Arn of PrivateKey and DBPassword has extra /
Closed this issue · 1 comments
paul-e-allen commented
The demo-stack.yaml CloudFormation template example outputs:
$ aws cloudformation describe-stacks --stack-name demo
{
    "Stacks": [
        {
            "StackId": "arn:aws:cloudformation:us-east-1:...:stack/demo/6f1c99c0-2bae-11e9-bb8d-0e23fbf2c85e",
            "StackName": "demo",
            "Description": "Demo Custom CloudFormation Secret Provider",
            "Parameters": [
                {
                    "ParameterKey": "ApiKey",
                    "ParameterValue": ""
                }
            ],
            "CreationTime": "2019-02-08T14:33:00.168Z",
            "LastUpdatedTime": "2019-02-08T14:41:50.150Z",
            "RollbackConfiguration": {
                "RollbackTriggers": []
            },
            "StackStatus": "UPDATE_ROLLBACK_COMPLETE",
            "DisableRollback": false,
            "NotificationARNs": [],
            "Capabilities": [
                "CAPABILITY_NAMED_IAM"
            ],
            "Outputs": [
                ...
                {
                    "OutputKey": "PrivateKeyArn",
                    "OutputValue": "arn:aws:ssm:us-east-1:225162606092:parameter//demo/demo/private-key",
                    "Description": "ARN of the private key in the Parameter Store"
                },
                ...
                {
                    "OutputKey": "Arn",
                    "OutputValue": "arn:aws:ssm:us-east-1:225162606092:parameter//demo/demo/PGPASSWORD",
                    "Description": "ARN of the password in the Parameter Store"
                },
                ...
            ],
            "Tags": [],
            "EnableTerminationProtection": false,
            "DriftInformation": {
                "StackDriftStatus": "NOT_CHECKED"
            }
        }
    ]
}
Both of these SSM Parameter Store ARNs output there appear to have an extra "/" in the ARN. I assume this is a bug in the Lambda function(s), since the CloudFormation template doesn't manipulate the ARN or the name.
When you ask SSM to describe the relevant parameters you get this:
$ aws ssm get-parameter --name /demo/demo/private-key
{
    "Parameter": {
        "Name": "/demo/demo/private-key",
        "Type": "SecureString",
        "Value": "AQICAHgBm2QT3JUOxkIKMnuHXtEk3CmrUYfMurx85z60f5vXngHhBMuIU1MjSvx07MJqi7QNAAAH...
VkiMO4D5cCrO/1u6N28XQqPToUPqATVmL47oQb7UeLI2K4Tn9JLnquH2",
        "Version": 1,
        "LastModifiedDate": 1549636390.838,
        "ARN": "arn:aws:ssm:us-east-1:225162606092:parameter/demo/demo/private-key"
    }
}
$ aws ssm get-parameter --name /demo/demo/PGPASSWORD
{
    "Parameter": {
        "Name": "/demo/demo/PGPASSWORD",
        "Type": "SecureString",
        "Value": "AQICAHgBm2QT3JUOxkIKMnuHXtEk3CmrUYfMurx85z60f5vXngFEYAtCUKuCUp9S0R6pNc1HAAA...4k/R6QMZOCq+UcDw=",
        "Version": 2,
        "LastModifiedDate": 1549636945.698,
        "ARN": "arn:aws:ssm:us-east-1:225162606092:parameter/demo/demo/PGPASSWORD"
    }
}
mvanholsteijn commented
You are correct. The ARN uses the pattern r'arn:aws:ssm:(?P<region>[^:]*):(?P<account>[^:]*):parameter/(?P<name>.*). But apparently when the name is a path, AWS removes the first / from the name in the ARN. Fixed in v0.13.3
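The behaviour discussed in this thread, as an added example that is not the project's own code or its v0.13.3 fix: building an SSM parameter ARN from a name without doubling the slash, parsing it back with the pattern quoted above, and flagging stack outputs that carry `parameter//`. The function names, the account id 123456789012 and the sample outputs are constructed, and the rule that a resource containing "/" maps back to a leading-slash name is an assumption.

```python
import re

# Pattern from the maintainer's comment; used with fullmatch() here.
ARN_PATTERN = re.compile(
    r"arn:aws:ssm:(?P<region>[^:]*):(?P<account>[^:]*):parameter/(?P<name>.*)"
)

def parameter_arn(region, account, name):
    """Build the ARN for a parameter name without doubling the slash."""
    if not name or name.startswith("//"):
        raise ValueError(f"invalid parameter name: {name!r}")
    # "/demo/x" already supplies the separator; a flat name "x" needs one.
    resource = name if name.startswith("/") else "/" + name
    return f"arn:aws:ssm:{region}:{account}:parameter{resource}"

def parameter_name(arn):
    """Recover the parameter name from an ARN, rejecting 'parameter//...'."""
    match = ARN_PATTERN.fullmatch(arn)
    if match is None:
        raise ValueError(f"not an SSM parameter ARN: {arn!r}")
    name = match.group("name")
    if not name or name.startswith("/"):
        raise ValueError(f"empty or doubled-slash resource in ARN: {arn!r}")
    # Assumption: a resource containing "/" came from a hierarchical name.
    return "/" + name if "/" in name else name

def malformed_outputs(outputs):
    """Return OutputKeys whose SSM parameter ARN does not parse cleanly."""
    bad = []
    for output in outputs:
        value = output.get("OutputValue", "")
        if ARN_PATTERN.fullmatch(value) is None:
            continue  # not an SSM parameter ARN at all
        try:
            parameter_name(value)
        except ValueError:
            bad.append(output["OutputKey"])
    return bad

# Constructed sample in the shape of describe-stacks "Outputs".
SAMPLE_OUTPUTS = [
    {"OutputKey": "PrivateKeyArn",
     "OutputValue": "arn:aws:ssm:us-east-1:123456789012:parameter//demo/demo/private-key"},
    {"OutputKey": "Arn",
     "OutputValue": parameter_arn("us-east-1", "123456789012", "/demo/demo/PGPASSWORD")},
]
```

`malformed_outputs(SAMPLE_OUTPUTS)` reports only the output with the doubled slash.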