fix: asset permissions
markussiebert committed Jan 23, 2025
1 parent 0c6c0b9 commit 3a2a61b
Showing 2 changed files with 17 additions and 4 deletions.
9 changes: 7 additions & 2 deletions src/SopsSync.ts
Expand Up @@ -352,7 +352,7 @@ export class SopsSync extends Construct {
role: provider.role,
sopsFileContent: sopsFileContent.toString(),
});
Permissions.assetBucket(sopsAsset, provider.role);
Permissions.assetBucket(this, sopsAsset, provider.role);
Permissions.encryptionKey(props.encryptionKey, provider.role);
Permissions.secret(props.secret, provider.role);
Permissions.parameters(this, props.parameterNames, provider.role);
Expand Down Expand Up @@ -559,10 +559,15 @@ export namespace Permissions {
/**
* Grants the necessary permissions to read the given asset from S3.
*/
export function assetBucket(asset: Asset | undefined, target: IGrantable) {
export function assetBucket(context: Construct, asset: Asset | undefined, target: IGrantable) {
if (asset === undefined) {
return;
}
const qualifier = context.node.tryGetContext('aws:cdk:qualifier') ?? 'hnb659fds';
Key.fromLookup(context, 'AssetBucketKey', {
aliasName: `alias/cdk-bootstrap/${qualifier}`,
}).grantEncrypt(target);

asset.bucket.grantRead(target);
}
}
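Review bot: The new `.grantEncrypt(target)` call in assetBucket grants kms:Encrypt/ReEncrypt/GenerateDataKey, yet the TSDoc directly above says the function grants what is needed to read the asset; reading an SSE-KMS object from the asset bucket needs kms:Decrypt, so `.grantDecrypt(target)` is the least-privilege match unless the role also writes objects, which nothing in this hunk shows. `Key.fromLookup` is also a synth-time context lookup, so every stack using this construct now needs a concrete env (the integ test in this commit adds one for that reason) and synth needs credentials or a seeded cdk.context.json; that is a behaviour change callers should see in the TSDoc, e.g. `@remarks Performs a KMS key lookup for the bootstrap key and therefore requires an environment-specific stack.`. Finally the qualifier is read only from the `aws:cdk:qualifier` context key; a qualifier configured on the stack's synthesizer, as the integ test does with `new DefaultStackSynthesizer({ qualifier: 'integ' })`, may not be reflected in that key and would then silently fall back to `hnb659fds`, so deriving it from `Stack.of(context).synthesizer` (exact property to confirm) looks more reliable. assetBucket is complete within the hunk; the earlier hunk in this file is the matching call-site change.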
12 changes: 10 additions & 2 deletions test/secret-asset.integ.ts
@@ -1,10 +1,18 @@
import { App, SecretValue, Stack } from 'aws-cdk-lib';
import { App, DefaultStackSynthesizer, SecretValue, Stack } from 'aws-cdk-lib';
import { Code, Function, Runtime } from 'aws-cdk-lib/aws-lambda';
import { SopsSecret, UploadType } from '../src/index';

const app = new App();

const stack = new Stack(app, 'SecretIntegrationAsset');
const stack = new Stack(app, 'SecretIntegrationAsset', {
synthesizer: new DefaultStackSynthesizer({
qualifier: 'integ',
}),
env: {
account: '123456789',
region: 'us-east-1',
}
});

new SopsSecret(stack, 'SopsSecretJSON', {
sopsFilePath: 'test-secrets/json/sopsfile.enc-age.json',
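Review bot: The env added to the stack uses `account: '123456789'`, a nine-digit value, whereas AWS account IDs are twelve digits; because the construct now performs a `Key.fromLookup` against this environment, synth will either attempt a real context-provider lookup with these values or depend on a pre-seeded cdk.context.json, and it is not visible here which one is intended. A twelve-digit placeholder such as `'123456789012'` with a comment like `// constructed placeholder account; lookup result is expected from cdk.context.json` would make that explicit. The `new SopsSecret(...)` call at the end of the hunk continues outside it.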
