Description
Describe the feature
Currently, the grantWrite method on a Secret construct grants permission to use the PutSecretValue and UpdateSecret operations, but not UpdateSecretVersionStage. I would prefer if grantWrite granted all three operations.
Use Case
I have a lambda that rotates a secret, and I'm using grantWrite to give the lambda's execution role access to update the secret. The lambda follows the steps that are recommended in the Secrets Manager docs, storing the new value under version stage AWSPENDING, testing it, then calling UpdateSecretVersionStage to make the new version AWSCURRENT. It's counterintuitive and frustrating that I have to add additional permissions after grantWrite if I want a lambda to have permission to do what a rotation lambda is expected to do.
Proposed Solution
Add UpdateSecretVersionStage to the list of actions in grantWrite:
const result = iam.Grant.addToPrincipalOrResource({
  grantee,
  actions: ['secretsmanager:PutSecretValue', 'secretsmanager:UpdateSecret', 'secretsmanager:UpdateSecretVersionStage'],
  resourceArns: [this.arnForPolicies],
  resource: this,
});
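As an added example (not code from the issue or from aws-cdk-lib), the following offline check walks the rotation sequence from the use case above against the IAM statement grantWrite produces, mirroring IAM's action/resource wildcard matching and Deny-over-Allow rule. The secret ARN is a placeholder and the two statements are constructed to match what the issue describes; run it against a statement copied from `cdk synth` output to see which rotation step a policy would reject.

```python
import fnmatch

# Constructed sample: the Allow statement aws-cdk-lib's Secret.grantWrite emits today
# (the two actions the issue names) and the same statement with the proposed third action.
# The secret ARN is a placeholder, not a real resource.
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:demo-AbCdEf"
CURRENT_GRANT_WRITE = {
    "Effect": "Allow",
    "Action": ["secretsmanager:PutSecretValue", "secretsmanager:UpdateSecret"],
    "Resource": SECRET_ARN,
}
PROPOSED_GRANT_WRITE = {
    **CURRENT_GRANT_WRITE,
    "Action": CURRENT_GRANT_WRITE["Action"] + ["secretsmanager:UpdateSecretVersionStage"],
}
# The secret-writing calls a rotation Lambda makes, in the order the issue describes.
ROTATION_STEPS = [
    ("secretsmanager:PutSecretValue", "store the new value under AWSPENDING"),
    ("secretsmanager:UpdateSecretVersionStage", "move AWSCURRENT to the new version"),
]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern: str, value: str, fold_case: bool) -> bool:
    # IAM patterns use '*' (any run) and '?' (one char); action names compare case-insensitively.
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)

def is_allowed(statements, action: str, resource: str) -> bool:
    """Identity-policy evaluation for one call: an explicit Deny wins, else any matching Allow."""
    allowed = False
    for st in statements:
        action_hit = any(_matches(a, action, True) for a in _as_list(st.get("Action", [])))
        resource_hit = any(_matches(r, resource, False) for r in _as_list(st.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if st.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed

def missing_rotation_steps(statements, secret_arn: str = SECRET_ARN):
    """Rotation steps the policy would reject; an empty list means rotation can complete."""
    return [note for action, note in ROTATION_STEPS if not is_allowed(statements, action, secret_arn)]

if __name__ == "__main__":
    print("grantWrite today blocks:", missing_rotation_steps([CURRENT_GRANT_WRITE]))
    print("proposed grantWrite blocks:", missing_rotation_steps([PROPOSED_GRANT_WRITE]))
```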
Other Information
No response
Acknowledgements
- I may be able to implement this feature request
- This feature might incur a breaking change
AWS CDK Library version (aws-cdk-lib)
2.186.0
AWS CDK CLI version
2.1001.0
Environment details (OS name and version, etc.)
Amazon Linux 2 x86_64