Using Secrets Manager for GitHub token fails authentication during deploy because it is not resolved
Note: for support questions, please first reference our documentation, then use Stackoverflow. This repository's issues are intended for feature requests and bug reports.
I’m submitting a …
- 🪲 bug report
- 🚀 feature request
- 📚 construct library gap
- ☎️ security issue or vulnerability => Please see policy
- ❓ support request => Please see note at the top of this template.
What is the current behavior? If the current behavior is a 🪲bug🪲: Please provide the steps to reproduce
Current Behavior: When you use a secret you stored in Secrets Manager as the oauthToken, the CloudFormation template that gets generated only has a resolve placeholder for it during cdk deploy: https://github.com/aws/aws-cdk/blob/master/packages/%40aws-cdk/aws-codepipeline-actions/lib/github/source-action.ts#L88
It tries to authenticate with GitHub using that instead of the actual decrypted value (example: `"OAuthToken": "{{resolve:secretsmanager:arn:aws:secretsmanager:us-east-1:111㊙️my-secret:SecretString:::}}"`).
Steps to Repro:
1) Create a secret that you can access using Secrets Manager. Note its ARN.
2) Create a source action for the pipeline using GitHubSourceAction where you get the oauthToken from Secrets Manager:

```typescript
import * as codepipeline from '@aws-cdk/aws-codepipeline';
import * as codepipeline_actions from '@aws-cdk/aws-codepipeline-actions';
import * as secretsmanager from '@aws-cdk/aws-secretsmanager';

// Inside a Stack or Construct, where `this` is the scope
const sourceAction = new codepipeline_actions.GitHubSourceAction({
  actionName: 'GitHub_Source',
  branch: 'your-branch',
  output: new codepipeline.Artifact(),
  owner: 'your-repo-owner',
  repo: 'your-repo-name',
  // Token referenced from Secrets Manager; this synthesizes to a
  // {{resolve:secretsmanager:...}} dynamic reference in the template
  oauthToken: secretsmanager.Secret.fromSecretArn(this, 'your-token-name', 'your-token-arn').secretValue,
  trigger: codepipeline_actions.GitHubTrigger.WEBHOOK,
});
```
3) Use this action in your pipeline:

```typescript
// Uses the `codepipeline` import and the `sourceAction` from step 2
new codepipeline.Pipeline(this, 'your-pipeline-name', {
  stages: [
    {
      stageName: 'Source',
      actions: [
        sourceAction,
      ],
    },
    // ...
  ],
});
```
4) Build and try to deploy.

What is the expected behavior (or behavior of feature suggested)?
You should handle the case where the token is not entered using plain text (when using plain text, there are no issues, because the generated CloudFormation template has the plain text token in there instead of "{{resolve:").
This is the plain text usage that works:

```typescript
// In the GitHubSourceAction props; `cdk` is '@aws-cdk/core'
oauthToken: cdk.SecretValue.plainText('your-plain-text-token')
```

You could allow us to set registerWithThirdParty to false when instantiating a GitHubSourceAction when the token is a secret that's not created from plain text. Currently there is no way to set this flag without changing the generated CloudFormation template and then uploading that, instead of using cdk deploy directly.
What is the motivation / use case for changing the behavior or adding this feature? So you can use the CDK for GitHub as your source.
Please tell us about your environment:
- CDK CLI Version: 1.2.0
- OS: macOS Mojave
- Language: TypeScript
Other information (e.g. detailed explanation, stacktraces, related issues, suggestions how to fix, links for us to have context, eg. associated pull-request, stackoverflow, gitter, etc)
Issue Analytics
- Created 4 years ago
- Comments:9 (3 by maintainers)
Top GitHub Comments
What works for me is the following:
I’m not sure if what you are trying to do is supposed to work, but this at least will allow you to continue!
OK. I think there's some confusion.
You need the jsonField property if the value you stored in Secrets Manager is a key-value pair. Like this:
However, you can also store a plaintext value under a given secret name. Like this:
In that case, you should not provide the jsonField property.
For the token: you need to provide an OAuth token for an account that has given the CodePipeline app in the given AWS region permissions to access that account. You can check that in Settings -> Applications -> Authorized OAuth Apps in your GitHub account.
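As an added example that is not code from the aws-cdk project or from anyone in this thread, the following TypeScript audits a synthesized CloudFormation template and reports, for each GitHub source action, how its OAuthToken is supplied: as a Secrets Manager dynamic reference (the `{{resolve:secretsmanager:...}}` placeholder from the issue body, including whether it names a JSON key, which is what the jsonField property controls), or as a plaintext token written into the template. It assumes only CloudFormation's documented reference shape `{{resolve:secretsmanager:secret-id:secret-string:json-key:version-stage:version-id}}`; the sample template, the logical id MyPipeline and the account id 111111111111 are constructed placeholders.

```typescript
// Added example, not code from the aws-cdk project or the issue author.
// Pre-deploy audit of a synthesized template: locate the GitHub source actions
// of every AWS::CodePipeline::Pipeline and classify how OAuthToken is supplied.

type TokenKind = "secretsmanager-reference" | "plaintext" | "intrinsic" | "missing";

interface DynamicReference {
  secretId: string;     // name or ARN of the secret (an ARN contains colons)
  secretString: string; // "SecretString" for Secrets Manager references
  jsonKey: string;      // CDK's `jsonField`; empty when the whole SecretString is used
  versionStage: string;
  versionId: string;
}

interface TokenReport {
  pipeline: string;     // logical id of the pipeline resource
  action: string;       // action Name
  kind: TokenKind;
  reference?: DynamicReference;
}

// CloudFormation's documented shape:
// {{resolve:secretsmanager:secret-id:secret-string:json-key:version-stage:version-id}}
// secret-id may itself be an ARN with colons, so the last four fields are
// matched from the right instead of splitting the whole string on ':'.
const RESOLVE_RE = /^\{\{resolve:secretsmanager:(.+):([^:]*):([^:]*):([^:]*):([^:]*)\}\}$/;

function parseDynamicReference(value: string): DynamicReference | undefined {
  const m = RESOLVE_RE.exec(value);
  if (!m) return undefined;
  return { secretId: m[1], secretString: m[2], jsonKey: m[3], versionStage: m[4], versionId: m[5] };
}

function classifyToken(token: any): { kind: TokenKind; reference?: DynamicReference } {
  if (token === undefined || token === null || token === "") return { kind: "missing" };
  if (typeof token !== "string") return { kind: "intrinsic" }; // e.g. { "Ref": ... } or Fn::Join
  const reference = parseDynamicReference(token);
  return reference ? { kind: "secretsmanager-reference", reference } : { kind: "plaintext" };
}

function auditGitHubTokens(template: any): TokenReport[] {
  const reports: TokenReport[] = [];
  const resources = (template && template.Resources) || {};
  for (const logicalId of Object.keys(resources)) {
    const res = resources[logicalId];
    if (!res || res.Type !== "AWS::CodePipeline::Pipeline") continue;
    const stages = (res.Properties && res.Properties.Stages) || [];
    for (const stage of stages) {
      for (const action of stage.Actions || []) {
        const t = action.ActionTypeId || {};
        if (t.Category !== "Source" || t.Owner !== "ThirdParty" || t.Provider !== "GitHub") continue;
        const token = action.Configuration ? action.Configuration.OAuthToken : undefined;
        reports.push({ pipeline: logicalId, action: action.Name, ...classifyToken(token) });
      }
    }
  }
  return reports;
}

// Human-readable verdict for each report, from a defender's point of view.
function describe(r: TokenReport): string {
  const where = `${r.pipeline}/${r.action}`;
  switch (r.kind) {
    case "secretsmanager-reference": {
      const ref = r.reference!;
      const field = ref.jsonKey
        ? `JSON key '${ref.jsonKey}' of`
        : "the whole SecretString of (set jsonField if the secret is a key-value pair)";
      return `${where}: resolved by CloudFormation at deploy time from ${field} ${ref.secretId}`;
    }
    case "plaintext":
      return `${where}: token is embedded in plaintext; anyone who can read the template or stack sees it`;
    case "intrinsic":
      return `${where}: token comes from an intrinsic function; inspect the referenced value`;
    default:
      return `${where}: no OAuthToken configured`;
  }
}

// Constructed sample: a minimal synthesized template with two GitHub source
// actions. MyPipeline and the account id 111111111111 are placeholders.
const GITHUB_ACTION_TYPE = { Category: "Source", Owner: "ThirdParty", Provider: "GitHub", Version: "1" };
const SAMPLE_TEMPLATE = {
  Resources: {
    MyPipeline: {
      Type: "AWS::CodePipeline::Pipeline",
      Properties: {
        Stages: [{
          Name: "Source",
          Actions: [
            { Name: "GitHub_Source", ActionTypeId: GITHUB_ACTION_TYPE,
              Configuration: { Owner: "your-repo-owner", Repo: "your-repo-name", Branch: "your-branch",
                OAuthToken: "{{resolve:secretsmanager:arn:aws:secretsmanager:us-east-1:111111111111:secret:my-secret:SecretString:::}}",
                PollForSourceChanges: false } },
            { Name: "GitHub_Source_Plain", ActionTypeId: GITHUB_ACTION_TYPE,
              Configuration: { Owner: "your-repo-owner", Repo: "other-repo", Branch: "master",
                OAuthToken: "plain-text-token-placeholder" } },
          ],
        }],
      },
    },
  },
};

for (const r of auditGitHubTokens(SAMPLE_TEMPLATE)) {
  console.log(describe(r));
}
```

To run this against a real stack, parse `cdk.out/<stack>.template.json` after `cdk synth` and pass the object to `auditGitHubTokens`; an empty `jsonKey` on a key-value secret is the case the maintainer's comment describes, and a `plaintext` verdict means the token itself is readable by anyone with access to the template or the deployed stack.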