Skip to content

fix(secretsmanager): add fallback grants for cross-account secrets#35478

Open
puretension wants to merge 5 commits intoaws:mainfrom
puretension:fix/secretsmanager-cross-account-grants-35476
Open

fix(secretsmanager): add fallback grants for cross-account secrets#35478
puretension wants to merge 5 commits intoaws:mainfrom
puretension:fix/secretsmanager-cross-account-grants-35476

Conversation

@puretension
Copy link
Copy Markdown
Contributor

@puretension puretension commented Sep 12, 2025

Issue # (if applicable)

Closes #35476

Reason for this change

When using Secret.fromSecretAttributes for cross-account registry credentials in ECS, the standard grantRead mechanism fails to attach policies to the task execution role, causing authentication failures when pulling container images.

Description of changes

Added fallback logic in Secret.grantRead() and Secret.grantWrite() methods:
• When autoCreatePolicy is false and no principal statement is created, use Grant.addToPrincipal() as fallback
• Ensures cross-account secrets can grant permissions to ECS task execution roles
• Maintains backward compatibility - only activates for imported secrets when standard grants fail

Describe any new or updated permissions being added

No new permissions added. The fallback uses the same IAM actions as the standard grant:
Read: secretsmanager:GetSecretValue, secretsmanager:DescribeSecret
Write: secretsmanager:PutSecretValue, secretsmanager:UpdateSecret,
secretsmanager:UpdateSecretVersionStage

Description of how you validated changes

Unit Tests:
• Added cross-account-grants.test.ts with tests for grantRead() and grantWrite()
• Tests verify managed policy creation for cross-account scenarios
• All tests pass: yarn jest --testPathPattern aws-secretsmanager/test/cross-account-grants.test.ts

Verification:
• Fallback triggers when autoCreatePolicy is false and !result.principalStatement
• Generated CloudFormation includes correct AWS::IAM::Policy resources
• Cross-account secrets now properly grant permissions to ECS task execution roles

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@puretension
fix(secretsmanager): add fallback grants for cross-account secrets
2502b97 
Signed-off-by: puretension <rlrlfhtm5@gmail.com>
@puretension
fix(secretsmanager): simplify permission grant logic for cross-accoun…
65e03d2 
…t secrets

Signed-off-by: puretension <rlrlfhtm5@gmail.com>
@puretension
test(secretsmanager): add tests for fallback grants in cross-account …
18fe90e 
…secrets

Signed-off-by: puretension <rlrlfhtm5@gmail.com>
@aws-cdk-automation aws-cdk-automation requested a review from a team September 12, 2025 20:12
@github-actions github-actions bot added beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK bug This issue is a bug. p2 labels Sep 12, 2025
aws-cdk-automation
aws-cdk-automation previously requested changes Sep 12, 2025
View reviewed changes
Copy link
Copy Markdown
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(This review is outdated)

@puretension
test(secretsmanager): add integration tests for cross-account secret …
75e4dfa 
…grants

Signed-off-by: puretension <rlrlfhtm5@gmail.com>
@aws-cdk-automation aws-cdk-automation dismissed their stale review September 12, 2025 20:24

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@pahud pahud mentioned this pull request Sep 13, 2025
Open
1 task
@puretension
Copy link
Copy Markdown
Contributor Author

puretension commented Sep 18, 2025
edited
Loading

Hi team — just a gentle follow-up on this PR (#35478).
It’s up to date and passing all checks, and I’ve included motivation, tests, and the linked issue(#35476) for context.
As an active CDK user, I’m eager to get this fix in since it unblocks a real cross-account workflow.
Please let me know if there’s anything else I can provide or adjust to help move it forward.
Thanks so much!

@aws-cdk-automation aws-cdk-automation added the pr/needs-further-review PR requires additional review from our team specialists due to the scope or complexity of changes. label Sep 30, 2025
@github-actions github-actions bot mentioned this pull request Oct 1, 2025
Open
@gshpychka
Copy link
Copy Markdown
Contributor

gshpychka commented Mar 18, 2026
edited
Loading

Hi team — just a gentle follow-up on this PR (#35478). It’s up to date and passing all checks, and I’ve included motivation, tests, and the linked issue(#35476) for context. As an active CDK user, I’m eager to get this fix in since it unblocks a real cross-account workflow. Please let me know if there’s anything else I can provide or adjust to help move it forward. Thanks so much!

From my analysis, this PR does nothing (i.e. the resulting template is the same as before). See my comment on the issue: #35476 (comment)

@pahud pahud mentioned this pull request Mar 18, 2026
Open
@gjurova gjurova assigned ozelalisen and unassigned ozelalisen Apr 1, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aws-cdk-automation aws-cdk-automation aws-cdk-automation left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK bug This issue is a bug. p2 pr/needs-further-review PR requires additional review from our team specialists due to the scope or complexity of changes.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

(ecs): registry credential grants are not enough

4 participants

@puretension @gshpychka @aws-cdk-automation @ozelalisen