(rds): DatabaseProxy does not support Secrets Manager Secrets that have been encrypted with a KMS key #28850
Labels: @aws-cdk/aws-rds (Related to Amazon Relational Database), @aws-cdk/aws-secretsmanager (Related to AWS Secrets Manager), bug (This issue is a bug), needs-triage (This issue or PR still needs to be triaged)
Comments

scub added the bug and needs-triage labels on Jan 24, 2024
github-actions bot added the @aws-cdk/aws-secretsmanager label on Jan 24, 2024
scub changed the title from "(module name): (short issue description)" to "(rds): DatabaseProxy does not support Secrets Manager Secrets that have been encrypted with a KMS key" on Jan 24, 2024
github-actions bot added the @aws-cdk/aws-rds label on Jan 24, 2024
This was referenced Jan 24, 2024

mergify bot pushed a commit that referenced this issue on Jan 25, 2024:
When creating an RDS proxy, if the Secrets Manager Secret that holds the credentials is encrypted with a KMS key, any registered ProxyTarget(s) will fail to connect as they lack access to the secret, as it requires the ability to `kms:Decrypt` using the Secret's encrypted key. When this occurs the following can be observed in the DatabaseProxy logs, but only when `debugLogging` is set `true`.

```
Credentials couldn't be retrieved. The IAM role "arn:aws:iam:::role/ProxyIAMRole2FE8AB0F" is not authorized to read the AWS Secrets Manager secret with the ARN "arn:aws:secretsmanager:::secret:SecretA720EF05"
```

Reproduction steps

```ts
import { Stack } from 'aws-cdk-lib';
import { Vpc } from 'aws-cdk-lib/aws-ec2';
import { Key } from 'aws-cdk-lib/aws-kms';
import * as rds from 'aws-cdk-lib/aws-rds';
import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';

const stack = new Stack();
const vpc = new Vpc(stack, 'Vpc');
const kmsKey = new Key(stack, 'Key');
// Customer-managed key on the secret: the proxy role must be able to kms:Decrypt with it
const kmsEncryptedSecret = new secretsmanager.Secret(stack, 'Secret', { encryptionKey: kmsKey });
const cluster = new rds.DatabaseCluster(stack, 'Database', {
  engine: rds.DatabaseClusterEngine.AURORA,
  instanceProps: { vpc },
});
new rds.DatabaseProxy(stack, 'Proxy', {
  proxyTarget: rds.ProxyTarget.fromCluster(cluster),
  debugLogging: true, // the "Credentials couldn't be retrieved" line only appears with this on
  vpc,
  secrets: [kmsEncryptedSecret],
});
```

This is my first CDK PR, I've run the following:

```sh
yarn install
npx lerna run build --scope=aws-cdk-lib
cd packages/aws-cdk-lib
npx yarn test aws-rds
npx yarn lint aws-rds
npx yarn eslint --fix aws-rds/lib/proxy.ts aws-rds/test/proxy.test.ts

# Running integration tests
cd ../../
npx lerna run build --scope=@aws-cdk-testing/framework-integ
cd packages/@aws-cdk-testing/framework-integ
npx yarn integ test/aws-rds/test/*.js --update-on-failed
```

Closes #28850

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Vandita2020 pushed a commit to Vandita2020/aws-cdk that referenced this issue on Jan 30, 2024.
SankyRed pushed a commit that referenced this issue on Feb 8, 2024.
Describe the bug

When creating a DatabaseProxy, if the Secrets Manager Secret that holds the credentials is encrypted with a KMS key, any registered ProxyTarget(s) will fail to connect as they lack access to `kms:Decrypt` the secret using the encrypted key. When this occurs the following can be observed in the DatabaseProxy logs, but only when `debugLogging` is set `true`.

Expected Behavior

DatabaseProxy is able to use Secrets when they are encrypted with a KMS key.

Current Behavior

DatabaseProxy fails to successfully create
Reproduction Steps
Possible Solution
Submitted for the approval of the midnight society: The tale of #28858
Additional Information/Context: No response
CDK CLI Version: 2.122.0
Framework Version: No response
Node.js Version: 20
OS: Mac
Language: TypeScript
Language Version: No response
Other information: No response
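As an added check (not code from this issue, the linked PR or the CDK project), the script below inspects a synthesized CloudFormation template for exactly the gap reported here: a DBProxy whose IAM role may read its secret but cannot `kms:Decrypt` the customer-managed key that encrypts it, which is invisible at deploy time and only surfaces in the proxy's debug logs. The template it builds is constructed; `proxy_template` and the `DatabaseKey` logical id are assumptions, the role and secret logical ids echo the log line quoted in the commit message above, and the statement that `grant_kms_decrypt=True` adds is the grant the role needs, not necessarily the literal change made in #28858.

```python
_as_list = lambda v: v if isinstance(v, list) else [v]

def _logical_id(v):
    """Reduce a Ref / Fn::GetAtt intrinsic to the logical id it names; literals pass through."""
    return (v["Ref"] if "Ref" in v else v["Fn::GetAtt"][0]) if isinstance(v, dict) else v

def allowed_actions(template, role_id):
    """(action, target) pairs allowed by inline AWS::IAM::Policy resources attached to role_id."""
    allowed = set()
    for res in template["Resources"].values():
        props = res.get("Properties", {})
        if res["Type"] != "AWS::IAM::Policy" or role_id not in map(_logical_id, props.get("Roles", [])):
            continue
        for stmt in _as_list(props["PolicyDocument"]["Statement"]):
            if stmt.get("Effect") == "Allow":
                for action in _as_list(stmt["Action"]):
                    for resource in _as_list(stmt["Resource"]):
                        allowed.add((action, _logical_id(resource)))
    return allowed

def missing_proxy_permissions(template, proxy_id):
    """One finding per proxy secret the role cannot read, or cannot decrypt when a CMK encrypts it."""
    proxy = template["Resources"][proxy_id]["Properties"]
    role_id = _logical_id(proxy["RoleArn"])
    allowed = allowed_actions(template, role_id)
    can = lambda action, target: (action, target) in allowed or (action, "*") in allowed
    findings = []
    for auth in proxy["Auth"]:
        secret_id = _logical_id(auth["SecretArn"])
        if not can("secretsmanager:GetSecretValue", secret_id):
            findings.append(f"{role_id} lacks secretsmanager:GetSecretValue on {secret_id}")
        # No KmsKeyId means the AWS-managed aws/secretsmanager key, which needs no explicit grant.
        key = template["Resources"][secret_id]["Properties"].get("KmsKeyId")
        if key is not None and not can("kms:Decrypt", _logical_id(key)):
            findings.append(f"{role_id} lacks kms:Decrypt on {_logical_id(key)} (encrypts {secret_id})")
    return findings

def proxy_template(grant_kms_decrypt):
    """Constructed template shaped like the repro's synth output; DatabaseKey is made up, role/secret ids are from the issue's log line."""
    statements = [{"Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": {"Ref": "SecretA720EF05"}}]
    if grant_kms_decrypt:  # the grant the proxy role needs for a customer-managed key
        statements.append({"Effect": "Allow", "Action": "kms:Decrypt", "Resource": {"Fn::GetAtt": ["DatabaseKey", "Arn"]}})
    return {"Resources": {
        "DatabaseKey": {"Type": "AWS::KMS::Key"},
        "ProxyIAMRole2FE8AB0F": {"Type": "AWS::IAM::Role"},
        "SecretA720EF05": {"Type": "AWS::SecretsManager::Secret", "Properties": {"KmsKeyId": {"Fn::GetAtt": ["DatabaseKey", "Arn"]}}},
        "ProxyIAMRolePolicy": {"Type": "AWS::IAM::Policy", "Properties": {
            "Roles": [{"Ref": "ProxyIAMRole2FE8AB0F"}], "PolicyDocument": {"Statement": statements}}},
        "Proxy": {"Type": "AWS::RDS::DBProxy", "Properties": {"RoleArn": {"Fn::GetAtt": ["ProxyIAMRole2FE8AB0F", "Arn"]},
            "Auth": [{"AuthScheme": "SECRETS", "SecretArn": {"Ref": "SecretA720EF05"}}]}}}}
```

To check a real stack, load the `cdk synth` JSON output with `json.load` and pass it to `missing_proxy_permissions` with your DBProxy's logical id; the check ignores managed policies and key policies, so a clean result means the inline grants are present, not that every policy layer has been evaluated.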