Tags: amazon-web-services, aws-cdk, aws-secrets-manager

How to get full arn when writing secret based IAM policy in AWS CDK


I am trying to create a permission set in cdk that grants GetSecretValue access to a specific secret. I get that secret by its name, using Secret.fromSecretNameV2. I know that when I get it by name, the full arn is not available, and so appending '-??????' to the resource arn when creating the policy works.

However, is there a prettier solution? This looks hacky.

The following is my current solution, which works, but doesn't feel ideal.

import { Effect, PolicyDocument, PolicyStatement } from 'aws-cdk-lib/aws-iam';
import { CfnPermissionSet } from 'aws-cdk-lib/aws-sso';
import { Secret } from 'aws-cdk-lib/aws-secretsmanager';

// Runs inside a construct/stack (`this` is the scope);
// `prodIamIdentityCenterArn` is defined elsewhere in the project.
const databaseSecretName = 'database-host';
const databaseSecret = Secret.fromSecretNameV2(
  this,
  'databaseSecret',
  databaseSecretName
);

const policy = new PolicyDocument({
  statements: [
    new PolicyStatement({
      actions: ['secretsmanager:GetSecretValue'],
      effect: Effect.ALLOW,
      // secretArn is only the partial ARN when the secret is looked up by name;
      // '-??????' matches the six random characters Secrets Manager appends.
      resources: [databaseSecret.secretArn + '-??????'],
      sid: 'AllowDatabaseSecretReading',
    }),
  ],
});

new CfnPermissionSet(this, 'PermissionSet', {
  description: 'blabla',
  inlinePolicy: policy,
  instanceArn: prodIamIdentityCenterArn,
  managedPolicies: ['arn:aws:iam::aws:policy/ReadOnlyAccess'],
  name: this.name,
});

Any tips are appreciated! Thanks!

I tried accessing databaseSecret.secretFullArn, but it's undefined. This is in line with what the documentation says about secrets fetched by name.


Solution

  • I guess the solution is just to leave it as proposed. It initially didn't feel right to me, but it works, and other people have confirmed that there's nothing wrong with that approach of manually appending the '-??????' suffix.
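To show why the '-??????' suffix is the right choice rather than a trailing '*', here is an added example (not part of the question or answer, and not code from aws-cdk-lib). It uses a small IAM-style pattern matcher ('*' matches any run of characters, '?' exactly one) against constructed sample ARNs: the partial ARN that Secret.fromSecretNameV2 exposes as secretArn, the secret's real ARN with its six random characters, and a second secret whose name merely starts with the same string. The account ID, region and suffixes are made-up sample values.

```typescript
// Added example: why `secretArn + '-??????'` works and why it is tighter
// than `secretArn + '*'`. Not from aws-cdk-lib; all ARNs are constructed.

// Translate an IAM resource pattern into a RegExp. IAM wildcards:
// '*' = any sequence of characters, '?' = exactly one character.
function iamPatternToRegExp(pattern: string): RegExp {
  const body = pattern
    .split('')
    .map((ch) => {
      if (ch === '*') return '.*';
      if (ch === '?') return '.';
      // Everything else is literal; escape regex metacharacters.
      return ch.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
    })
    .join('');
  return new RegExp(`^${body}$`);
}

function matchesResource(pattern: string, arn: string): boolean {
  return iamPatternToRegExp(pattern).test(arn);
}

// What Secret.fromSecretNameV2(...).secretArn gives you: the ARN up to the
// secret name, without the random characters Secrets Manager appends.
const partialArn =
  'arn:aws:secretsmanager:us-east-1:123456789012:secret:database-host';

// The secret's real ARN (the '-AbCdEf' suffix is a constructed sample).
const fullArn = `${partialArn}-AbCdEf`;

// A different secret whose name just happens to share the prefix.
const lookalikeArn =
  'arn:aws:secretsmanager:us-east-1:123456789012:secret:database-host-backup-XyZ987';

const questionMarkPattern = `${partialArn}-??????`; // what the question uses
const starPattern = `${partialArn}*`;               // the tempting alternative

// Evaluate each pattern against both ARNs so the difference is explicit.
function evaluate() {
  return {
    // Bare partial ARN: no wildcard, so it never matches the real ARN.
    partialMatchesFull: matchesResource(partialArn, fullArn),
    // '-??????' matches exactly the intended secret ...
    questionMarkMatchesFull: matchesResource(questionMarkPattern, fullArn),
    // ... and rejects the lookalike (13 characters follow 'database-host-').
    questionMarkMatchesLookalike: matchesResource(questionMarkPattern, lookalikeArn),
    // '*' matches the intended secret ...
    starMatchesFull: matchesResource(starPattern, fullArn),
    // ... but also grants access to every secret sharing the name prefix.
    starMatchesLookalike: matchesResource(starPattern, lookalikeArn),
  };
}

console.log(evaluate());
```

The six question marks are the tightest pattern available once the random suffix is unknown: they pin the length of the suffix, so a secret named 'database-host-backup' (or any other name that merely begins with 'database-host') stays outside the grant, whereas 'database-host*' would quietly include it.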