aws-secrets-manager-rotation-lambdas icon indicating copy to clipboard operation
aws-secrets-manager-rotation-lambdas copied to clipboard
verified publisher icon aws-samples

Name of IAM role not returned from AWS::SecretsManager::RotationSchedule

Open FrederiqueRetsema opened this issue 2 years ago • 1 comments

It is currently very hard to create a resource policy for the master database user secret in a multi user secret rotation template. The name of the IAM role doesn’t contain the name of the Lambda function or the name of the secret that is rotated. The most least-privileged permission that is currently possible without writing a custom resource to get the name of the role is therefore:

AllowUseOfDatabaseMainAdminSecretAtRotationOfWebsiteUserSecret: Type: AWS::SecretsManager::ResourcePolicy Properties: BlockPublicPolicy: False SecretId: !Ref DatabaseMainAdminSecret ResourcePolicy: Version: "2012-10-17" Statement: - Effect: "Allow" Action: "secretsmanager:GetSecretValue" Resource: "" Principal: "" Condition: "ArnLike": "aws:PrincipalArn": !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${AWS::StackName}SecretsManager"

It would be nicer to get the name of the IAM role back from AWS::SecretsManager::RotationSchedule, f.e. via GetAtt: [...] Condition: "ArnLike": "aws:PrincipalArn": - !GetAtt WebsiteUserSecretRotationSchedule.LambdaIAMRole - !GetAtt DatabaseMainAdminUserSecretRotationSchedule.LambdaIAMRole

You can use my CloudFormation template Database-MySQLMultiUser.yml in the repository https://github.com/FrederiqueRetsema/Blogs-2023 .

FrederiqueRetsema avatar Jul 05 '23 09:07 FrederiqueRetsema

Thank you for the request, Frederique. We've noted this as an enhancement request.

simonmarty avatar Jul 05 '23 22:07 simonmarty