(secretsmanager ): grant_read/grant_write on secret throws KMS key error on role from same account

Giving a preexisting role read/write access to a secret using the grant_read/grant_write method on a secret throws the error: “KMS Key must be provided for cross account access to Secret” Even though both secret and role are from the same AWS account.

Reproduction Steps

Use an existing role and create a new secret Give it read/write access

from aws_cdk import (
    aws_iam as iam,
    aws_secretsmanager as secretsmanager,
    core
)

class Stack(core.Stack):
  role = iam.Role.from_role_arn(self, "role", <existing iam role>)
  
  secret = secretsmanager.Secret(
      scope=self,
      id="secret-id",
      description='secret desc'
  )
  secret.grant_read(role)
  secret.grant_write(role)


app = core.App()
Stack(app, "SecretKMSError")
app.synth()

What did you expect to happen?

I expect the created secret to be created with read and write rights added to the existing role.

What actually happened?

CDK deploy throws an error: KMS Key must be provided for cross account access to Secret Even though both the (pre-existing) and the secret are on the same AWS account

Environment

• CDK CLI Version : 1.111.0
• Framework Version: 1.111.0
• Node.js Version: v12.20.1
• OS : Windows 10
• Language (Version): Python (3.8)

Other

This worked before version 1.111.0

Workaround:

role.add_to_policy(iam.PolicyStatement(effect=iam.Effect.ALLOW, actions=['secretsmanager:PutSecretValue', 'secretsmanager:UpdateSecret', 'secretsmanager:GetSecretValue', 'secretsmanager:DescribeSecret'], resources=[secret._arn_for_policies]))

I think it was introduced by this commit: https://github.com/aws/aws-cdk/commit/ea40cfe1b85ce4aee9c8f871de08d3c3739589d1

This is 🐛 Bug Report