aws/aws-cdk

(Secrets Manager): Access hosted rotation lambda role

Open

#22051 opened on Sep 15, 2022

7 comments, 5 reactions, 1 assignee
Labels: @aws-cdk/aws-iam, effort/small, feature-request, good first issue, needs-cfn, p2

Description

Describe the feature

In the case of HostedRotation being used for the secret (e.g. PostgreSqlSingleUser) there is no way to access the rotation lambda IAM role ARN or name. It would be good to have a property that returns the rotation lambda role ARN, or the ability to define the rotation lambda role name.

Use Case

It will be helpful when I need to limit access to the secret to specific principals. E.g. in the case of a secret that stores the credentials of the RDS database root user, I want to limit access to these credentials to a list of administrator IAM roles and the rotation lambda. E.g.:

from aws_cdk import aws_iam as iam

# Deny every secretsmanager action to any principal whose ARN is not one of
# the listed admin roles or the rotation lambda's role.
secret.add_to_resource_policy(iam.PolicyStatement.from_json({
    'Effect': 'Deny',
    'Principal': '*',
    'Action': 'secretsmanager:*',
    'Resource': '*',
    'Condition': {
        'StringNotLike': {
            'aws:PrincipalArn': [
                'ADMIN_1_ARN',
                'ADMIN_2_ARN',
                'ROTATION_LAMBDA_ROLE_ARN'
            ]
        }
    }
}))

Proposed Solution

  1. Allow defining the rotation function IAM role name, e.g.:

     HostedRotation = HostedRotation.PostgreSqlSingleUser(new SingleUserHostedRotationOptions {
         FunctionName = "database-root-user-secret-rotation",
         FunctionRoleName = "database-root-user-secret-rotation-role",
         ...
     }),

  2. Allow getting the rotation function IAM role ARN, e.g.:

     rotation = HostedRotation.PostgreSqlSingleUser()
     role_arn = rotation.RoleArn

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.41.0

Environment details (OS name and version, etc.)

OS: windows; lang: python
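As an added check for the use case above (example code written for this page, not part of the issue or of aws-cdk): a small offline evaluator for the Deny statement, so the allow-list of ARNs can be verified before the resource policy is deployed. The ARNs are constructed placeholders. The evaluator assumes IAM's StringNotLike semantics (case-sensitive, with * and ? wildcards) and that aws:PrincipalArn carries the role's ARN, not the sts:assumed-role session ARN, when a role is the caller; both assumptions are marked in the code.

```python
import re

# Constructed placeholder ARNs for the example; not values from the issue.
ADMIN_1_ARN = "arn:aws:iam::111122223333:role/DbAdmin1"
ADMIN_2_ARN = "arn:aws:iam::111122223333:role/DbAdmin2"
ROTATION_LAMBDA_ROLE_ARN = (
    "arn:aws:iam::111122223333:role/database-root-user-secret-rotation-role"
)


def deny_statement(allowed_principal_arns):
    """The Deny statement from the use case, with the allow-list filled in."""
    return {
        "Effect": "Deny",
        "Principal": "*",
        "Action": "secretsmanager:*",
        "Resource": "*",
        "Condition": {
            "StringNotLike": {"aws:PrincipalArn": list(allowed_principal_arns)}
        },
    }


def iam_like(value, pattern):
    """IAM StringLike matching (assumed): case-sensitive, '*' = any run, '?' = one char."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value) is not None


def principal_arn(caller_arn):
    """Value of aws:PrincipalArn for a caller.

    Assumption (as documented for the condition key): for an assumed-role
    session the key carries the role's ARN, not the sts:assumed-role ARN.
    """
    m = re.fullmatch(r"arn:aws:sts::(\d{12}):assumed-role/([^/]+)/[^/]+", caller_arn)
    if m:
        return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}"
    return caller_arn


def _as_list(v):
    return [v] if isinstance(v, str) else list(v)


def deny_applies(statement, caller_arn, action):
    """True if this Deny statement blocks `action` for `caller_arn`."""
    if not any(iam_like(action, a) for a in _as_list(statement["Action"])):
        return False
    patterns = _as_list(statement["Condition"]["StringNotLike"]["aws:PrincipalArn"])
    # StringNotLike holds when the key matches none of the listed patterns.
    return not any(iam_like(principal_arn(caller_arn), p) for p in patterns)


def locked_out(statement, required_callers, action="secretsmanager:PutSecretValue"):
    """Callers that must keep access but would be denied by the statement."""
    return [c for c in required_callers if deny_applies(statement, c, action)]


if __name__ == "__main__":
    # Allow-list that forgot the rotation role: rotation would break at the
    # next PutSecretValue while the admin roles still work.
    policy = deny_statement([ADMIN_1_ARN, ADMIN_2_ARN])
    print(locked_out(policy, [ADMIN_1_ARN, ROTATION_LAMBDA_ROLE_ARN]))
```

Because the statement is a Deny on Principal '*', it also applies to every role in the secret's own account, including the hosted rotation lambda's role. If that role's ARN is missing from the list (the value the issue asks CDK to expose), rotation fails on its next write to the secret while the admin roles keep working, so the check worth running is the one against the rotation role, not the admins.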
