added secretsmanager read only #66
Conversation
iam_builder/templates.py
Outdated
| "secretsmanager:ListSecrets", | ||
| ], | ||
| "Effect": "Allow", | ||
| "Resource": f"arn:aws:secretsmanager:::secret:{secret_name}", |
There was a problem hiding this comment.
Expectation is that secret resource will be of the format arn:aws:secretsmanager:<region>:<account>:secret:<name_of_secret>-<hex_code>. As such, a user should be able to supply either the name of a specific secret, in which case we should be granting them access to ``arn:aws:secretsmanager:eu-west-1:㊙️<name_of_secret>-*`, or they should supply a wild_carded secret value which we can grant access to. Currently, this will fail to grant the access required I suspect.
iam_builder/iam_builder.py
Outdated
| @@ -91,6 +92,12 @@ def build_iam_policy(config: dict) -> dict: # noqa: C901 | |||
| iam["Statement"].append(secrets_statement) | |||
| iam["Statement"].extend(iam_lookup["decrypt_statement"]) | |||
|
|
|||
| if "secretsmanager" in config: | |||
| secretsmanager_read_only = get_secretsmanager_read_only_policy( | |||
| config["secretsmanager"]["read_only"] | |||
There was a problem hiding this comment.
This is slightly weird given that we don't have a corresponding write access level. We should have specific error handling for if users try and pass in the same keys they do for S3 (e.g. write_only, read_write that throw errors to the end user that these levels of access have not been implemented in iam_builder.
|
Newly added tests are not actually running - can you modify |
iam_builder/schemas/iam_schema.json
Outdated
| @@ -85,6 +85,19 @@ | |||
| "type": "string" | |||
| } | |||
| }, | |||
| "secretsmanager": { | |||
| "description": "A secret that the iam_role should be able to acces.", | |||
There was a problem hiding this comment.
| "description": "A secret that the iam_role should be able to acces.", | |
| "description": "A secret that the iam_role should be able to access.", |
No description provided.