aws-secrets-manager-rotation-lambdas
SecretsManagerRDSMySQLRotationSingleUser application doesn't output role resource in aws serverlessrepo get-application output
I tried using SecretsManagerRDSMySQLRotationSingleUser application to create a lambda function in the AWS console but it looks like this application tries to create a role SecretsManagerRDSMySQLRotationSingleUserRole internally. My company doesn't allow role creation like this. I would like to use this application (to make use of standard rotation code and bundled pymysql etc) but would like to provide my custom role manually.
I did the following command and it only outputs SecretsManagerRDSMySQLRotationSingleUser resource and not the SecretsManagerRDSMySQLRotationSingleUserRole. Also, I don't see any role param for SecretsManagerRDSMySQLRotationSingleUser resource where I can plug in my custom role.
aws serverlessrepo get-application --application-id arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRDSMySQLRotationSingleUser
I will really appreciate any input on this.
Looks like there is already an open question about this https://github.com/awslabs/serverless-application-model/issues/1009
Thank you for creating this issue. I was able to replicate this using this template:
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Description: SAR nested app stack test
Resources:
  NestedApp:
    Type: AWS::Serverless::Application
    Properties:
      Location:
        ApplicationId: arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRDSMySQLRotationSingleUser
        SemanticVersion: 1.0.116
      Parameters:
        endpoint:
          Fn::Sub: https://secretsmanager.${AWS::Region}.amazonaws.com
        functionName: RDSMySQLSingleUserRotationLambda
        Role:
          Fn::GetAtt:
            - IAMRole
            - Arn
  IAMRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - sts:AssumeRole
            Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
        Version: '2012-10-17'
      ManagedPolicyArns:
        - Fn::Sub: arn:aws:iam::aws:policy/AdministratorAccess
```
The SAM template that is published as of today does not have a way to pass in a customer-definable role ARN as you described. I've marked this as a feature enhancement.
Any update on this like we can pass the Role to the template?
Hi mahesh - we have added this as a feature request that we're tracking internally. Since this isn't tied to the GitHub sample, I'm closing the issue here.
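The repro template in this thread attaches AdministratorAccess to its `IAMRole`; as an added example (not part of the thread or of the published application), here is how a manually supplied rotation role could be scoped to a single secret instead. Assumptions: `SecretArn` is a hypothetical template parameter, the function runs inside the database's VPC, and the function name matches the `functionName` value used in the repro.

```yaml
# Added example: scoped replacement for the IAMRole resource in the repro template.
# SecretArn is a hypothetical parameter holding the ARN of the secret to rotate.
Parameters:
  SecretArn:
    Type: String
Resources:
  IAMRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        # CloudWatch Logs plus network interface management for a VPC-attached function
        - Fn::Sub: arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
      Policies:
        - PolicyName: RotateOneSecret
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Read and write versions of the one secret being rotated
              - Effect: Allow
                Action:
                  - secretsmanager:DescribeSecret
                  - secretsmanager:GetSecretValue
                  - secretsmanager:PutSecretValue
                  - secretsmanager:UpdateSecretVersionStage
                Resource:
                  Ref: SecretArn
                Condition:
                  # Only valid while this function is the secret's configured rotation Lambda
                  StringEquals:
                    secretsmanager:resource/AllowRotationLambdaArn:
                      Fn::Sub: arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:RDSMySQLSingleUserRotationLambda
              # GetRandomPassword is not tied to a specific secret
              - Effect: Allow
                Action: secretsmanager:GetRandomPassword
                Resource: '*'
```

As the maintainer notes in the thread, the published application does not accept a role ARN, so this role applies only where the function's role can be set by the deployer.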