
(rds): DatabaseProxy does not support Secrets Manager Secrets that have been encrypted with a KMS key #28850

Closed
scub opened this issue Jan 24, 2024 · 1 comment · Fixed by #28858
Labels
@aws-cdk/aws-rds Related to Amazon Relational Database @aws-cdk/aws-secretsmanager Related to AWS Secrets Manager bug This issue is a bug. needs-triage This issue or PR still needs to be triaged.

Comments

scub (Contributor) commented Jan 24, 2024

Describe the bug

When creating a DatabaseProxy, if the Secrets Manager Secret that holds the credentials is encrypted with a KMS key, any registered ProxyTarget(s) will fail to connect, as they lack access to kms:Decrypt the secret using the encryption key.

When this occurs the following can be observed in the DatabaseProxy logs but only when debugLogging is set true.

```
Credentials couldn't be retrieved. The IAM role "arn:aws:iam:::role/ProxyIAMRole2FE8AB0F" is not authorized to read the AWS Secrets Manager secret with the ARN "arn:aws:secretsmanager:::secret:SecretA720EF05"
```

Expected Behavior

DatabaseProxy is able to use Secrets when they are encrypted with a KMS key.

Current Behavior

DatabaseProxy fails to successfully create

Reproduction Steps

```ts
import { App, Stack } from 'aws-cdk-lib';
import { Vpc } from 'aws-cdk-lib/aws-ec2';
import { Key } from 'aws-cdk-lib/aws-kms';
import * as rds from 'aws-cdk-lib/aws-rds';
import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';

const stack = new Stack(new App(), 'Stack');
const vpc = new Vpc(stack, 'Vpc');

// Secret encrypted with a customer-managed KMS key instead of the AWS-managed default
const kmsKey = new Key(stack, 'Key');
const kmsEncryptedSecret = new secretsmanager.Secret(stack, 'Secret', { encryptionKey: kmsKey });

const cluster = new rds.DatabaseCluster(stack, 'Database', {
  engine: rds.DatabaseClusterEngine.AURORA,
  instanceProps: { vpc },
});

// The proxy's generated IAM role is granted secretsmanager read access but not kms:Decrypt on the key
new rds.DatabaseProxy(stack, 'Proxy', {
  proxyTarget: rds.ProxyTarget.fromCluster(cluster),
  vpc,
  secrets: [kmsEncryptedSecret],
});
```

Possible Solution

Submitted for the approval of the midnight society: The tale of #28858

Additional Information/Context

No response

CDK CLI Version

2.122.0

Framework Version

No response

Node.js Version

20

OS

Mac

Language

TypeScript

Language Version

No response

Other information

No response
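An added audit, not from the issue or the CDK project, that walks the CloudFormation JSON `cdk synth` emits for the repro above and flags every DBProxy secret whose KMS key the proxy role has no `kms:Decrypt` statement for; the template below is a constructed stand-in, and the resource names and the functions `decryptable_keys`, `find_undecryptable_proxy_secrets` and `grant_decrypt` are assumptions of mine.

```python
import copy

# Constructed sample of what `cdk synth` emits for the repro: the proxy role may read the secret but not decrypt its key.
TEMPLATE = {"Resources": {
    "Key": {"Type": "AWS::KMS::Key", "Properties": {}},
    "Secret": {"Type": "AWS::SecretsManager::Secret", "Properties": {"KmsKeyId": {"Ref": "Key"}}},
    "ProxyIAMRole": {"Type": "AWS::IAM::Role", "Properties": {}},
    "ProxyIAMRolePolicy": {"Type": "AWS::IAM::Policy", "Properties": {
        "Roles": [{"Ref": "ProxyIAMRole"}],
        "PolicyDocument": {"Statement": [{"Effect": "Allow", "Resource": {"Ref": "Secret"},
            "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]}]}}},
    "Proxy": {"Type": "AWS::RDS::DBProxy", "Properties": {
        "RoleArn": {"Fn::GetAtt": ["ProxyIAMRole", "Arn"]},
        "Auth": [{"AuthScheme": "SECRETS", "SecretArn": {"Ref": "Secret"}}]}}}}

def _logical_id(v):
    """Resolve {"Ref": X} / {"Fn::GetAtt": [X, ...]} to X; anything else passes through unchanged."""
    return (v.get("Ref") or v["Fn::GetAtt"][0]) if isinstance(v, dict) else v

def _as_list(v):
    return v if isinstance(v, list) else [v]

def decryptable_keys(template, role_id):
    """Logical ids of keys (or '*') that inline AWS::IAM::Policy statements let role_id kms:Decrypt."""
    keys = set()
    for res in template["Resources"].values():
        props = res.get("Properties", {})
        if res["Type"] == "AWS::IAM::Policy" and role_id in map(_logical_id, props.get("Roles", [])):
            for stmt in props["PolicyDocument"]["Statement"]:
                if stmt.get("Effect") == "Allow" and "kms:Decrypt" in _as_list(stmt.get("Action", [])):
                    keys.update(_logical_id(r) for r in _as_list(stmt.get("Resource", [])))
    return keys

def find_undecryptable_proxy_secrets(template):
    """Yield (proxy, secret, key) for each KMS-encrypted proxy secret whose key the proxy role cannot decrypt."""
    res = template["Resources"]
    for pid, proxy in ((i, r) for i, r in res.items() if r["Type"] == "AWS::RDS::DBProxy"):
        allowed = decryptable_keys(template, _logical_id(proxy["Properties"]["RoleArn"]))
        for auth in proxy["Properties"].get("Auth", []):
            sid = _logical_id(auth.get("SecretArn"))
            key = _logical_id(res.get(sid, {}).get("Properties", {}).get("KmsKeyId"))
            if key and key not in allowed and "*" not in allowed:
                yield (pid, sid, key)

def grant_decrypt(template, policy_id, key_id):
    """Copy of template with the missing kms:Decrypt statement on key_id appended to policy_id."""
    fixed = copy.deepcopy(template)
    fixed["Resources"][policy_id]["Properties"]["PolicyDocument"]["Statement"].append(
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": {"Fn::GetAtt": [key_id, "Arn"]}})
    return fixed
```

The check only reads inline policies attached to the role, so a grant made through the key's resource policy or a managed policy would still be reported; extend `decryptable_keys` if your stacks grant that way.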

@scub scub added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jan 24, 2024
@github-actions github-actions bot added the @aws-cdk/aws-secretsmanager Related to AWS Secrets Manager label Jan 24, 2024
@scub scub changed the title from "(module name): (short issue description)" to "(rds): DatabaseProxy does not support Secrets Manager Secrets that have been encrypted with a KMS key" Jan 24, 2024
@github-actions github-actions bot added the @aws-cdk/aws-rds Related to Amazon Relational Database label Jan 24, 2024
@mergify mergify bot closed this as completed in #28858 Jan 25, 2024
mergify bot pushed a commit that referenced this issue Jan 25, 2024
When creating an RDS proxy, if the Secrets Manager Secret that holds the credentials is encrypted with a KMS key, any registered ProxyTarget(s) will fail to connect, as they lack access to the secret, which requires the ability to `kms:Decrypt` using the Secret's encryption key.

When this occurs the following can be observed in the DatabaseProxy logs but only when `debugLogging` is set `true`.

```
Credentials couldn't be retrieved. The IAM role "arn:aws:iam:::role/ProxyIAMRole2FE8AB0F" is not authorized to read the AWS Secrets Manager secret with the ARN "arn:aws:secretsmanager:::secret:SecretA720EF05"
```


Reproduction steps

```
    const vpc = new Vpc(stack, 'Vpc');
    const kmsKey = new Key(stack, 'Key');
    const kmsEncryptedSecret = new secretsmanager.Secret(stack, 'Secret', {encryptionKey: kmsKey});

    const cluster = new rds.DatabaseCluster(stack, 'Database', {
      engine: rds.DatabaseClusterEngine.AURORA,
      instanceProps: { vpc },
    });

    new rds.DatabaseProxy(stack, 'Proxy', {
      proxyTarget: rds.ProxyTarget.fromCluster(cluster),
      debugLogging: true,
      vpc,
      secrets: [kmsEncryptedSecret],
    });
```

This is my first CDK PR; I've run the following:

```
yarn install
npx lerna run build --scope=aws-cdk-lib
cd packages/aws-cdk-lib
npx yarn test aws-rds
npx yarn lint aws-rds
npx yarn eslint --fix aws-rds/lib/proxy.ts aws-rds/test/proxy.test.ts

# Running integration tests
cd ../../
npx lerna run build --scope=@aws-cdk-testing/framework-integ
cd packages/@aws-cdk-testing/framework-integ
npx yarn integ test/aws-rds/test/*.js --update-on-failed
```


Closes #28850

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

Vandita2020 pushed a commit to Vandita2020/aws-cdk that referenced this issue Jan 30, 2024
SankyRed pushed a commit that referenced this issue Feb 8, 2024