aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

(aws-rds): grantConnect for DatabaseProxy yields incorrect policy #12415

Closed jdvornek closed 3 years ago

jdvornek commented 3 years ago

Originally from a comment in #11851.

DatabaseProxy::grantConnect() generates a Policy that includes a resource referring to the DatabaseProxy itself. Per the documentation, the resource should be constructed to allow access to the rds-db service and also include the database user from the proxy secret.

Reproduction Steps

const {App, Stack} = require('@aws-cdk/core');
const {Role, ServicePrincipal} = require('@aws-cdk/aws-iam');
const {Vpc} = require('@aws-cdk/aws-ec2');
const {DatabaseCluster, DatabaseClusterEngine, AuroraMysqlEngineVersion} = require('@aws-cdk/aws-rds');

const app = new App();

class DBPermTestStack extends Stack {
  constructor(scope, id) {
    super(scope, id);
    const vpc = new Vpc(this, 'VPC');
    // Aurora MySQL cluster; the generated secret holds the master user credentials
    const db = new DatabaseCluster(this, 'DB', {
      engine: DatabaseClusterEngine.auroraMysql({version: AuroraMysqlEngineVersion.VER_2_09_1}),
      instanceProps: {
        vpc
      }
    });
    // RDS Proxy in front of the cluster, with IAM authentication required
    const proxy = db.addProxy('Proxy', {
      secrets: [db.secret],
      vpc,
      iamAuth: true
    });
    // Role that an ECS task would assume to connect through the proxy
    const role = new Role(this, 'Role', {
      assumedBy: new ServicePrincipal('ecs-tasks.amazonaws.com')
    });
    // Expected to attach an rds-db:connect statement scoped to the proxy's db user
    proxy.grantConnect(role);
  }
}
new DBPermTestStack(app, 'PermissionsTest');

What did you expect to happen?

I expected a Policy as follows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "rds-db:connect",
            "Resource": "arn:aws:rds-db:us-west-2:0123456789100:dbuser:prx-012345678910/admin",
            "Effect": "Allow"
        }
    ]
}

What actually happened?

A Policy was generated as follows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "rds-db:connect",
            "Resource": "arn:aws:rds:us-west-2:0123456789100:db-proxy:prx-012345678910",
            "Effect": "Allow"
        }
    ]
}

Environment

Other

DatabaseProxy::grantConnect() was requested in #10133 and merged in #12243.


This is :bug: Bug Report

github-actions[bot] commented 3 years ago

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.

cad0p commented 1 year ago

It's fixed