Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
aws-secretsmanager: Malformed IAM Policy Resource for CodeBuildAction referencing secret name
See original GitHub issueIn the Python app below a Secret is created and then referenced in the environment configuration for a CodeBuildAction. Trying to deploy this results in a MalformedPolicyDocument error. Sure enough, this is output in cdk.out/Build.template.json in the resource BuildProjectRoleDefaultPolicy:
{
"Action": "secretsmanager:GetSecretValue",
"Effect": "Allow",
"Resource": "${Token[Fn"
}
It appears something went wrong in referencing the secret name. When i switch to the secret ARN instead, though, it works fine. According to the documentation, either the secret name or ARN should work.
Reproduction Steps
Run cdk synth for this Python app:
#!/usr/bin/env python3
from aws_cdk import \
aws_codebuild as cb, \
aws_secretsmanager as secrets, \
aws_codepipeline_actions as actions, \
aws_codepipeline as cp, \
core as cdk
class MyPipelineStack(cdk.Stack):
def __init__(self, scope: cdk.Construct, construct_id: str, **kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)
pipeline = cp.Pipeline(self, 'MyPipeline')
source_stage = pipeline.add_stage(stage_name='Source')
build_stage = pipeline.add_stage(stage_name='Build')
source_artifact = cp.Artifact(f'SourceArtifact')
source_action = actions.CodeStarConnectionsSourceAction(
action_name='SourceGitHub',
connection_arn='arn:aws:codestar-connections:us-east-1:0000000000:connection/00000000-0000-0000-0000-000000000000',
output=source_artifact,
owner='BrettHoutz',
repo='myrepo',
)
source_stage.add_action(source_action)
access_token_secret = secrets.Secret(self, 'AccessToken')
project = cb.PipelineProject(self, 'BuildProject')
build_action = actions.CodeBuildAction(
action_name='Build',
input=source_artifact,
project=project,
environment_variables={
'ACCESS_TOKEN': {'type': cb.BuildEnvironmentVariableType.SECRETS_MANAGER, 'value': access_token_secret.secret_name},
}
)
build_stage.add_action(build_action)
app = cdk.App()
MyPipelineStack(app, 'Build')
app.synth()
What did you expect to happen?
Synthesize a stack with a valid policy
What actually happened?
Policy has an invalid Resource field
Environment
- CDK CLI Version : 1.116.0
- Framework Version: 1.116.0
- Node.js Version: 10.15.3
- OS : macOS 10.15.7 Catalina
- Language (Version): Python 3.8.2
This is 🐛 Bug Report
Issue Analytics
- State:
- Created 2 years ago
- Comments:9 (7 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
The issue here is that you shouldn’t be using .secretValueFromJson in your setup. This will cause CloudFormation to retrieve the value and render it in the configuration, bypassing the benefits of Secrets Manager.
@ggallotti , try something like this instead:
Same problem here
Resource 5GhEKEYIk8^8ICiU-riNs05xW.hSEz must be in ARN format or “*”. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: f9c08434-8af0-4288-bae9-2883b9b47567; Proxy: null)