aws/aws-cdk

(Secrets Manager): Access hosted rotation lambda role

Open

#22,051 opened on Sep 15, 2022

View on GitHub
 (7 comments) (5 reactions) (1 assignee)TypeScript (10,710 stars) (3,530 forks)batch import
@aws-cdk/aws-iameffort/smallfeature-requestgood first issueneeds-cfnp2

Description

Describe the feature

In the case of HostedRotation being used for the secret (f.e. PostgreSqlSingleUser) there is no way to access rotation lambda IAM role ARN or Name. It would be good to have a property that returns rotation lambda role ARN or the ability to define rotation lambda role Name

Use Case

It will be helpful in case when I need to limit access to the secret to specific principals. F.e. in the case of secret that stores credentials to the RDS database root user I want to limit access to these credentials to the list of administrator IAM roles and rotation lambda. F.e.:

secret.add_to_resource_policy(iam.PolicyStatement.from_json({
      'Effect': 'Deny',

      'Principal': '*',

      'Action': 'secretsmanager:*',

      'Resource': '*',

      'Condition': {
        'StringNotLike': {
          'aws:PrincipalArn': [
            'ADMIN_1_ARN',
            'ADMIN_2_ARN',
            'ROTATION_LAMBDA_ROLE_ARN'
          ]
        }
      }
    }))

Proposed Solution

  1. Allow to define rotation function IAM role name. F.e:
HostedRotation      = HostedRotation.PostgreSqlSingleUser(new SingleUserHostedRotationOptions {
  FunctionName  = "database-root-user-secret-rotation",

  FunctionRoleName  = "database-root-user-secret-rotation-role",

  ...
}),
  1. Allow to get rotation function IAM role ARN. F.e.
rotation = HostedRotation.PostgreSqlSingleUser()
role_arn = rotation.RoleArn

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.41.0

Environment details (OS name and version, etc.)

OS: windows; lang: python

Contributor guide

Tech stack
typescriptaws
Domain
backendcloudsecurity
Issue type
feature
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-2 days
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
active
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
mostly clear
Prerequisites
AWS CDK basicsTypeScript
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
40
Research direction
The issue requests adding a property to access the rotation lambda IAM role ARN/name in the CDK Secrets Manager HostedRotation construct. Review the CDK source code in the `aws cdk lib/aws secretsmanager` package, specifically the `HostedRotation` class and its associated interface. Check if there is an existing linked PR or discussion about implementation. The proposed solutions involve adding a `FunctionRoleName` option and a `roleArn` property. Look for related issues or comments from maintainers about feasibility.
(Secrets Manager): Access hosted rotation lambda role · aws/aws-cdk#22051 | Good First Issue