(core): unable to create JSON secret using secret values #20461
Assignees
Labels
@aws-cdk/core
Related to core CDK functionality
bug
This issue is a bug.
effort/small
Small work item – less than a day of effort
good first issue
Related to contributions. See CONTRIBUTING.md
p1
Comments
rix0rrr
added
bug
rix0rrr
added
effort/small
4 tasks
mergify bot
pushed a commit
that referenced
this issue
Jul 13, 2022
A common use case is to create key/value secrets where the values could
be either strings _or_ other secret values. Currently this is possible,
but the user experience is not great. This PR introduces a new input
prop `secretObjectValue` which is of type `{ [key: string]: SecretValue }`.
For example, you can now create a JSON secret:
```ts
new secretsmanager.Secret(stack, 'JSONSecret', {
secretObjectValue: {
username: SecretValue.unsafePlainText(user.userName), // intrinsic reference, not exposed as plaintext
database: SecretValue.unsafePlainText('foo'), // rendered as plain text, but not a secret
password: accessKey.secretAccessKey, // SecretValue
},
});
```
I've also updated the docs to better reflect what `unsafe` means given
this new context.
fixes #20461
----
### All Submissions:
* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)
### Adding new Unconventional Dependencies:
* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)
### New Features
* [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
* [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
2 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
See #20033 (comment)
With the new API, creating Secrets with compound values looks like this:
Which is not a great experience.
Expected Behavior
Can create JSON secret containing another secret.
Current Behavior
Not allowed.
Reproduction Steps
See linked example.
Possible Solution
I've considered making
SecretValuecontain compound values, but the API doesn't quite become satisfying:Is fine as far as it goes, but the problem with this API is it cannot be distinguished from this invocation:
So it would need to be called
unsafeJsonObject, but since when used properly this is the normal course for Secret usage, I don't want to call a methodunsafeif it isn't actuallyunsafe.It also seems that creating compound SecretValues is only used for initializing a
Secret, and isn't used anywhere else. So, I'm thinking a better solution is to make it a feature ofnew sm.Secret:The type of
secretObjectValuewould be{ [x: string]: SecretValue }When writing a unit test for this, be sure to test with the
@aws-cdk/core.preventUnsafePlaintextSecretsflag on, and update the documentation onSecretValue.unsafePlainText()to explain other reasonable use cases for static strings in here.Additional Information/Context
No response
CDK CLI Version
Framework Version
No response
Node.js Version
OS
Language
Typescript
Language Version
No response
Other information
No response
The text was updated successfully, but these errors were encountered: