
(rds): DatabaseProxy does not support Secrets Manager Secrets that have been encrypted with a KMS key #28847

Closed
scub opened this issue Jan 24, 2024 · 1 comment
Labels
@aws-cdk/aws-rds Related to Amazon Relational Database bug This issue is a bug. needs-triage This issue or PR still needs to be triaged.

Comments

@scub
Contributor

scub commented Jan 24, 2024

Describe the bug

When creating a DatabaseProxy, if the Secrets Manager Secret that holds the credentials is encrypted with a KMS key, any registered ProxyTarget(s) will fail to connect, as they lack access to kms:Decrypt the secret using the encrypted key.

When this occurs, the following can be observed in the DatabaseProxy logs, but only when debugLogging is set to true.

Credentials couldn't be retrieved. The IAM role "arn:aws:iam:::role/ProxyIAMRole2FE8AB0F" is not authorized to read the AWS Secrets Manager secret with the ARN "arn:aws:secretsmanager:::secret:SecretA720EF05"

Expected Behavior

DatabaseProxy is able to use Secrets when they are encrypted with a KMS key.

Current Behavior

DatabaseProxy fails to successfully create

Reproduction Steps

```ts
import { App, Stack } from 'aws-cdk-lib';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import { Key } from 'aws-cdk-lib/aws-kms';
import * as rds from 'aws-cdk-lib/aws-rds';
import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';

// Minimal surrounding context assumed by the snippet (stack and vpc were not shown)
const stack = new Stack(new App(), 'Stack');
const vpc = new ec2.Vpc(stack, 'Vpc');

// Secret encrypted with a customer-managed KMS key instead of the default aws/secretsmanager key
const kmsKey = new Key(stack, 'Key');
const kmsEncryptedSecret = new secretsmanager.Secret(stack, 'Secret', { encryptionKey: kmsKey });

const cluster = new rds.DatabaseCluster(stack, 'Database', {
  engine: rds.DatabaseClusterEngine.AURORA,
  instanceProps: { vpc },
});

// The proxy role is granted secretsmanager read on the secret, but not kms:Decrypt on kmsKey
new rds.DatabaseProxy(stack, 'Proxy', {
  proxyTarget: rds.ProxyTarget.fromCluster(cluster),
  vpc,
  secrets: [kmsEncryptedSecret],
});
```

Possible Solution

Submitted for the approval of the midnight society #28848

Additional Information/Context

No response

CDK CLI Version

2.122.0

Framework Version

No response

Node.js Version

20

OS

Mac

Language

TypeScript

Language Version

No response

Other information

No response
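As an added example (not code from this issue or from the CDK project): a stand-alone check that walks a synthesized CloudFormation template and reports every DBProxy whose role can read a secret but holds no kms:Decrypt on the customer key that secret is encrypted with, which is the permission gap behind the log line quoted above. The template below is a constructed, simplified stand-in for what the reproduction stack would synthesize; its logical ids are assumptions.

```python
# Constructed, simplified stand-in for what the reproduction stack synthesizes
# (not the page's real output): the proxy role can read the secret but has no
# kms:Decrypt on the customer key the secret is encrypted with.
TEMPLATE = {"Resources": {
    "Key": {"Type": "AWS::KMS::Key", "Properties": {}},
    "Secret": {"Type": "AWS::SecretsManager::Secret",
               "Properties": {"KmsKeyId": {"Ref": "Key"}}},
    "ProxyIAMRole": {"Type": "AWS::IAM::Role", "Properties": {}},
    "ProxyPolicy": {"Type": "AWS::IAM::Policy", "Properties": {
        "Roles": [{"Ref": "ProxyIAMRole"}],
        "PolicyDocument": {"Statement": [{"Effect": "Allow",
            "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
            "Resource": {"Ref": "Secret"}}]}}},
    "Proxy": {"Type": "AWS::RDS::DBProxy", "Properties": {
        "RoleArn": {"Fn::GetAtt": ["ProxyIAMRole", "Arn"]},
        "Auth": [{"AuthScheme": "SECRETS", "SecretArn": {"Ref": "Secret"}}]}}}}

def logical_id(value):
    # Reduce a Ref / Fn::GetAtt intrinsic (or a plain string) to its logical id.
    if isinstance(value, dict):
        return value["Ref"] if "Ref" in value else value["Fn::GetAtt"][0]
    return value

def as_list(value):
    return value if isinstance(value, list) else [value]

def allows_decrypt(stmt, key_id):
    # An Allow statement covering kms:Decrypt (or kms:*) on this key or on '*'.
    return (stmt.get("Effect") == "Allow"
            and any(a in ("kms:Decrypt", "kms:*") for a in as_list(stmt.get("Action", [])))
            and any(logical_id(r) in (key_id, "*") for r in as_list(stmt.get("Resource", []))))

def find_missing_decrypt(template):
    """Return (proxy, secret, key) for each proxy secret whose key its role cannot decrypt."""
    res = template["Resources"]
    findings = []
    for proxy_id, proxy in ((k, v) for k, v in res.items() if v["Type"] == "AWS::RDS::DBProxy"):
        role_id = logical_id(proxy["Properties"]["RoleArn"])
        statements = [s for p in res.values() if p["Type"] == "AWS::IAM::Policy"
                      and any(logical_id(r) == role_id for r in p["Properties"].get("Roles", []))
                      for s in p["Properties"]["PolicyDocument"]["Statement"]]
        for auth in proxy["Properties"].get("Auth", []):
            secret_id = logical_id(auth["SecretArn"])
            key_id = logical_id(res[secret_id]["Properties"].get("KmsKeyId"))
            # No KmsKeyId means the AWS-managed aws/secretsmanager key, which needs no grant.
            if key_id is not None and not any(allows_decrypt(s, key_id) for s in statements):
                findings.append((proxy_id, secret_id, key_id))
    return findings
```

Appending an Allow statement for kms:Decrypt on the key to the proxy role's policy (what key.grantDecrypt(role) emits in CDK) clears the finding.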

@scub scub added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jan 24, 2024
@github-actions github-actions bot added the @aws-cdk/aws-rds Related to Amazon Relational Database label Jan 24, 2024
@scub scub changed the title (aws-rds): DatabaseProxy does not support Secrets Manager Secrets that have been encrypted with a KMS key (rds): DatabaseProxy does not support Secrets Manager Secrets that have been encrypted with a KMS key Jan 24, 2024
@scub scub closed this as completed Jan 24, 2024

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
