
Commit c17dbde

authored
fix(rds): proxy target is missing KMS permissions (#28858)
When creating an RDS proxy, if the Secrets Manager Secret that holds the credentials is encrypted with a KMS key, any registered ProxyTarget(s) will fail to connect: they lack access to the secret, because reading it requires the ability to `kms:Decrypt` using the Secret's encryption key. When this occurs the following can be observed in the DatabaseProxy logs, but only when `debugLogging` is set to `true`. ``` Credentials couldn't be retrieved. The IAM role "arn:aws:iam:::role/ProxyIAMRole2FE8AB0F" is not authorized to read the AWS Secrets Manager secret with the ARN "arn:aws:secretsmanager:::secret:SecretA720EF05" ``` Reproduction steps ``` const vpc = new Vpc(stack, 'Vpc'); const kmsKey = new Key(stack, 'Key'); const kmsEncryptedSecret = new secretsmanager.Secret(stack, 'Secret', {encryptionKey: kmsKey}); const cluster = new rds.DatabaseCluster(stack, 'Database', { engine: rds.DatabaseClusterEngine.AURORA, instanceProps: { vpc }, }); new rds.DatabaseProxy(stack, 'Proxy', { proxyTarget: rds.ProxyTarget.fromCluster(cluster), debugLogging: true, vpc, secrets: [kmsEncryptedSecret], }); ``` This is my first CDK PR; I've run the following: ``` yarn install npx lerna run build --scope=aws-cdk-lib cd packages/aws-cdk-lib npx yarn test aws-rds npx yarn lint aws-rds npx yarn eslint --fix aws-rds/lib/proxy.ts aws-rds/test/proxy.test.ts # Running integration tests cd ../../ npx lerna run build --scope=@aws-cdk-testing/framework-integ cd packages/@aws-cdk-testing/framework-integ npx yarn integ test/aws-rds/test/*.js --update-on-failed ``` Closes #28850 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
1 parent 2bf6d82 commit c17dbde


10 files changed

+335
-8
lines changed


packages/@aws-cdk-testing/framework-integ/test/aws-rds/test/integ.proxy.js.snapshot/aws-cdk-rds-proxy.assets.json

+3-3

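--- a/packages/@aws-cdk-testing/framework-integ/test/aws-rds/test/integ.proxy.js.snapshot/aws-cdk-rds-proxy.template.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-rds/test/integ.proxy.js.snapshot/aws-cdk-rds-proxy.template.json
@@ -391,6 +391,116 @@
 }
 }
 },
+"SecretEncryptionKey40C82244": {
+"Type": "AWS::KMS::Key",
+"Properties": {
+"KeyPolicy": {
+"Statement": [
+{
+"Action": "kms:*",
+"Effect": "Allow",
+"Principal": {
+"AWS": {
+"Fn::Join": [
+"",
+[
+"arn:",
+{
+"Ref": "AWS::Partition"
+},
+":iam::",
+{
+"Ref": "AWS::AccountId"
+},
+":root"
+]
+]
+}
+},
+"Resource": "*"
+},
+{
+"Action": [
+"kms:CreateGrant",
+"kms:Decrypt",
+"kms:DescribeKey",
+"kms:Encrypt",
+"kms:GenerateDataKey*",
+"kms:ReEncrypt*"
+],
+"Condition": {
+"StringEquals": {
+"kms:ViaService": {
+"Fn::Join": [
+"",
+[
+"secretsmanager.",
+{
+"Ref": "AWS::Region"
+},
+".amazonaws.com"
+]
+]
+}
+}
+},
+"Effect": "Allow",
+"Principal": {
+"AWS": {
+"Fn::Join": [
+"",
+[
+"arn:",
+{
+"Ref": "AWS::Partition"
+},
+":iam::",
+{
+"Ref": "AWS::AccountId"
+},
+":root"
+]
+]
+}
+},
+"Resource": "*"
+},
+{
+"Action": "kms:Decrypt",
+"Condition": {
+"StringEquals": {
+"kms:ViaService": {
+"Fn::Join": [
+"",
+[
+"secretsmanager.",
+{
+"Ref": "AWS::Region"
+},
+".amazonaws.com"
+]
+]
+}
+}
+},
+"Effect": "Allow",
+"Principal": {
+"AWS": {
+"Fn::GetAtt": [
+"dbProxyIAMRole662F3AB8",
+"Arn"
+]
+}
+},
+"Resource": "*"
+}
+],
+"Version": "2012-10-17"
+}
+},
+"UpdateReplacePolicy": "Retain",
+"DeletionPolicy": "Retain"
+},
 "dbInstanceSubnetGroupD062EC9E": {
 "Type": "AWS::RDS::DBSubnetGroup",
 "Properties": {
@@ -471,6 +581,12 @@
 "GenerateStringKey": "password",
 "PasswordLength": 30,
 "SecretStringTemplate": "{\"username\":\"master\"}"
+},
+"KmsKeyId": {
+"Fn::GetAtt": [
+"SecretEncryptionKey40C82244",
+"Arn"
+]
 }
 },
 "UpdateReplacePolicy": "Delete",
@@ -567,6 +683,16 @@
 "Resource": {
 "Ref": "dbInstanceSecretAttachment88CFBDAE"
 }
+},
+{
+"Action": "kms:Decrypt",
+"Effect": "Allow",
+"Resource": {
+"Fn::GetAtt": [
+"SecretEncryptionKey40C82244",
+"Arn"
+]
+}
 }
 ],
 "Version": "2012-10-17"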

packages/@aws-cdk-testing/framework-integ/test/aws-rds/test/integ.proxy.js.snapshot/cdk.out

+1-1

packages/@aws-cdk-testing/framework-integ/test/aws-rds/test/integ.proxy.js.snapshot/databaseproxyintegtestDefaultTestDeployAssert1DC3D9D5.assets.json

+1-1

packages/@aws-cdk-testing/framework-integ/test/aws-rds/test/integ.proxy.js.snapshot/integ.json

+1-1

packages/@aws-cdk-testing/framework-integ/test/aws-rds/test/integ.proxy.js.snapshot/manifest.json

+8-2

packages/@aws-cdk-testing/framework-integ/test/aws-rds/test/integ.proxy.js.snapshot/tree.json

+143
