Aws-cdk: cfnAccessKey: Getting AccessKeyId and SecretAccessKeyId to output

Created on 8 Aug 2019 · 3 Comments · Source: aws/aws-cdk

Note: for support questions, please first reference our documentation, then use Stackoverflow. This repository's issues are intended for feature requests and bug reports.

  • I'm submitting a ...

    • [ ] :beetle: bug report
    • [x] :rocket: feature request
    • [ ] :books: construct library gap
    • [ ] :phone: security issue or vulnerability => Please see policy
    • [ ] :question: support request => Please see note at the top of this template.
  • What is the current behavior?
    If the current behavior is a :beetle:bug:beetle:: Please provide the steps to reproduce
    I have a constraint where a WordPress plugin for attaching static content to AWS CloudFront requires accesskey and accesskeyID. cfnAccessKey allows me to pull the secret key but not the access key ID.

  • What is the expected behavior (or behavior of feature suggested)?

    const cfuser = new iam.User(this, "CFPluginUser", {
      userName: "CFPluginUser",
      managedPolicies: [
        { managedPolicyArn: "arn:aws:iam::aws:policy/CloudFrontFullAccess" }
      ]
    });
    const cfpluginak = new iam.CfnAccessKey(this, "CFPluginAccessKey", {
      userName: cfuser.userName,
    });

    new cdk.CfnOutput(this, "AccessKeyId", {
      value: cfpluginak.attrAccessKeyId // <-- This should work
    })

    new cdk.CfnOutput(this, "SecretAccessKeyId", {
      value: cfpluginak.attrSecretAccessKey
    });
  • What is the motivation / use case for changing the behavior or adding this feature?
    The ability to fully automate making users with programmatic access and logging outputs to the local computer. Unless you guys know a better way?

  • Please tell us about your environment:

    • CDK CLI Version: 1.3.0 (build bba9914)
    • Module Version: ???
    • OS: [OSX Mojave ]
    • Language: [TypeScript]
  • Other information (e.g. detailed explanation, stacktraces, related issues, suggestions how to fix, links for us to have context, eg. associated pull-request, stackoverflow, gitter, etc)

Example Seen elsewhere but solution no longer works

Maybe a workaround from CloudFormation Docs?
Return Values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the AccessKeyId. For example: AKIAIOSFODNN7EXAMPLE.

For more information about using the Ref function, see Ref.


All 3 comments

For your specific use-case, if your WordPress is hosted on an EC2 instance in your stack, and your plugin is able to handle it, you can attach an IAM role to the instance.

Unfortunately, W3 Total Cache requires access keys because it does not make assumptions on which compute platform and/or CDN you choose to host your WordPress site. Using a role would have been nice though.

As the CloudFormation docs indicate, the access key ID is the intrinsic reference of the resource, so you need to use ref instead of attrAccessKeyId:

new cdk.CfnOutput(this, "AccessKeyId", {
  value: cfpluginak.ref
});
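
Added example, not part of the thread and not aws-cdk code: `ref` synthesizes to `Ref` (the access key ID) and `attrSecretAccessKey` to `Fn::GetAtt` on `SecretAccessKey`, and output values are returned in plaintext to anyone who can describe the stack, so this check lists the outputs of a synthesized template that resolve to the secret. The sample template, its simplified logical IDs and the function names are constructed for illustration.

```typescript
// Added example (not aws-cdk code): list stack outputs that expose an
// AWS::IAM::AccessKey secret in a synthesized CloudFormation template.
type CfnJson = null | boolean | number | string | CfnJson[] | { [key: string]: CfnJson };

interface CfnTemplate {
  Resources: { [logicalId: string]: { Type: string; Properties?: CfnJson } };
  Outputs?: { [name: string]: { Value: CfnJson } };
}

// True if value contains {"Fn::GetAtt": [<access key id>, "SecretAccessKey"]},
// directly or nested inside another intrinsic such as Fn::Join.
function readsSecret(value: CfnJson | undefined, keyIds: string[]): boolean {
  if (typeof value !== "object" || value === null) return false;
  if (Array.isArray(value)) return value.some((v) => readsSecret(v, keyIds));
  const obj: { [key: string]: CfnJson } = value;
  const getAtt = obj["Fn::GetAtt"];
  if (Array.isArray(getAtt)) {
    const id = getAtt[0];
    if (typeof id === "string" && keyIds.indexOf(id) !== -1 && getAtt[1] === "SecretAccessKey") {
      return true;
    }
  }
  return Object.keys(obj).some((k) => readsSecret(obj[k], keyIds));
}

// Names of outputs whose value resolves to the secret; a bare Ref (the
// access key ID) is not reported.
function findSecretOutputs(template: CfnTemplate): string[] {
  const keyIds = Object.keys(template.Resources).filter(
    (id) => template.Resources[id].Type === "AWS::IAM::AccessKey",
  );
  const outputs = template.Outputs || {};
  return Object.keys(outputs).filter((name) => readsSecret(outputs[name].Value, keyIds));
}

// Constructed sample: simplified logical IDs, shaped like the issue's stack.
const sampleTemplate: CfnTemplate = {
  Resources: {
    CFPluginUser: { Type: "AWS::IAM::User" },
    CFPluginAccessKey: { Type: "AWS::IAM::AccessKey", Properties: { UserName: { Ref: "CFPluginUser" } } },
  },
  Outputs: {
    AccessKeyId: { Value: { Ref: "CFPluginAccessKey" } },
    SecretAccessKeyId: { Value: { "Fn::GetAtt": ["CFPluginAccessKey", "SecretAccessKey"] } },
    PluginConfig: { Value: { "Fn::Join": ["", ["secret=", { "Fn::GetAtt": ["CFPluginAccessKey", "SecretAccessKey"] }]] } },
    UserArn: { Value: { "Fn::GetAtt": ["CFPluginUser", "Arn"] } },
  },
};

const exposed = findSecretOutputs(sampleTemplate); // ["SecretAccessKeyId", "PluginConfig"]
```

To check a real stack, pass the parsed JSON template that `cdk synth` writes in place of `sampleTemplate`.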