aws/aws-cdk

(Secrets Manager): Access hosted rotation lambda role

Open

#22,051 创建于 2022年9月15日

在 GitHub 查看
 (7 评论) (5 反应) (1 负责人)TypeScript (3,530 fork)batch import
@aws-cdk/aws-iameffort/smallfeature-requestgood first issueneeds-cfnp2

仓库指标

Star
 (10,710 star)
PR 合并指标
 (平均合并 14天 11小时) (30 天内合并 68 个 PR)

描述

Describe the feature

In the case of HostedRotation being used for the secret (f.e. PostgreSqlSingleUser) there is no way to access rotation lambda IAM role ARN or Name. It would be good to have a property that returns rotation lambda role ARN or the ability to define rotation lambda role Name

Use Case

It will be helpful in case when I need to limit access to the secret to specific principals. F.e. in the case of secret that stores credentials to the RDS database root user I want to limit access to these credentials to the list of administrator IAM roles and rotation lambda. F.e.:

secret.add_to_resource_policy(iam.PolicyStatement.from_json({
      'Effect': 'Deny',

      'Principal': '*',

      'Action': 'secretsmanager:*',

      'Resource': '*',

      'Condition': {
        'StringNotLike': {
          'aws:PrincipalArn': [
            'ADMIN_1_ARN',
            'ADMIN_2_ARN',
            'ROTATION_LAMBDA_ROLE_ARN'
          ]
        }
      }
    }))

Proposed Solution

  1. Allow to define rotation function IAM role name. F.e:
HostedRotation      = HostedRotation.PostgreSqlSingleUser(new SingleUserHostedRotationOptions {
  FunctionName  = "database-root-user-secret-rotation",

  FunctionRoleName  = "database-root-user-secret-rotation-role",

  ...
}),
  1. Allow to get rotation function IAM role ARN. F.e.
rotation = HostedRotation.PostgreSqlSingleUser()
role_arn = rotation.RoleArn

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.41.0

Environment details (OS name and version, etc.)

OS: windows; lang: python

贡献者指南