Skip to content

fix(codebuild): Secret env variable as token from another account fails on Key decryption #14483

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
mergify merged 35 commits into from
Jun 9, 2021
Merged

fix(codebuild): Secret env variable as token from another account fails on Key decryption #14483

mergify merged 35 commits into from
Jun 9, 2021

Conversation

@Kruspe
Copy link
Contributor

@Kruspe Kruspe commented May 1, 2021

fixes #14477

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@gitpod-io
Copy link

gitpod-io bot commented May 1, 2021

@github-actions github-actions bot added the @aws-cdk/aws-codebuild Related to AWS CodeBuild label May 1, 2021
@Kruspe Kruspe mentioned this pull request May 1, 2021
Closed
Kruspe
Kruspe commented May 1, 2021
View reviewed changes
Kruspe
Kruspe commented May 1, 2021
View reviewed changes
skinny85
skinny85 reviewed May 1, 2021
View reviewed changes
@Kruspe Kruspe force-pushed the master branch 4 times, most recently from 37acdca to fd1e221 Compare May 3, 2021 21:06
@Kruspe
Copy link
Contributor Author

Kruspe commented May 3, 2021

I implemented the fix for the test that shows that different account secrets parsed as tokens are not working at the moment due to missing kms policies.
I also enhanced a different test that shows that we now give policies for the same account that is not needed. Since the secret is still an unresolved token, comparing the two accounts won't work here. Do you have a good suggestions how we could solve this?

Also let me know if we still need to clarify things about the use case. 😄

@Kruspe Kruspe force-pushed the master branch 2 times, most recently from 7749b67 to 56dbd21 Compare May 5, 2021 22:00
@Kruspe
Copy link
Contributor Author

Kruspe commented May 5, 2021
edited
Loading

Okay this is the approach I opted for. It is still missing some tests and more implementation for:

  • Secret.fromSecretNameV2
  • json keys support

The if statement straight up sucks but I was too tired to figure out a better one. Maybe you can give me a hint or I will look at it tomorrow again. 😄

Any concerns or hints from your side @skinny85 ?

skinny85
skinny85 previously requested changes May 6, 2021
View reviewed changes
Copy link
Contributor

@skinny85 skinny85 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks a lot for the effort @Kruspe! This looks great, just needs a little bit more polish 🙂.

Also, make sure to update the ReadMe of the CodeBuild module to explain that you can pass Secrets directly in the value property!

@mergify mergify bot dismissed skinny85’s stale review May 7, 2021 16:37

Pull request has been modified.

Kruspe
Kruspe commented May 10, 2021
View reviewed changes
skinny85
skinny85 previously requested changes May 19, 2021
View reviewed changes
Copy link
Contributor

@skinny85 skinny85 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Putting this in 'Request changes' to clear it from my ToDo list, @Kruspe please re-request my review (there's a button in the top-right of the PR window, next to my avatar) when you're ready with the last changes!

@mergify mergify bot dismissed skinny85’s stale review May 21, 2021 12:26

Pull request has been modified.

@Kruspe
Copy link
Contributor Author

Kruspe commented May 21, 2021

Hey @skinny85 sorry for taking a while to get going here again. It was a busy week. Hope I didn't take up to much capacity in your brain.
But now I implemented the ideas we had and removed other implementations we didn't need anymore. Let me know what you think 😃

@Kruspe Kruspe requested a review from skinny85 May 21, 2021 15:50
skinny85
skinny85 previously requested changes May 21, 2021
View reviewed changes
Copy link
Contributor

@skinny85 skinny85 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great @Kruspe! A few suggestions before we merge this in.

@mergify mergify bot dismissed skinny85’s stale review May 23, 2021 23:54

Pull request has been modified.

@Kruspe
Copy link
Contributor Author

Kruspe commented May 23, 2021
edited
Loading

Hey @skinny85 I fixed mostly everything you mentioned above. There is one open point which we need to discuss (see the review above).
I added the extra fields for versionId and versionStage as you mentioned and also added an exception when both were provided since the documentation says this is not allowed.

