
Output function role ARN

Open · maclennann opened this issue 5 years ago · 1 comment

It would be great if the CloudFormation templates for these functions would output the ARN of the role that was created, for inclusion in resource policies on the secrets.

Right now the best option I've found is to check userid ~= "*:[rotator function name]" as in

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "secretsmanager:UpdateSecretVersionStage",
        "secretsmanager:PutSecretValue",
        "secretsmanager:GetSecretValue"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotLike": {
          "aws:userid": [
            "AROASECRETADMINROLE:*",
            "*:name-of-rotator-function"
          ]
        }
      }
    }
  ]
}

Which, for all the protection that provides, I just might as well not have a secret policy.

maclennann · Jun 12 '20 13:06
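To make the weakness of the `aws:userid` workaround concrete, here is an added example (not from the issue and not part of the aws-secrets-manager-rotation-lambdas project): a minimal evaluator for IAM `StringNotLike` conditions, run against the condition from the policy posted above and against an `aws:PrincipalArn` condition that needs exactly the role ARN the issue asks the template to output. Every role ID, account ID, ARN and session name is constructed sample data; the evaluator only models the operator the policy uses.

```python
"""Added example: evaluate the Deny condition from the secret resource policy above
against constructed principals. Not code from the issue or the rotation-lambdas project.
"""
import re


def iam_string_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: '*' matches any run of characters, '?' exactly one,
    everything else is a literal, case-sensitive comparison."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def condition_matches(condition: dict, request_context: dict) -> bool:
    """Evaluate a Condition block made of StringNotLike clauses.

    For one key, StringNotLike is true when the request value matches none of the
    listed patterns; several keys are ANDed. Other operators are deliberately rejected.
    """
    for operator, clauses in condition.items():
        if operator != "StringNotLike":
            raise NotImplementedError(f"operator {operator} is not modelled here")
        for key, patterns in clauses.items():
            value = request_context[key]  # aws:userid / aws:PrincipalArn are always set for IAM principals
            if any(iam_string_like(p, value) for p in patterns):
                return False
    return True


# The Condition from the Deny statement posted in the issue: every principal whose
# userid matches neither pattern is denied.
USERID_CONDITION = {
    "StringNotLike": {
        "aws:userid": ["AROASECRETADMINROLE:*", "*:name-of-rotator-function"],
    }
}

# Alternative that needs the rotation function's role ARN. aws:PrincipalArn carries the
# role ARN for every session of an assumed role, whatever session name the caller picked.
# Account ID and role names are assumptions for this example.
PRINCIPAL_ARN_CONDITION = {
    "StringNotLike": {
        "aws:PrincipalArn": [
            "arn:aws:iam::111122223333:role/SecretAdminRole",
            "arn:aws:iam::111122223333:role/name-of-rotator-function-role",
        ],
    }
}

# Constructed request contexts. For an assumed-role session aws:userid is
# "<role unique id>:<session name>", and Lambda uses the function name as session name.
SAMPLE_REQUESTS = {
    "secret admin session": {
        "aws:userid": "AROASECRETADMINROLE:alice",
        "aws:PrincipalArn": "arn:aws:iam::111122223333:role/SecretAdminRole",
    },
    "rotation lambda": {
        "aws:userid": "AROAROTATORROLE:name-of-rotator-function",
        "aws:PrincipalArn": "arn:aws:iam::111122223333:role/name-of-rotator-function-role",
    },
    # Some unrelated role in the account, assumed with RoleSessionName set to the
    # function name: the session name is caller-chosen, the role unique ID is not.
    "analyst role, spoofed session name": {
        "aws:userid": "AROAANALYSTROLE:name-of-rotator-function",
        "aws:PrincipalArn": "arn:aws:iam::111122223333:role/Analyst",
    },
    "analyst role, normal session": {
        "aws:userid": "AROAANALYSTROLE:bob",
        "aws:PrincipalArn": "arn:aws:iam::111122223333:role/Analyst",
    },
}


def denied_by(condition: dict, requests: dict = SAMPLE_REQUESTS) -> list:
    """Names of the sample requests the Deny statement applies to under `condition`."""
    return [name for name, ctx in requests.items() if condition_matches(condition, ctx)]


if __name__ == "__main__":
    for label, cond in (("aws:userid", USERID_CONDITION), ("aws:PrincipalArn", PRINCIPAL_ARN_CONDITION)):
        print(f"{label}: Deny applies to {denied_by(cond)}")
```

Run as-is, the `aws:userid` condition lets the spoofed analyst session through, because `*:name-of-rotator-function` accepts any role whose session was named after the function; the `aws:PrincipalArn` condition denies it while still admitting the real rotation role. Until the template exposes the ARN, it can be read from the deployed function with `aws lambda get-function-configuration --function-name <name> --query Role --output text`. Two caveats for either form: the Deny must still be paired with an Allow (normally the rotation role's identity policy), and a Deny with `"Principal": {"AWS": "*"}` also locks out the account root unless it is listed.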

Thank you for your feedback. We have noted this as a feature request.

joebaro · May 05 '21 22:05