feat(secretsmanager): Allow cross account grant

packages/@aws-cdk/aws-secretsmanager/README.md

@@ -71,6 +71,15 @@ then `Secret.grantRead` and `Secret.grantWrite` will also grant the role the
 relevant encrypt and decrypt permissions to the KMS key through the
 SecretsManager service principal.
 
+The principal is automatically added to Secret resource policy and KMS Key policy for cross account access:
+
+```ts
+const otherAccount = new iam.AccountPrincipal('1234');
+const key = new kms.Key(stack, 'KMS');
+const secret = new secretsmanager.Secret(stack, 'Secret', { encryptionKey: key });
+secret.grantRead(otherAccount);
+```
+
 ## Rotating a Secret
 
 ### Using a Custom Lambda Function

packages/@aws-cdk/aws-secretsmanager/lib/secret.ts

@@ -207,14 +207,16 @@ abstract class SecretBase extends Resource implements ISecret {
   public grantRead(grantee: iam.IGrantable, versionStages?: string[]): iam.Grant {
     // @see https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_identity-based-policies.html
 
-    const result = iam.Grant.addToPrincipal({
+    const result = iam.Grant.addToPrincipalOrResource({
       grantee,
       actions: ['secretsmanager:GetSecretValue', 'secretsmanager:DescribeSecret'],
       resourceArns: [this.arnForPolicies],
-      scope: this,
+      resource: this,
     });
-    if (versionStages != null && result.principalStatement) {
-      result.principalStatement.addCondition('ForAnyValue:StringEquals', {
+
+    const statement = result.principalStatement || result.resourceStatement;
+    if (versionStages != null && statement) {
+      statement.addCondition('ForAnyValue:StringEquals', {
         'secretsmanager:VersionStage': versionStages,
       });
     }
@@ -226,16 +228,21 @@ abstract class SecretBase extends Resource implements ISecret {
       );
     }
 
+    // Throw if secret is not imported and it's shared cross account and no KMS key is provided
+    if (this instanceof Secret && result.resourceStatement && !this.encryptionKey) {
+      throw new Error('KMS Key must be provided for cross account access to Secret');
+    }
+
     return result;
   }
 
   public grantWrite(grantee: iam.IGrantable): iam.Grant {
     // See https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_identity-based-policies.html
-    const result = iam.Grant.addToPrincipal({
+    const result = iam.Grant.addToPrincipalOrResource({
       grantee,
       actions: ['secretsmanager:PutSecretValue', 'secretsmanager:UpdateSecret'],
       resourceArns: [this.arnForPolicies],
-      scope: this,
+      resource: this,
     });
 
     if (this.encryptionKey) {
@@ -245,6 +252,11 @@ abstract class SecretBase extends Resource implements ISecret {
       );
     }
 
+    // Throw if secret is not imported and it's shared cross account and no KMS key is provided
+    if (this instanceof Secret && result.resourceStatement && !this.encryptionKey) {
+      throw new Error('KMS Key must be provided for cross account access to Secret');
+    }
+
     return result;
   }
 

packages/@aws-cdk/aws-secretsmanager/test/secret.test.ts

@@ -242,6 +242,106 @@ test('grantRead', () => {
   });
 });
 
+test('grantRead cross account', () => {
+  // GIVEN
+  const key = new kms.Key(stack, 'KMS');
+  const secret = new secretsmanager.Secret(stack, 'Secret', { encryptionKey: key });
+  const principal = new iam.AccountPrincipal('1234');
+
+  // WHEN
+  secret.grantRead(principal, ['FOO', 'bar']).assertSuccess();
+
+  // THEN
+  expect(stack).toHaveResource('AWS::SecretsManager::ResourcePolicy', {
+    ResourcePolicy: {
+      Statement: [
+        {
+          Action: [
+            'secretsmanager:GetSecretValue',
+            'secretsmanager:DescribeSecret',
+          ],
+          Effect: 'Allow',
+          Condition: {
+            'ForAnyValue:StringEquals': {
+              'secretsmanager:VersionStage': [
+                'FOO',
+                'bar',
+              ],
+            },
+          },
+          Principal: {
+            AWS: {
+              'Fn::Join': [
+                '',
+                [
+                  'arn:',
+                  {
+                    Ref: 'AWS::Partition',
+                  },
+                  ':iam::1234:root',
+                ],
+              ],
+            },
+          },
+          Resource: {
+            Ref: 'SecretA720EF05',
+          },
+        },
+      ],
+      Version: '2012-10-17',
+    },
+    SecretId: {
+      Ref: 'SecretA720EF05',
+    },
+  });
+
+  expect(stack).toHaveResourceLike('AWS::KMS::Key', {
+    KeyPolicy: {
+      Statement: [
+        {},
+        {},
+        {},
+        {
+          Action: 'kms:Decrypt',
+          Condition: {
+            StringEquals: {
+              'kms:ViaService': {
+                'Fn::Join': [
+                  '',
+                  [
+                    'secretsmanager.',
+                    {
+                      Ref: 'AWS::Region',
+                    },
+                    '.amazonaws.com',
+                  ],
+                ],
+              },
+            },
+          },
+          Effect: 'Allow',
+          Principal: {
+            AWS: {
+              'Fn::Join': [
+                '',
+                [
+                  'arn:',
+                  {
+                    Ref: 'AWS::Partition',
+                  },
+                  ':iam::1234:root',
+                ],
+              ],
+            },
+          },
+          Resource: '*',
+        },
+      ],
+      Version: '2012-10-17',
+    },
+  });
+});
+
 test('grantRead with version label constraint', () => {
   // GIVEN
   const key = new kms.Key(stack, 'KMS');