Open rix0rrr opened 2 years ago
Based on my understanding of the current implementations of secretsmanager.Secret
and cdk.SecretValue
, this may make it impossible to create a JSON object (as shown in the SecretStringValueBeta1.fromToken
docs when this Feature Flag is enabled.
SecretValue.resourceAttribute
is far more strict than secretsmanager.SecretStringValueBeta1.fromToken
was as the former uses Tokenization.reverseCompleteString
whereas the latter just checks Token.isUnresolved
.
The most direct translation would seem like it'd be something along the lines of:
const user = new iam.User(this, 'User');
const accessKey = new iam.AccessKey(this, 'AccessKey', { user });
const secretValue = secretsmanager.Secret(this, 'Secret', {
secretStringValue: cdk.SecretValue.resourceAttribute(JSON.stringify({
username: user.userName,
database: 'foo',
password: accessKey.secretAccessKey.unsafeUnwrap(),
}))
});
Which fails because the JSON object isn't entirely a Token, it's a concatenation (with the braces, commas, keys, and such). Therefore, the only possible translation of that example leverages unsafePlainText
:
const secretValue = secretsmanager.Secret(this, 'Secret', {
secretStringValue: cdk.SecretValue.unsafePlainText(JSON.stringify({
username: user.userName,
database: 'foo',
password: accessKey.secretAccessKey.unsafeUnwrap(),
}))
});
Storing JSON objects in secrets is a very common practice (and, in fact, is the default in the Console). It may be counterintuitive for users with a non-simple-string Secret to need to flip a feature flag that would also enable truly dangerous behavior.
Describe the feature
By request of the Secrets Manager team, use of
SecretValue.unsafePlainText()
needs to be discouraged even more.We'll add a feature flag:
That users will have to explicitly turn off to be able to call the plaintext constructor for SecretValue.
While we're at it, let's also record metadata into the resulting CFN template that an unsafe secret was rendered literally into the template.
Use Case
Make sure that users don't commit secrets to source control.
Proposed Solution
No response
Other Information
No response
Acknowledgements
CDK version used
-
Environment details (OS name and version, etc.)
-