I am trying to create a permission set in CDK that grants GetSecretValue access to a specific secret. I get that secret by its name, using Secret.fromSecretNameV2. I know that when I get it by name, the full ARN is not available, and so appending '-??????' to the resource ARN when creating the policy works.
However, is there a prettier solution? This looks hacky.
The following is my current solution, which works, but doesn't feel ideal.
import { Effect, PolicyDocument, PolicyStatement } from 'aws-cdk-lib/aws-iam';
import { CfnPermissionSet } from 'aws-cdk-lib/aws-sso';
import { Secret } from 'aws-cdk-lib/aws-secretsmanager';

// Runs inside a construct/stack class: `this` is the scope, and
// `prodIamIdentityCenterArn` and `this.name` are defined elsewhere in it.
const databaseSecretName = `database-host`;

// Imported by name, so only the partial ARN (without the "-xxxxxx" suffix) is known.
const databaseSecret = Secret.fromSecretNameV2(
  this,
  'databaseSecret',
  databaseSecretName
);

const policy = new PolicyDocument({
  statements: [
    new PolicyStatement({
      actions: ['secretsmanager:GetSecretValue'],
      effect: Effect.ALLOW,
      // Secrets Manager appends "-" plus six random characters to the name,
      // so the partial ARN needs a six-character wildcard to match the real secret.
      resources: [databaseSecret.secretArn + '-??????'],
      sid: 'AllowDatabaseSecretReading',
    }),
  ],
});

new CfnPermissionSet(this, `PermissionSet`, {
  description: `blabla`,
  inlinePolicy: policy,
  instanceArn: prodIamIdentityCenterArn,
  managedPolicies: ['arn:aws:iam::aws:policy/ReadOnlyAccess'],
  name: this.name,
});
Any tips are appreciated! Thanks!
I tried accessing databaseSecret.secretFullArn, but it's undefined. This is in line with what the documentation says about secrets fetched by name.
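The following is an added example, not code from the question or from aws-cdk-lib, showing why the '-??????' suffix is the right IAM Resource for a secret imported by name and how tightly it matches. It has no CDK dependency: it reimplements the IAM Resource wildcard rules ('*' matches any run of characters, '?' exactly one) and applies them to constructed sample ARNs (the account id, region and suffixes are made up). The function names and the sample values are assumptions for the example.

```typescript
// Added example (not the question's code): the partial ARN known from
// Secret.fromSecretNameV2 has no "-xxxxxx" suffix, so the policy Resource
// must cover exactly six trailing characters after the secret name.
export function resourceArnForPolicy(partialArn: string, fullArn?: string): string {
  // Prefer the exact ARN when it is known; otherwise allow exactly six
  // trailing characters, which is what Secrets Manager appends to the name.
  return fullArn !== undefined ? fullArn : `${partialArn}-??????`;
}

// Minimal IAM Resource wildcard semantics: "*" matches any run of
// characters, "?" matches exactly one character, everything else is literal.
export function iamResourceMatches(pattern: string, arn: string): boolean {
  let regex = '^';
  for (const ch of pattern.split('')) {
    if (ch === '*') regex += '.*';
    else if (ch === '?') regex += '.';
    else regex += ch.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  }
  regex += '$';
  return new RegExp(regex).test(arn);
}

// Constructed sample values (not from any real account).
export const PARTIAL_ARN =
  'arn:aws:secretsmanager:eu-west-1:111122223333:secret:database-host';
export const FULL_ARN = `${PARTIAL_ARN}-Ab12Cd`;
// A differently named secret that shares the name prefix; its own random
// suffix follows its own name.
export const SIBLING_FULL_ARN = `${PARTIAL_ARN}-replica-Xy34Zw`;

export function demo(): Record<string, boolean> {
  const policyResource = resourceArnForPolicy(PARTIAL_ARN);
  return {
    // The bare partial ARN never matches the real ARN: the suffix is missing.
    partialMatchesFull: iamResourceMatches(PARTIAL_ARN, FULL_ARN),
    // With "-??????" the intended secret matches ...
    suffixedMatchesFull: iamResourceMatches(policyResource, FULL_ARN),
    // ... while "database-host-replica" does not (wrong number of characters
    // after the name),
    suffixedMatchesSibling: iamResourceMatches(policyResource, SIBLING_FULL_ARN),
    // whereas the looser "<partial>*" would also grant access to the sibling.
    starMatchesSibling: iamResourceMatches(`${PARTIAL_ARN}*`, SIBLING_FULL_ARN),
  };
}
```

The point for least privilege is that '-??????' is much tighter than a trailing '*': it only admits ARNs whose name is followed by exactly six characters, which is the shape Secrets Manager produces, so a secret with a longer name that merely shares the prefix stays out of scope. The same matcher can be run over any candidate ARN to check what a given Resource pattern would actually grant before the permission set is deployed.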