
aws-redshift-alpha: User DatabaseSecret created without masterarn in Secret Text causing multi-user secret rotation to fail #28852

Open
penniman26 opened this issue Jan 24, 2024 · 1 comment · May be fixed by #28856
Labels
@aws-cdk/aws-redshift Related to Amazon Redshift bug This issue is a bug. effort/medium Medium work item – several days of effort p3

Comments


Describe the bug

Multi-User Secret Rotation on Redshift User Secret does not work without a masterarn field present in Redshift User Secret serialized JSON text.

The User Construct does not plumb in the Cluster's secret (i.e. the master secret) to the DatabaseSecret in the User constructor.

A similar change was applied to RDS's DatabaseSecret and Cluster to enable Multi-User Secret Rotation.

Expected Behavior

After enabling Multi-User Secret Rotation:

```ts
cluster.addRotationMultiUser(`${id}CredentialsRotation`, {
    secret: redshiftUser.secret,
    automaticallyAfter: secureProps.rotationPeriod,
});
```

The Redshift User Secret has a masterarn so that Multi-User Secret Rotation works.

Current Behavior

The Secret Rotation Lambda fails with

```
2024-01-10T00:23:45.982-08:00
[ERROR] KeyError: 'masterarn'
Traceback (most recent call last):
  File "/var/task/lambda_function.py", line 81, in lambda_handler
    set_secret(service_client, arn, token)
  File "/var/task/lambda_function.py", line 188, in set_secret
    admin_arn = current_dict['masterarn']
```

Reproduction Steps

```ts
// User and Cluster come from the package named in the title (assumed import).
import { Cluster, User } from '@aws-cdk/aws-redshift-alpha';

const cluster = // cluster props

// The User construct creates a DatabaseSecret for the new user; adminUser is
// the cluster's master secret, but it is not written into the user secret's JSON.
const user = new User(this, 'User', {
    cluster: cluster,
    databaseName: databaseName,
    username: username,
    adminUser: cluster.secret,
});

// Multi-user rotation expects the user secret to carry a `masterarn` field.
cluster.addRotationMultiUser(`CredentialsRotation`, {
    secret: user.secret,
});
```

Possible Solution

Additional Information/Context

No response

CDK CLI Version

2.70.0

Framework Version

No response

Node.js Version

18

OS

AL2

Language

TypeScript

Language Version

No response

Other information

No response

@penniman26 penniman26 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jan 24, 2024
@github-actions github-actions bot added the @aws-cdk/aws-redshift Related to Amazon Redshift label Jan 24, 2024
penniman26 pushed a commit to penniman26/aws-cdk that referenced this issue Jan 25, 2024
Fixes Redshift User Secret Multi-User Rotation for new Users
by including `masterarn` in the Secret's Serialized JSON Object Text.

Note: This doesn't affect existing users (nor fixes rotation for them)
since the secret string template is only used when the secret is
first created. For those existing secrets, the secret text will need
to be updated to include `masterarn` using the GetSecretValue and
UpdateSecret SecretManager APIs.

closes aws#28852

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
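The commit message above points out that secrets created before the fix keep their original JSON, so they still trip the `KeyError` shown under "Current Behavior" and have to be patched with the GetSecretValue and UpdateSecret APIs. The following is an added example, not code from the aws-cdk project or from the PR, showing that remediation for one existing user secret in Python: it reproduces the lookup that fails in the rotation Lambda's `set_secret` step, adds `masterarn`, and writes the result back. The secret layout, the ARNs and the in-memory `FakeSecretsManager` are constructed for the example so it runs offline; the two calls it makes (`get_secret_value`, `update_secret`) have the same keyword signatures on a real `boto3.client('secretsmanager')`.

```python
"""Patch an existing Redshift user secret so multi-user rotation finds 'masterarn'.

Added example (not aws-cdk code). Assumes the secret string is the JSON object
the CDK DatabaseSecret produces and that `client` exposes get_secret_value /
update_secret with boto3 Secrets Manager keyword arguments.
"""
import json

MASTER_ARN_KEY = "masterarn"


def rotation_set_secret_would_fail(secret_string: str) -> bool:
    """Mirror the rotation Lambda's lookup (current_dict['masterarn']):
    True when that lookup would raise KeyError on this secret."""
    current_dict = json.loads(secret_string)
    return MASTER_ARN_KEY not in current_dict


def master_arn_of(secret_string: str):
    """Return the masterarn value stored in the secret JSON, or None."""
    return json.loads(secret_string).get(MASTER_ARN_KEY)


def with_master_arn(secret_string: str, master_arn: str) -> str:
    """Return the secret JSON with 'masterarn' added. An existing value is kept
    so a secret that already rotates correctly is never repointed."""
    current_dict = json.loads(secret_string)
    if current_dict.get(MASTER_ARN_KEY):
        return secret_string
    current_dict[MASTER_ARN_KEY] = master_arn
    return json.dumps(current_dict)


def remediate_user_secret(client, secret_id: str, master_arn: str, dry_run: bool = False) -> bool:
    """GetSecretValue + UpdateSecret for one secret. Returns True when an update
    is needed (and, unless dry_run, was written), False when nothing changes."""
    current = client.get_secret_value(SecretId=secret_id)["SecretString"]
    if not rotation_set_secret_would_fail(current):
        return False
    if not dry_run:
        client.update_secret(SecretId=secret_id, SecretString=with_master_arn(current, master_arn))
    return True


class FakeSecretsManager:
    """Constructed in-memory stand-in for the boto3 Secrets Manager client;
    it implements only the two calls used above and records updates."""

    def __init__(self, secrets):
        self.secrets = dict(secrets)
        self.updates = []

    def get_secret_value(self, SecretId):
        return {"ARN": SecretId, "SecretString": self.secrets[SecretId]}

    def update_secret(self, SecretId, SecretString):
        self.secrets[SecretId] = SecretString
        self.updates.append(SecretId)
        return {"ARN": SecretId}


# Constructed sample data; the ARNs and hostname are placeholders.
USER_SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:RedshiftUserSecret-EXAMPLE"
MASTER_SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:RedshiftClusterSecret-EXAMPLE"
USER_SECRET_BEFORE_FIX = json.dumps({
    "username": "app_user", "password": "<redacted>", "engine": "redshift",
    "host": "example-cluster.xxxx.us-east-1.redshift.amazonaws.com",
    "port": 5439, "dbname": "analytics",
})

if __name__ == "__main__":
    client = FakeSecretsManager({USER_SECRET_ARN: USER_SECRET_BEFORE_FIX})
    print("needs patch:", remediate_user_secret(client, USER_SECRET_ARN, MASTER_SECRET_ARN, dry_run=True))
    print("patched:", remediate_user_secret(client, USER_SECRET_ARN, MASTER_SECRET_ARN))
    print("masterarn now:", master_arn_of(client.secrets[USER_SECRET_ARN]))
```

Run it once with `dry_run=True` against the real client to list which user secrets still lack the key before writing anything; the value passed as `master_arn` must be the cluster's own master secret ARN, since that is the secret the rotation Lambda uses to reset the user's password.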

pahud commented Jan 29, 2024

Thank you and we appreciate your PR.

@pahud pahud added p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Jan 29, 2024
@pahud pahud added p3 and removed p2 labels Jun 11, 2024