
secretName from Secret.fromSecretCompleteArn not parsing correctly #28930

Open
murpheysDeveloper opened this issue Jan 30, 2024 · 6 comments
Labels
@aws-cdk/aws-secretsmanager Related to AWS Secrets Manager bug This issue is a bug. effort/medium Medium work item – several days of effort p3

Comments

@murpheysDeveloper

murpheysDeveloper commented Jan 30, 2024

Describe the bug

I have created a secret that didn't specify a secret name. When attempting to utilize that arn in another stack, the arn parse on it includes the secret version from the arn, which doesn't work as an id for a secret when attempting to retrieve from the secret sdk.

Expected Behavior

(Other stack)
const otherStackSecretToken = new Secret(this, 'OtherStackSecretToken', {
  generateSecretString: {
    secretStringTemplate: JSON.stringify({}),
    generateStringKey: 'SAMPLE_TOKEN',
    passwordLength: 100,
    excludePunctuation: true,
  },
  encryptionKey: sampleEncryptionKey,
});

console.log(otherStackSecretToken.secretFullArn)
out: arn:aws:secretsmanager:us-east-1:<account_id>:secret:OtherStackSecretToken12345-A4ee0mHKKJlq-yR0gFR

(Current Stack)
const sampleSecret = Secret.fromSecretCompleteArn(this, 'SampleSecret', props.internalTokenArn)

console.log(sampleSecret.secretName)
out: OtherStackSecretToken12345-A4ee0mHKKJlq-yR0gFR

Current Behavior

(Other stack)
const otherStackSecretToken = new Secret(this, 'OtherStackSecretToken', {
  generateSecretString: {
    secretStringTemplate: JSON.stringify({}),
    generateStringKey: 'SAMPLE_TOKEN',
    passwordLength: 100,
    excludePunctuation: true,
  },
  encryptionKey: sampleEncryptionKey,
});

console.log(otherStackSecretToken.secretFullArn)
out: arn:aws:secretsmanager:us-east-1:<account_id>:secret:OtherStackSecretToken12345-A4ee0mHKKJlq-yR0gFR

(Current Stack)
const sampleSecret = Secret.fromSecretCompleteArn(this, 'SampleSecret', props.internalTokenArn)

console.log(sampleSecret.secretName)
out: OtherStackSecretToken12345-A4ee0mHKKJlq-yR0gFR

Issues:
Won't work
get_secret_value_response = client.get_secret_value(
    SecretId='OtherStackSecretToken12345-A4ee0mHKKJlq-yR0gFR'
)

Works
get_secret_value_response = client.get_secret_value(
    SecretId='OtherStackSecretToken12345-A4ee0mHKKJlq'
)

Reproduction Steps

(Other stack)
const otherStackSecretToken = new Secret(this, 'OtherStackSecretToken', {
  generateSecretString: {
    secretStringTemplate: JSON.stringify({}),
    generateStringKey: 'SAMPLE_TOKEN',
    passwordLength: 100,
    excludePunctuation: true,
  },
  encryptionKey: sampleEncryptionKey,
});

console.log(otherStackSecretToken.secretFullArn)
out: arn:aws:secretsmanager:us-east-1:<account_id>:secret:OtherStackSecretToken12345-A4ee0mHKKJlq-yR0gFR

(Current Stack)
const sampleSecret = Secret.fromSecretCompleteArn(this, 'SampleSecret', props.internalTokenArn)

console.log(sampleSecret.secretName)
out: OtherStackSecretToken12345-A4ee0mHKKJlq-yR0gFR

Possible Solution

If multiple "-" exist in the resource name, parse the last one off as this is a version.

Additional Information/Context

No response

CDK CLI Version

^2.14.0

Framework Version

No response

Node.js Version

latest

OS

linux

Language

TypeScript

Language Version

No response

Other information

No response

@murpheysDeveloper murpheysDeveloper added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jan 30, 2024
@github-actions github-actions bot added the @aws-cdk/aws-secretsmanager Related to AWS Secrets Manager label Jan 30, 2024
@pahud
Contributor

pahud commented Jan 31, 2024

How do you reference them across stacks?

Check out my sample below (you don't need to parse the ARN):

export class SecretStack extends DemoStack {
	public readonly secret: secretsmanager.ISecret;
	constructor(scope: Construct, id: string, props: StackProps) {
		super(scope, id, props);

		const mysecret = new secretsmanager.Secret(this, 'OtherStackSecretToken', {
			generateSecretString: {
			  secretStringTemplate: JSON.stringify({}),
			  generateStringKey: 'SAMPLE_TOKEN',
			  passwordLength: 100,
			  excludePunctuation: true,
			},
		});

		this.secret = mysecret;
		new CfnOutput(this, 'SecretArn', { value: mysecret.secretArn });
		new CfnOutput(this, 'SecretName', { value: mysecret.secretName });
	}
}

export interface SecretRefStackProps extends StackProps {
	secret: secretsmanager.ISecret;
}

export class SecretRefStack extends DemoStack {
	constructor(scope: Construct, id: string, props: SecretRefStackProps) {
		super(scope, id, props);

		new CfnOutput(this, 'SecretArn', { value: props.secret.secretArn });
		new CfnOutput(this, 'SecretName', { value: props.secret.secretName });
	}
}

And in app.ts

const secretStack = new SecretStack(app, 'secret-stack', { env });
new SecretRefStack(app, 'secret-ref-stack', {
    env,
    secret: secretStack.secret,
});

$ npx cdk deploy --all

You should see this from the first stack

secret-stack.ExportsOutputRefOtherStackSecretToken3CC5E04778CA7EB3 = arn:aws:secretsmanager:us-east-1:123456789012:secret:OtherStackSecretToken3CC5E0-zTaYWBxf0B3u-MStcvb
secret-stack.SecretArn = arn:aws:secretsmanager:us-east-1:123456789012:secret:OtherStackSecretToken3CC5E0-zTaYWBxf0B3u-MStcvb
secret-stack.SecretName = OtherStackSecretToken3CC5E0-zTaYWBxf0B3u

and this from second stack

secret-ref-stack.SecretArn = arn:aws:secretsmanager:us-east-1:123456789012:secret:OtherStackSecretToken3CC5E0-zTaYWBxf0B3u-MStcvb
secret-ref-stack.SecretName = OtherStackSecretToken3CC5E0-zTaYWBxf0B3u

Both have the correct secretName.

@pahud
Contributor

pahud commented Jan 31, 2024

And you are correct.

export class SecretStack extends DemoStack {
	public readonly secretArn: string;
	constructor(scope: Construct, id: string, props: StackProps) {
		super(scope, id, props);

		const mysecret = new secretsmanager.Secret(this, 'OtherStackSecretToken', {
			generateSecretString: {
			  secretStringTemplate: JSON.stringify({}),
			  generateStringKey: 'SAMPLE_TOKEN',
			  passwordLength: 100,
			  excludePunctuation: true,
			},
		});

		this.secretArn = mysecret.secretArn;
		new CfnOutput(this, 'SecretArn', { value: mysecret.secretArn });
		new CfnOutput(this, 'SecretName', { value: mysecret.secretName });
	}
}

export interface SecretRefStackProps extends StackProps {
	secretArn: string;
}

export class SecretRefStack extends DemoStack {
	constructor(scope: Construct, id: string, props: SecretRefStackProps) {
		super(scope, id, props);

		const secret = secretsmanager.Secret.fromSecretCompleteArn(this, 'ImportedSecret', props.secretArn)

		new CfnOutput(this, 'SecretArn', { value: secret.secretArn });
		new CfnOutput(this, 'SecretName', { value: secret.secretName });
	}
}

const secretStack = new SecretStack(app, 'secret-stack', { env });
new SecretRefStack(app, 'secret-ref-stack', {
    env,
    secretArn: secretStack.secretArn,
});

The 2nd stack will return OtherStackSecretToken3CC5E0-zTaYWBxf0B3u-MStcvb as the stack name, with the trailing 6 chars, which is incorrect.

@pahud
Contributor

pahud commented Jan 31, 2024

OK I got it.

This is because the token is unresolved with a cross-stack reference, and it looks like there's no workaround for that.

// Can't operate on the token to remove the SecretsManager suffix, so just return the full secret name
if (Token.isUnresolved(resourceName)) {
  return resourceName;
}

The solution is using my first provided solution above.
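As an added illustration of the suffix-stripping rule proposed in the issue body and of the unresolved-token case pahud points to, the model below strips the six-character suffix from a concrete resource name, leaves a cross-stack token untouched, and falls back to the complete ARN as the SecretId when the name cannot be resolved. This is example code written for this page, not the CDK's own implementation; the `isUnresolved` check and the `${Token[...]}` placeholder are simplified assumptions about how CDK encodes unresolved values.

```typescript
// Illustrative model (not CDK source) of how a secret name is derived from a
// Secrets Manager ARN and why a cross-stack token keeps the "-xxxxxx" suffix.

// Resource names are `${secretName}-${6-character suffix}`.
const SUFFIX_LENGTH = 6;

// Simplified stand-in for Token.isUnresolved(): assumes unresolved values carry
// a "${Token[...]}" placeholder, as CDK's string-encoded tokens do.
function isUnresolved(value: string): boolean {
  return value.includes('${Token[');
}

// The resource name is the 7th ARN field:
// arn:aws:secretsmanager:<region>:<account>:secret:<resourceName>
function resourceNameFromArn(arn: string): string {
  if (isUnresolved(arn)) {
    // A tokenised ARN can only be split at deploy time; the result is itself
    // a token (the placeholder below stands in for that deferred expression).
    return '${Token[ResourceNameOf(' + arn + ')]}';
  }
  const parts = arn.split(':');
  if (parts.length < 7 || parts[2] !== 'secretsmanager' || parts[5] !== 'secret') {
    throw new Error('not a Secrets Manager secret ARN: ' + arn);
  }
  return parts.slice(6).join(':');
}

// Strip the suffix only from a concrete name; a token is returned untouched,
// which is what yields "...-yR0gFR" as secretName in the issue above.
function secretNameFromArn(arn: string): string {
  const resourceName = resourceNameFromArn(arn);
  if (isUnresolved(resourceName)) {
    return resourceName;
  }
  const lastHyphen = resourceName.lastIndexOf('-');
  const hasSuffix =
    lastHyphen !== -1 && resourceName.length - lastHyphen - 1 === SUFFIX_LENGTH;
  return hasSuffix ? resourceName.slice(0, lastHyphen) : resourceName;
}

// SecretId to hand to GetSecretValue: a derived name is only safe when it was
// resolvable; otherwise pass the complete ARN, which is always a valid SecretId.
function secretIdForSdk(arn: string): string {
  const name = secretNameFromArn(arn);
  return isUnresolved(name) ? arn : name;
}
```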

@pahud pahud added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Jan 31, 2024
@murpheysDeveloper
Author

murpheysDeveloper commented Jan 31, 2024

Understood, thank you for the quick triage. The one reason I haven't been exporting the full secret is due to circular reference issues encountered intermittently. I'll go ahead and just export the secretName separately though, and that should resolve it.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jan 31, 2024
@SamStephens
Contributor

@pahud does this mean that fromSecretCompleteArn should have documentation warning about this problem? That the secretName of the imported secret will not be usable for retrieval purposes, and you should use the secretFullArn?

I note that fromSecretNameV2 does warn about similar potential issues.

@pahud
Contributor

pahud commented Jun 3, 2024

Yes we'd better improve the doc for that.

@pahud pahud added p3 and removed p2 labels Jun 11, 2024