Conversation

thedavl
Contributor

@thedavl thedavl commented Jun 2, 2023

What does this PR do?

If a secret ARN is provided & the construct is passed into addLambdaFunctions, automatically grant read access to the given secret to all the lambdas added.

Motivation

Ease of customer use. So customers don't have to manually grant secret read access anymore.

Testing Guidelines

Additional Notes

Types of Changes

  • Bug fix
  • New feature
  • Breaking change
  • Misc (docs, refactoring, dependency upgrade, etc.)

Check all that apply

  • This PR's description is comprehensive
  • This PR contains breaking changes that are documented in the description
  • This PR introduces new APIs or parameters that are documented and unlikely to change in the foreseeable future
  • This PR impacts documentation, and it has been updated (or a ticket has been logged)
  • This PR's changes are covered by the automated tests
  • This PR collects user input/sensitive content into Datadog

@thedavl thedavl changed the title auto grant red secret permissions from a secret arn Auto grant read secret permissions from a secret arn Jun 2, 2023
@thedavl thedavl marked this pull request as ready for review June 8, 2023 17:47
@thedavl thedavl requested a review from a team as a code owner June 8, 2023 17:47
function grantReadLambdasFromSecretArn(construct: Construct, arn: string, lambdaFunctions: lambda.Function[]) {
const secret = Secret.fromSecretPartialArn(construct, "DatadogApiKeySecret", arn);
lambdaFunctions.forEach((functionName) => {
secret.grantRead(functionName);
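Review bot: `Secret.fromSecretPartialArn` is given the fixed construct id "DatadogApiKeySecret" under the caller's `construct`, so a second call on the same scope (two `addLambdaFunctions` calls sharing one construct) will fail with CDK's duplicate-child-id error; derive the id from the ARN or look up the existing child before creating it. The helper also assumes the partial ARN form: if a caller passes the complete ARN (name plus the random suffix), the policy resource CDK derives for a partial ARN will not match the secret, so either document that only the partial form is accepted or branch to `Secret.fromSecretCompleteArn` when the suffix is present. Minor: the `forEach` parameter is a `lambda.Function`, not a name, so `functionName` is misleading; `fn` or `lambdaFunction` reads better.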
Contributor

Users deploying these applications may not have permissions to grant read access to keys in SSM or KMS - is there a way we can make this optional?

Contributor Author

if users don't pass the construct to addLambdaFunctions we won't try to grant anything. We could document this explicitly, only pass in the construct if you want us to try auto-granting secret read permissions?

Contributor Author

the optional construct param is only used for this feature

Contributor

We could, but we may need the construct for other work in the near future.

Can we default this to true but allow users to disable this behavior if needed?

It's (occasionally) common to see devops teams own secrets management and have elevated permissions to create or grant read permissions to individual applications, so that individual developer teams can't read arbitrary keys out of secrets storage.

Contributor Author

Gotcha, makes sense. I'll add a config param for disabling it!

@thedavl thedavl requested a review from astuyve June 9, 2023 17:36
@thedavl thedavl changed the base branch from main to AR/CDK_PeerDependency June 9, 2023 17:36
@thedavl thedavl changed the base branch from AR/CDK_PeerDependency to main June 9, 2023 17:36
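The opt-in grant and the opt-out flag discussed above, as an added dependency-free TypeScript illustration (not code from this PR or from aws-cdk-lib): it models the IAM statement `secret.grantRead()` attaches to each function and returns nothing when no ARN is given or `grantSecretReadAccess` is false. It assumes `grantRead` covers `secretsmanager:GetSecretValue` and `secretsmanager:DescribeSecret`, and that a complete secret ARN ends in a hyphen plus a 6-character random suffix.

```typescript
// Added example, not the PR's or aws-cdk-lib's code. Models what the auto-grant
// ends up putting in each function's execution role policy.

interface PolicyStatement {
  Effect: "Allow";
  Action: string[];
  Resource: string;
}

const SECRET_ARN_PREFIX = /^arn:[^:]+:secretsmanager:[^:]*:[^:]*:secret:/;
// Assumption: Secrets Manager appends "-" plus 6 alphanumerics to the name in a
// complete ARN. A secret NAME ending in such a token is ambiguous, which is why
// CDK offers separate fromSecretPartialArn / fromSecretCompleteArn imports.
const COMPLETE_ARN_SUFFIX = /-[A-Za-z0-9]{6}$/;

function isCompleteSecretArn(arn: string): boolean {
  return SECRET_ARN_PREFIX.test(arn) && COMPLETE_ARN_SUFFIX.test(arn);
}

// Resource pattern for the policy: a partial ARN must be widened to match the
// suffix that only exists on the real secret, a complete ARN is used verbatim.
function secretResourceForPolicy(arn: string): string {
  if (!SECRET_ARN_PREFIX.test(arn)) {
    throw new Error(`not a Secrets Manager secret ARN: ${arn}`);
  }
  return isCompleteSecretArn(arn) ? arn : `${arn}-??????`;
}

// Least-privilege read grant (assumed actions of grantRead), or undefined when
// the feature is disabled or no secret ARN was configured.
function buildSecretReadStatement(
  secretArn: string | undefined,
  grantSecretReadAccess: boolean = true,
): PolicyStatement | undefined {
  if (secretArn === undefined || !grantSecretReadAccess) return undefined;
  return {
    Effect: "Allow",
    Action: ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
    Resource: secretResourceForPolicy(secretArn),
  };
}

// One statement per function, keyed by function name; empty map means "nothing granted".
function grantReadToFunctions(
  secretArn: string | undefined,
  grantSecretReadAccess: boolean,
  functionNames: string[],
): Map<string, PolicyStatement> {
  const grants = new Map<string, PolicyStatement>();
  const statement = buildSecretReadStatement(secretArn, grantSecretReadAccess);
  if (statement === undefined) return grants;
  for (const name of functionNames) grants.set(name, statement);
  return grants;
}
```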
}
[DD_HANDLER_ENV_VAR]: "hello.handler",
},
},
Contributor

Were these commas added by prettier or eslint? If so, we should get a rule created in the project's lint step to fail if these aren't present.

Contributor Author

will do in another PR!

construct !== undefined &&
baseProps.grantSecretReadAccess
) {
log.debug("Granting read access to the provided Secret ARN for all your lambda functions.");
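Review bot: when `construct` is undefined or `baseProps.grantSecretReadAccess` is false the grant is skipped with no trace, so a user who expected the auto-grant and then hits an AccessDenied on the secret has nothing in the logs to point them at the flag; add a `log.debug` in the else branch stating which of the two conditions disabled it. The existing message would also be more useful if it named the secret (the ARN, or at least its name part) and the functions being granted, so the added permissions can be reviewed from the synth output.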
Contributor

Looks good!

Contributor

@astuyve astuyve left a comment

Great work on this one David, very nicely done!

@thedavl thedavl merged commit 28675fd into main Jun 12, 2023
@thedavl thedavl deleted the david.lee/auto-grant-read-secret-from-arn branch June 12, 2023 15:57
@lym953 lym953 mentioned this pull request Apr 10, 2025