nitrictech / cli

Nitric CLI. Manage and run Nitric apps locally and deploy to any cloud.
https://nitric.io
Apache License 2.0

when a stack is deleted and re-created the secret PUT is failing on permission denied #390

Closed asalkeld closed 2 years ago

asalkeld commented 2 years ago

Bug Report

Issue

message:"unable to put secret" cause:"AccessDeniedException: User: arn:aws:sts::932721839758:assumed-role/controllerLambdaRole-bb69298/controller-74d1ffc is not authorized to perform: secretsmanager:PutSecretValue on resource: arn:aws:secretsmanager:ap-southeast-2:932721839758:secret:safe-8d3eead-RCdYvj because no identity-based policy allows the secretsmanager:PutSecretValue action\n\tstatus code: 400, request id: cb77c811-b4b1-4df2-bcc2-256b7cc1ed7e" scope:{service:"SecretService.Put" plugin:"SecretManagerSecretService.Put" args:{key:"secret" value:"{Name: safe}"}} | message:"unable to put secret" cause:"AccessDeniedException: User: arn:aws:sts::932721839758:assumed-role/controllerLambdaRole-bb69298/controller-74d1ffc is not authorized to perform: secretsmanager:PutSecretValue on resource: arn:aws:secretsmanager:ap-southeast-2:932721839758:secret:safe-8d3eead-RCdYvj because no identity-based policy allows the secretsmanager:PutSecretValue action\n\tstatus code: 400, request id: cb77c811-b4b1-4df2-bcc2-256b7cc1ed7e" 

The problem is that arn:aws:secretsmanager:ap-southeast-2:932721839758:secret:safe-8d3eead-RCdYvj is from the deleted stack. The secret has been deleted, but get-resources is returning deleted secrets.

The below command should only return one secret (the console shows one secret)...

aws resourcegroupstaggingapi get-resources --resource-type-filters secretsmanager:secret  --tag-filters Key=x-nitric-name,Values=safe --region ap-southeast-2
ResourceTagMappingList:
- ResourceARN: arn:aws:secretsmanager:ap-southeast-2:932721839758:secret:safe-a48776f-bIaImY
  Tags:
  - Key: x-nitric-stack
    Value: testr-aws
  - Key: x-nitric-project
    Value: testr
  - Key: x-nitric-name
    Value: safe
- ResourceARN: arn:aws:secretsmanager:ap-southeast-2:932721839758:secret:safe-d4081a4-6gz2Yp
  Tags:
  - Key: x-nitric-stack
    Value: testr-aws
  - Key: x-nitric-project
    Value: testr
  - Key: x-nitric-name
    Value: safe
- ResourceARN: arn:aws:secretsmanager:ap-southeast-2:932721839758:secret:safe-8d3eead-RCdYvj
  Tags:
  - Key: x-nitric-stack
    Value: testr-aws
  - Key: x-nitric-project
    Value: testr
  - Key: x-nitric-name
    Value: safe

see https://repost.aws/questions/QUcinjyU36SBSmcYA8eYJf0Q/only-get-existing-resources-with-resource-group-tagging-api

asalkeld commented 2 years ago

Note: in the console you can go to the secrets settings page and select "show secrets scheduled for deletion".

Then this matches the above output. It seems like it can take many days to delete.

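One way to drop the stale ARNs before they reach an IAM policy or a PutSecretValue call, as an added Go example (this is not the Nitric project's own code and not what release 1.14.0 actually changed): the Resource Groups Tagging API still lists secrets that are scheduled for deletion, but secretsmanager:DescribeSecret reports a DeletedDate for exactly those, so filter the tagged ARNs on that field. The Describer interface, the fakeDescriber, and the choice of which of the three ARNs from the issue is the live one are constructed for the example; in real code the AWS SDK DescribeSecret call would back the interface.

```go
package main

import (
	"fmt"
	"time"
)

// SecretMeta holds the two DescribeSecret fields this filter needs.
// Secrets Manager sets DeletedDate only once a secret is scheduled for
// deletion; a live secret has no DeletedDate.
type SecretMeta struct {
	ARN         string
	DeletedDate *time.Time
}

// Describer stands in for the secretsmanager:DescribeSecret call so the
// filtering logic can run without AWS credentials or network access.
type Describer interface {
	Describe(arn string) (SecretMeta, error)
}

// fakeDescriber is constructed sample data for this example, not a real
// API response.
type fakeDescriber map[string]SecretMeta

func (f fakeDescriber) Describe(arn string) (SecretMeta, error) {
	m, ok := f[arn]
	if !ok {
		return SecretMeta{}, fmt.Errorf("describe %s: resource not found", arn)
	}
	return m, nil
}

// LiveSecrets returns the subset of arns whose DescribeSecret result carries
// no DeletedDate, i.e. the secrets a Lambda role's policy should actually
// reference. A describe failure aborts rather than silently keeping or
// dropping the entry, so a broken lookup cannot widen or narrow the policy.
func LiveSecrets(arns []string, d Describer) ([]string, error) {
	live := make([]string, 0, len(arns))
	for _, arn := range arns {
		meta, err := d.Describe(arn)
		if err != nil {
			return nil, err
		}
		if meta.DeletedDate != nil {
			continue // scheduled for deletion: still tagged, but not usable
		}
		live = append(live, arn)
	}
	return live, nil
}

// The three ARNs from the issue's get-resources output. Which one is still
// live is an assumption made for the example: the a48776f secret is treated
// as current and the other two as scheduled for deletion.
var (
	arnLive = "arn:aws:secretsmanager:ap-southeast-2:932721839758:secret:safe-a48776f-bIaImY"
	arnOld1 = "arn:aws:secretsmanager:ap-southeast-2:932721839758:secret:safe-d4081a4-6gz2Yp"
	arnOld2 = "arn:aws:secretsmanager:ap-southeast-2:932721839758:secret:safe-8d3eead-RCdYvj"

	TaggedARNs = []string{arnLive, arnOld1, arnOld2}
	deleted    = time.Date(2022, 8, 1, 0, 0, 0, 0, time.UTC) // constructed timestamp

	SampleDescriber = fakeDescriber{
		arnLive: {ARN: arnLive},
		arnOld1: {ARN: arnOld1, DeletedDate: &deleted},
		arnOld2: {ARN: arnOld2, DeletedDate: &deleted},
	}
)

func main() {
	live, err := LiveSecrets(TaggedARNs, SampleDescriber)
	if err != nil {
		panic(err)
	}
	fmt.Println("tagged:", len(TaggedARNs), "live:", len(live))
	for _, arn := range live {
		fmt.Println(arn)
	}
}
```

The same check can be done from the shell without the tagging API at all: `aws secretsmanager list-secrets --filters Key=tag-key,Values=x-nitric-name Key=tag-value,Values=safe --region ap-southeast-2` excludes secrets scheduled for deletion unless you explicitly pass `--include-planned-deletion`, so it returns only the one secret the console shows, whereas `resourcegroupstaggingapi get-resources` keeps listing the old ARNs until the recovery window expires.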

nitric-bot commented 2 years ago

:tada: This issue has been resolved in version 1.14.0 :tada:

The release is available on GitHub release

Your semantic-release bot :package::rocket: