(Secrets Manager): Access hosted rotation lambda role
#22 051 ouverte le 15 sept. 2022
Métriques du dépôt
- Stars
- (10 710 stars)
- Métriques de merge PR
- (Merge moyen 14j 11h) (68 PRs mergées en 30 j)
Description
Describe the feature
In the case of HostedRotation being used for the secret (f.e. PostgreSqlSingleUser) there is no way to access rotation lambda IAM role ARN or Name. It would be good to have a property that returns rotation lambda role ARN or the ability to define rotation lambda role Name
Use Case
It will be helpful in case when I need to limit access to the secret to specific principals. F.e. in the case of secret that stores credentials to the RDS database root user I want to limit access to these credentials to the list of administrator IAM roles and rotation lambda. F.e.:
secret.add_to_resource_policy(iam.PolicyStatement.from_json({
'Effect': 'Deny',
'Principal': '*',
'Action': 'secretsmanager:*',
'Resource': '*',
'Condition': {
'StringNotLike': {
'aws:PrincipalArn': [
'ADMIN_1_ARN',
'ADMIN_2_ARN',
'ROTATION_LAMBDA_ROLE_ARN'
]
}
}
}))
Proposed Solution
- Allow to define rotation function IAM role name. F.e:
HostedRotation = HostedRotation.PostgreSqlSingleUser(new SingleUserHostedRotationOptions {
FunctionName = "database-root-user-secret-rotation",
FunctionRoleName = "database-root-user-secret-rotation-role",
...
}),
- Allow to get rotation function IAM role ARN. F.e.
rotation = HostedRotation.PostgreSqlSingleUser()
role_arn = rotation.RoleArn
Other Information
No response
Acknowledgements
- I may be able to implement this feature request
- This feature might incur a breaking change
CDK version used
2.41.0
Environment details (OS name and version, etc.)
OS: windows; lang: python