aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

aws_secretsmanager: Secret fails if it ends with a hyphen and 6 digits like "-[0-9a-f]{6}" #27530

Closed zhahaoyu closed 1 year ago

zhahaoyu commented 1 year ago

Describe the bug

I have spent hours debugging this issue and finally found this bug.

When a secret is created with a name ending in "-[0-9a-f]{6}" (for my specific examples, I named the secrets "xyz-secret" and "xyz-google") and used as a secret for my LoadBalancedApplicationService, it keeps getting AccessDeniedException, but a secret with fewer digits works just fine.

    import { aws_ecs, aws_secretsmanager } from 'aws-cdk-lib';

    // inside taskImageOptions of the LoadBalancedApplicationService
    secrets: {
        SECRET1: aws_ecs.Secret.fromSecretsManager(
            aws_secretsmanager.Secret.fromSecretNameV2(this,
                'SEC1',
                `xyz-secret`)),
        SECRET2: aws_ecs.Secret.fromSecretsManager(
            aws_secretsmanager.Secret.fromSecretNameV2(this,
                'SEC2',
                `xyz-creds`)),
    },

I am suspecting that there is a hard-coded rule somewhere that makes a special treatment for "-[0-9a-f]{6}".

Expected Behavior

It should work fine

Current Behavior

It reports AccessDeniedException

Reproduction Steps

  1. Create a secret with a name ending in "-secret"
  2. Inject it to LoadBalancedApplicationService
  3. Observe

Possible Solution

  1. (best) Fix the hard-coded logic that treats the last 6 digits differently, or
  2. Enforce naming requirement not to have "-[0-9a-f]{6}" when a secret is being created, or
  3. Fix CDK

Additional Information/Context

No response

CDK CLI Version

2.99.1 (build b2a895e)

Framework Version

No response

Node.js Version

16

OS

mac os

Language

TypeScript

Language Version

No response

Other information

No response

peterwoodworth commented 1 year ago

Thanks for the bug report; the docs call this out and say to use fromSecretCompleteArn() instead.

https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_secretsmanager.Secret.html#static-fromwbrsecretwbrnamewbrv2scope-id-secretname
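
The naming pitfall peterwoodworth points at, as an added example that is neither aws-cdk's own code nor from this thread: a small pre-synth guard in plain TypeScript (no aws-cdk-lib dependency) that flags secret names ending in a hyphen plus six characters, shows the partial grant ARN shape fromSecretNameV2 uses, and only accepts such a name when the caller supplies the complete ARN for fromSecretCompleteArn. The suffix alphabet, the partial-ARN shape and the resolution model are assumptions stated in the comments; all function and type names are hypothetical.

```typescript
// Added example, not code from aws-cdk or from this issue. Assumptions:
//  - Secrets Manager appends "-" plus six random alphanumeric characters to a
//    secret name when it forms the ARN (e.g. "xyz-creds-AbC123").
//  - Secret.fromSecretNameV2 grants on the partial ARN
//    "arn:aws:secretsmanager:<region>:<account>:secret:<name>-??????".
//  - Resolving a partial ARN treats a trailing "-" + six characters as that
//    random suffix, so "xyz-secret" can be read as secret "xyz" with suffix
//    "-secret". This is a model of the ambiguity the docs warn about, not the
//    service's implementation.

const RANDOM_SUFFIX = /-[0-9A-Za-z]{6}$/;

// True when the name itself ends the way Secrets Manager's random suffix does.
function looksLikeSuffixedName(name: string): boolean {
  return RANDOM_SUFFIX.test(name);
}

// Partial ARN in the shape fromSecretNameV2 uses for IAM grants (assumed).
function partialArnForGrant(region: string, account: string, name: string): string {
  return `arn:aws:secretsmanager:${region}:${account}:secret:${name}-??????`;
}

// Model of partial-ARN resolution: strip what looks like the random suffix.
function baseNameAsResolved(name: string): string {
  return name.replace(RANDOM_SUFFIX, "");
}

// Check that a complete ARN really is <name> plus a six-character suffix.
function completeArnMatches(name: string, arn: string): boolean {
  const m = /^arn:[^:]+:secretsmanager:[^:]+:\d{12}:secret:(.+)$/.exec(arn);
  if (!m) return false;
  const resource = m[1] ?? "";
  if (!resource.startsWith(name + "-")) return false;
  return /^[0-9A-Za-z]{6}$/.test(resource.slice(name.length + 1));
}

interface ImportAdvice {
  method: "fromSecretNameV2" | "fromSecretCompleteArn" | "error";
  arg: string; // secret name, complete ARN, or the error message
}

// Decide how a stack should import the secret. `completeArn` is the full ARN
// copied from the console or `aws secretsmanager describe-secret`.
function chooseImport(name: string, completeArn?: string): ImportAdvice {
  if (!looksLikeSuffixedName(name)) {
    return { method: "fromSecretNameV2", arg: name };
  }
  if (completeArn !== undefined && completeArnMatches(name, completeArn)) {
    return { method: "fromSecretCompleteArn", arg: completeArn };
  }
  return {
    method: "error",
    arg:
      `"${name}" ends in -<6 chars> and may resolve as "${baseNameAsResolved(name)}"; ` +
      "import it with Secret.fromSecretCompleteArn and the full ARN",
  };
}

// Constructed sample input using the names from this issue.
const SAMPLE_COMPLETE_ARN =
  "arn:aws:secretsmanager:us-east-1:123456789012:secret:xyz-secret-AbC123";
for (const n of ["xyz-creds", "xyz-secret", "xyz-google"]) {
  console.log(n, "->", JSON.stringify(chooseImport(n)));
}
console.log(JSON.stringify(chooseImport("xyz-secret", SAMPLE_COMPLETE_ARN)));
```

Run it over the list of secret names a stack is about to import; "xyz-creds" passes through to fromSecretNameV2, while "xyz-secret" and "xyz-google" are rejected unless the complete ARN (suffix included) is supplied, which is exactly the switch to fromSecretCompleteArn the docs recommend.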

github-actions[bot] commented 1 year ago

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.