cdklabs/aws-delivlib

Bug when using GitHub OAuth Token Secret declared in another Stack.

sam-goodwin opened this issue · 2 comments

I have two stacks, Credentials and Pipeline. My Credentials Stack creates the Secrets so I can re-use them across many pipelines. Pipeline provisions a DelivLib pipeline and references the secrets created in the Credentials Stack.

If I use publishToGitHub:

this.pipeline.publishToGitHub({
  githubRepo: repo,
  signingKey: props.signingKey,
  dryRun: true,
});

Then I get the following error.

Resource ask-sdk-github-automation-oauth-qQ8x5Z must be in ARN format or "*". (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 61b04b4f-1594-49db-96e0-c5fae15fe356; Proxy: null)

It looks like this code is mapping my ARN to its secretName:

private convertEnvironmentSecretArnsToSecretNames(environmentSecrets?: { [key: string]: string }) {
  if (!environmentSecrets) {
    return undefined;
  }
  const out: { [key: string]: string } = { };
  Object.entries(environmentSecrets ?? {}).forEach(([name, secretArn]) => {
    const secret = aws_secretsmanager.Secret.fromSecretCompleteArn(this, `${name}SecretFromArn`, secretArn);
    out[name] = secret.secretName;
  });
  return out;
}

Which is then used in aws-codebuild's Project class to create the IAM Policy:
https://github.com/aws/aws-cdk/blob/41b831a6698ee6c7a3c8968bff8273a0c7f35448/packages/%40aws-cdk/aws-codebuild/lib/project.ts#L974-L977

Except this must be an ARN and not the name. Why is the ARN mapped to a name when creating the IAM policy? Am I doing something wrong?

It's hitting this code path (if that helps)
https://github.com/aws/aws-cdk/blob/41b831a6698ee6c7a3c8968bff8273a0c7f35448/packages/%40aws-cdk/aws-codebuild/lib/project.ts#L912-L951
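As an added example that is not part of this issue, aws-delivlib or aws-cdk: a standalone TypeScript check that walks IAM policy statements and flags any Resource that is neither "*" nor an ARN, calling out values shaped like a bare Secrets Manager secret name (the shape that appears in the error above). The statement type, the regexes and the REGION/ACCOUNT_ID placeholders are assumptions.

```typescript
// Added example (not from aws-delivlib or aws-cdk). A pre-deploy check for
// the failure mode in this issue: a Secrets Manager secret *name* landing in
// an IAM policy Resource, where only an ARN or "*" is accepted.

interface PolicyStatement {
  Effect: 'Allow' | 'Deny';
  Action: string | string[];
  Resource: string | string[];
}

interface Finding {
  statementIndex: number;
  resource: string;
  hint: string;
}

// arn:partition:service:region:account:resource (region/account may be empty)
const ARN_RE = /^arn:[a-z0-9-]+:[a-z0-9-]+:[a-z0-9-]*:\d{0,12}:.+$/;
// Secrets Manager appends "-" plus six random alphanumerics to a secret name.
const SECRET_NAME_RE = /^[A-Za-z0-9/_+=.@-]+-[A-Za-z0-9]{6}$/;

// Builds the complete secret ARN for a given name (assumed helper).
function secretNameToArn(secretName: string, region: string, account: string, partition = 'aws'): string {
  return `arn:${partition}:secretsmanager:${region}:${account}:secret:${secretName}`;
}

// Returns one finding per Resource value that IAM would reject as malformed.
function findMalformedResources(statements: PolicyStatement[]): Finding[] {
  const findings: Finding[] = [];
  statements.forEach((stmt, i) => {
    const resources = Array.isArray(stmt.Resource) ? stmt.Resource : [stmt.Resource];
    for (const r of resources) {
      if (r === '*' || ARN_RE.test(r)) continue;
      const hint = SECRET_NAME_RE.test(r)
        ? `looks like a Secrets Manager secret name; use the full ARN, e.g. ${secretNameToArn(r, 'REGION', 'ACCOUNT_ID')}`
        : 'must be an ARN or "*"';
      findings.push({ statementIndex: i, resource: r, hint });
    }
  });
  return findings;
}

// Constructed sample policy: statement 0 carries the bare name from the error above.
const samplePolicy: PolicyStatement[] = [
  { Effect: 'Allow', Action: 'secretsmanager:GetSecretValue', Resource: 'ask-sdk-github-automation-oauth-qQ8x5Z' },
  { Effect: 'Allow', Action: ['logs:CreateLogStream', 'logs:PutLogEvents'], Resource: '*' },
  { Effect: 'Allow', Action: 'secretsmanager:GetSecretValue',
    Resource: ['arn:aws:secretsmanager:us-east-1:123456789012:secret:ask-sdk-github-automation-oauth-qQ8x5Z'] },
];
for (const f of findMalformedResources(samplePolicy)) {
  console.log(`statement ${f.statementIndex}: "${f.resource}" ${f.hint}`);
}
```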

This issue is now marked as stale because it hasn't seen activity for a while. Add a comment or it will be closed soon.

Closing this issue as it hasn't seen activity for a while. Please add a comment @mentioning a maintainer to reopen.