diff --git a/src/SopsSync.ts b/src/SopsSync.ts
index fcffb5aa..56556eb5 100644
--- a/src/SopsSync.ts
+++ b/src/SopsSync.ts
@@ -352,7 +352,7 @@ export class SopsSync extends Construct {
 role: provider.role,
 sopsFileContent: sopsFileContent.toString(),
 });
- Permissions.assetBucket(sopsAsset, provider.role);
+ Permissions.assetBucket(this, sopsAsset, provider.role);
 Permissions.encryptionKey(props.encryptionKey, provider.role);
 Permissions.secret(props.secret, provider.role);
 Permissions.parameters(this, props.parameterNames, provider.role);
@@ -559,10 +559,15 @@ export namespace Permissions {
 /**
 * Grants the necessary permissions to read the given asset from S3.
 */
- export function assetBucket(asset: Asset | undefined, target: IGrantable) {
+ export function assetBucket(context: Construct, asset: Asset | undefined, target: IGrantable) {
 if (asset === undefined) {
 return;
 }
+ const qualifier = context.node.tryGetContext('aws:cdk:qualifier') ?? 'hnb659fds';
+ Key.fromLookup(context, 'AssetBucketKey', {
+ aliasName: `alias/cdk-bootstrap/${qualifier}`,
+ }).grantEncrypt(target);
+
 asset.bucket.grantRead(target);
 }
 }
diff --git a/test/secret-asset.integ.ts b/test/secret-asset.integ.ts
index bdfa441b..3ee1e21c 100644
--- a/test/secret-asset.integ.ts
+++ b/test/secret-asset.integ.ts
@@ -1,10 +1,18 @@
-import { App, SecretValue, Stack } from 'aws-cdk-lib';
+import { App, DefaultStackSynthesizer, SecretValue, Stack } from 'aws-cdk-lib';
 import { Code, Function, Runtime } from 'aws-cdk-lib/aws-lambda';
 import { SopsSecret, UploadType } from '../src/index';
 const app = new App();
-const stack = new Stack(app, 'SecretIntegrationAsset');
+const stack = new Stack(app, 'SecretIntegrationAsset', {
+ synthesizer: new DefaultStackSynthesizer({
+ qualifier: 'integ',
+ }),
+ env: {
+ account: '123456789',
+ region: 'us-east-1',
+ }
+});
 new SopsSecret(stack, 'SopsSecretJSON', {
 sopsFilePath: 'test-secrets/json/sopsfile.enc-age.json',
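Review bot: The new `grantEncrypt(target)` in `assetBucket` does not match the function's documented purpose of reading the asset from S3 — reading an SSE-KMS object needs `kms:Decrypt`, which `grantEncrypt` does not include, while it does hand the reader write-side key permissions it should not need; if the provider only reads the asset, `.grantDecrypt(target)` is the least-privilege call, so confirm which KMS operation actually fails without this grant. The qualifier is read from the context key `'aws:cdk:qualifier'`, but the integration-test hunk configures it through `DefaultStackSynthesizer({ qualifier: 'integ' })`, so unless something else populates that context key the lookup falls back to `'hnb659fds'` there and resolves a different alias than the stack was bootstrapped with; `DefaultStackSynthesizer.DEFAULT_QUALIFIER` should replace the literal, and the alias pattern `alias/cdk-bootstrap/${qualifier}` is worth checking against the bootstrap template, which I recall naming the key alias with account and region as well. `Key.fromLookup` is a synth-time context lookup that requires a concrete account and region on the stack, which is presumably why the test now sets `env`; existing consumers with environment-agnostic stacks would start failing at synth, so this should be documented as a breaking change or guarded with a clear error. The `assetBucket` docstring should also cover the new parameter and grant, e.g. `Grants read on the asset bucket and use of the bootstrap KMS key; context is the scope used for the key lookup.`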