Kruspe and others added 19 commits June 7, 2021 11:19
@Kruspe
Add SecretQualifier to handle secret value
8a10c3a 
When creating a SecretValue for SecretsManager save the values of the
secret seperatly.
Add test cases for SecretValues from an imported Secret
@Kruspe
Refactor complex assertion
82dca33
@Kruspe
Refactor tests
0891d06
@Kruspe
Get SecretValue information from SecretQualifier
51340b1 
Add direct tests for providing a SecretValue via
`SecretValue.secretsManager()`. Remove duplicated code and refactor
type checking for SecretValue
@Kruspe
Remove unnecessary tests and add docs
697ec78
@Kruspe
Remove exception for SecretValue not from SecretsManager
bad8870
@Kruspe
Validate SecretValues are not of type plain text
b6aaa4a 
We have to check this right away since SecretValues might not be passed
as token but rather gets transformed into a string
@Kruspe
Fix formatting
3cd1490
@Kruspe
Remove duplicated assertion and error
957cd46
@Kruspe
Move SecretValue versionStage and versionId check
d3feb24
@Kruspe
Make SecretValue backwards compatible
b65b9cd
@Kruspe
Add account to SecretQualifier
fd1c617 
When creating a new secret or importing it through a stack in another
account we need to pass the account to the SecretValue.
This allows us to check if the account for where the Project lives
is in deed a different one.
@skinny85 @Kruspe
Change the used account in tests from '901234567890' to '012345678912…
5458a4d 
…', which is in .gitallowed.
@skinny85 @Kruspe
Make the Token case work!
c035d18
@Kruspe
Revert changes that are not needed anymore
162df86
@Kruspe
Move comment and remove duplicated test
8aaa2ec
@Kruspe
Add test case for missing resource name
e07d4b0
@Kruspe
Add test for a Secret import via complete ARN from a different account
6e9fb92 
Add test for a secretArn which is provided as a token and fails at this moment due to a missing kms policy
@Kruspe
Remove showcase test
48b9872
@Kruspe Kruspe marked this pull request as ready for review June 7, 2021 22:16
@Kruspe Kruspe requested a review from skinny85 June 9, 2021 06:07
skinny85
skinny85 approved these changes Jun 9, 2021
View reviewed changes
Copy link
Contributor

@skinny85 skinny85 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great @Kruspe!

packages/@aws-cdk/aws-codebuild/lib/project.ts
// Work around a bug in SecretsManager -
// when the access is cross-environment,
// Secret.secretArn returns a partial ARN!
// So add a "*" at the end, so that the permissions work
Copy link
Contributor

@skinny85 skinny85 Jun 9, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// So add a "*" at the end, so that the permissions work
// So add a "-??????" at the end, so that the permissions work

@mergify
Copy link
Contributor

mergify bot commented Jun 9, 2021

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Copy link
Collaborator

aws-cdk-automation commented Jun 9, 2021

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject89A8053A-LhjRyN9kxr8o
  • Commit ID: 9a8bf82
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify mergify bot merged commit 91e80d7 into aws:master Jun 9, 2021
@mergify
Copy link
Contributor

mergify bot commented Jun 9, 2021

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

hollanddd pushed a commit to hollanddd/aws-cdk that referenced this pull request Aug 26, 2021
@Kruspe @hollanddd
fix(codebuild): Secret env variable as token from another account fai…
895b8d7 
…ls on Key decryption (aws#14483)

fixes aws#14477


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@skinny85 skinny85 skinny85 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@skinny85 skinny85

Labels

@aws-cdk/aws-codebuild Related to AWS CodeBuild

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

(CodeBuild): Add KMS decrypt to policy for secrets imported by name

3 participants

@Kruspe @skinny85 @aws-cdk-automation