binxio/cfn-secret-provider

Arn of PrivateKey and DBPassword has extra /

Closed this issue · 1 comment

The demo-stack.yaml CloudFormation template example outputs:

$ aws cloudformation describe-stacks --stack-name demo
{
    "Stacks": [
        {
            "StackId": "arn:aws:cloudformation:us-east-1:...:stack/demo/6f1c99c0-2bae-11e9-bb8d-0e23fbf2c85e",
            "StackName": "demo",
            "Description": "Demo Custom CloudFormation Secret Provider",
            "Parameters": [
                {
                    "ParameterKey": "ApiKey",
                    "ParameterValue": ""
                }
            ],
            "CreationTime": "2019-02-08T14:33:00.168Z",
            "LastUpdatedTime": "2019-02-08T14:41:50.150Z",
            "RollbackConfiguration": {
                "RollbackTriggers": []
            },
            "StackStatus": "UPDATE_ROLLBACK_COMPLETE",
            "DisableRollback": false,
            "NotificationARNs": [],
            "Capabilities": [
                "CAPABILITY_NAMED_IAM"
            ],
            "Outputs": [
...
                {
                    "OutputKey": "PrivateKeyArn",
                    "OutputValue": "arn:aws:ssm:us-east-1:225162606092:parameter//demo/demo/private-key",
                    "Description": "ARN of the private key in the Parameter Store"
                },
...
                {
                    "OutputKey": "Arn",
                    "OutputValue": "arn:aws:ssm:us-east-1:225162606092:parameter//demo/demo/PGPASSWORD",
                    "Description": "ARN of the password in the Parameter Store"
                },
...
            ],
            "Tags": [],
            "EnableTerminationProtection": false,
            "DriftInformation": {
                "StackDriftStatus": "NOT_CHECKED"
            }
        }
    ]
}

Both of these SSM Parameter Store ARNs output there appear to have an extra "/" in the ARN. I assume this is a bug in the Lambda function(s), since the CloudFormation template doesn't manipulate the ARN or the name.

When you ask SSM to describe the relevant parameters you get this:

$ aws ssm get-parameter --name /demo/demo/private-key
{
    "Parameter": {
        "Name": "/demo/demo/private-key",
        "Type": "SecureString",
        "Value": "AQICAHgBm2QT3JUOxkIKMnuHXtEk3CmrUYfMurx85z60f5vXngHhBMuIU1MjSvx07MJqi7QNAAAH...
VkiMO4D5cCrO/1u6N28XQqPToUPqATVmL47oQb7UeLI2K4Tn9JLnquH2",
        "Version": 1,
        "LastModifiedDate": 1549636390.838,
        "ARN": "arn:aws:ssm:us-east-1:225162606092:parameter/demo/demo/private-key"
    }
}

$ aws ssm get-parameter --name /demo/demo/PGPASSWORD
{
    "Parameter": {
        "Name": "/demo/demo/PGPASSWORD",
        "Type": "SecureString",
        "Value": "AQICAHgBm2QT3JUOxkIKMnuHXtEk3CmrUYfMurx85z60f5vXngFEYAtCUKuCUp9S0R6pNc1HAAA...4k/R6QMZOCq+UcDw=",
        "Version": 2,
        "LastModifiedDate": 1549636945.698,
        "ARN": "arn:aws:ssm:us-east-1:225162606092:parameter/demo/demo/PGPASSWORD"
    }
}

You are correct. The ARN uses the pattern r'arn:aws:ssm:(?P<region>[^:]*):(?P<account>[^:]*):parameter/(?P<name>.*)'. But apparently when the name is a path, AWS removes the first / from the name in the ARN. Fixed in v0.13.3
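The following is an added example and not code from cfn-secret-provider itself. It is written in Python, the language of the pattern quoted in the reply, and puts the naive concatenation that produces "parameter//..." next to a builder that drops the leading slash of a hierarchical name, plus a parser built on the maintainer's pattern. The region, account number and the flat parameter name are constructed sample values; the parser's rule that a name containing "/" gets its leading slash restored is inferred from the get-parameter output shown above (Name "/demo/demo/private-key" versus ARN "...parameter/demo/demo/private-key").

```python
import re

# Pattern quoted in the maintainer's reply: everything after "parameter/" is the name.
SSM_PARAMETER_ARN = re.compile(
    r'arn:aws:ssm:(?P<region>[^:]*):(?P<account>[^:]*):parameter/(?P<name>.*)'
)


def naive_parameter_arn(region, account, name):
    """Plain concatenation. For a hierarchical name such as '/demo/demo/PGPASSWORD'
    this yields 'parameter//demo/...', the doubled slash reported in this issue."""
    return 'arn:aws:ssm:%s:%s:parameter/%s' % (region, account, name)


def parameter_arn(region, account, name):
    """ARN as SSM itself reports it: the 'parameter/' prefix already supplies the
    slash, so the first '/' of a hierarchical name is dropped (and only that one)."""
    if name.startswith('/'):
        name = name[1:]
    return 'arn:aws:ssm:%s:%s:parameter/%s' % (region, account, name)


def parse_parameter_arn(arn):
    """Splits an SSM parameter ARN into (region, account, name), restoring the
    leading '/' on hierarchical names so the result matches the 'Name' field
    that get-parameter returns. Assumption: a name containing '/' is hierarchical."""
    m = SSM_PARAMETER_ARN.fullmatch(arn)
    if m is None:
        raise ValueError('not an SSM parameter ARN: %r' % arn)
    name = m.group('name')
    if '/' in name and not name.startswith('/'):
        name = '/' + name
    return m.group('region'), m.group('account'), name


def has_doubled_slash(arn):
    """Cheap check for the symptom: a well-formed parameter ARN never contains '//'."""
    return '//' in arn


if __name__ == '__main__':
    region, account = 'us-east-1', '123456789012'   # constructed sample values
    for name in ('/demo/demo/private-key', '/demo/demo/PGPASSWORD', 'flat-name'):
        print('naive :', naive_parameter_arn(region, account, name))
        print('fixed :', parameter_arn(region, account, name))
        print('parsed:', parse_parameter_arn(parameter_arn(region, account, name)))
```

The doubled slash is not cosmetic: IAM matches the Resource element of a policy against the parameter's real ARN as a string, so a policy generated from the "parameter//demo/..." output would not grant access to "/demo/demo/PGPASSWORD". Running has_doubled_slash over stack outputs is a quick way to catch the older provider version.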