AWS CDK Secrets Manger 获取完整的 arn (python)

发布于 2025-01-10 20:43:09 字数 775 浏览 0 评论 0原文

我正在尝试创建一个使用需要秘密的脚本的金丝雀资源。我正在尝试向金丝雀角色添加政策声明（我将其作为 cdk 的一部分创建）。为此，我需要获取完整的秘密 arn，我可以获取部分 arn，

secret_from_name = secretsmanager.Secret.from_secret_name_v2

然后像使用它一样，

resources = [secret_from_name.secret_arn]

但这不会给我完整的 arn，并且权限不起作用。

.....because no identity-based policy allows the secretsmanager:GetSecretValue action

我以为我可以通过这样做来解决这个问题

resources = [secret_from_name.secret_full_arn]

，但是因为这是通过名称派生的，所以它没有获得完整的 arn，并且您得到“未定义”

我也尝试使用部分 arn 从属性中获取它，也没有什么乐趣。

那么有什么办法可以解决这个问题吗？因为我不想做的就是传递完整的 arn 或者还有其他方法可以授予对此重新启动的访问权限吗？

原文

I am trying to create a canary resource that uses a script that needs a secret.
I'm trying to add a policy statement to the canary role (which I'm creating as part of the cdk).
To do this I need to get the secrets full arn, I can get the partial arn with

secret_from_name = secretsmanager.Secret.from_secret_name_v2

then use it like

resources = [secret_from_name.secret_arn]

but that doesn't give me the full arn and the permissions don't work.

.....because no identity-based policy allows the secretsmanager:GetSecretValue action

Thought I would get around this by doing

resources = [secret_from_name.secret_full_arn]

But because this is derived by name, it doesn't get the full arn and you get 'undefined'

I also tried getting it from attribute using the partial arn, no joy there either.

So is there any way around this? As what I don't want to do is pass around full arn's
or is there another way I can grant access to this reousece?

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

花开雨落又逢春i 2025-01-17 20:43:09

秘密 ARN 末尾有一个破折号和 6 个随机字符。使用 -?????? 通配符后缀授予您的角色对所有版本的秘密名称的访问权限。

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": [
        "arn:aws:secretsmanager:<region>:<account-id-number>:secret:<secret-name>-??????"
      ]
    }
  ]
}

在 CDK 上下文中，您可以简单地使用字符串串联从密钥名称组装策略语句的资源 ARN。或者使用 CDK ARN 实用程序 (Arn.format< /a> 或 Stack.format_arn）。

Secret ARNs have a dash and 6 random characters at the end. Define the IAM policy statement's resource with a -?????? wildcard suffix to grant your role access to all versions of the secret name.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": [
        "arn:aws:secretsmanager:<region>:<account-id-number>:secret:<secret-name>-??????"
      ]
    }
  ]
}

In a CDK context you can simply use string concatenation to assemble the policy statement's resource ARN from the secret's name. Or use a CDK ARN utility (Arn.format or Stack.format_arn).

回复收藏 0 原文

~没有更多了~