Aws-cdk: [SecretsManager] Secret.fromSecretArn(): Error: invalid ARN format; no secret name provided (#10309)

Created on 25 Sep 2020  ·  3 Comments  ·  Source: aws/aws-cdk

When using Secret.fromSecretArn(scope, id, secretArn) to retrieve an ARN from another stack, and the secretArn variable is an unresolved token (as it has not been created yet) instead of a real / concrete value, the functionality in PR https://github.com/aws/aws-cdk/pull/10309 causes an error of Error: invalid ARN format; no secret name provided

Reproduction Steps

I _think_ this should do it:

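import { Secret } from '@aws-cdk/aws-secretsmanager';
import { App, Stack } from '@aws-cdk/core';

const app = new App();
const stackA = new Stack(app, 'stackA');
const stackB = new Stack(app, 'stackB');

// secret1.secretArn is an unresolved token until stackA is synthesized/deployed
const secret1 = new Secret(stackA, 'secret1');

// Boom 💥
const secret2 = Secret.fromSecretArn(stackB, 'secret2', secret1.secretArn);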

What did you expect to happen?

Work as it did before Release 1.64.0 (which worked with Tokens just fine).

What actually happened?

/Users/me/project/cdk/node_modules/@aws-cdk/aws-secretsmanager/lib/secret.ts:605
  throw new Error('invalid ARN format; no secret name provided');
        ^
Error: invalid ARN format; no secret name provided
    at parseSecretName (/Users/me/project/cdk/node_modules/@aws-cdk/aws-secretsmanager/lib/secret.ts:605:9)
    at new Import (/Users/me/project/cdk/node_modules/@aws-cdk/aws-secretsmanager/lib/secret.ts:282:36)
    at Function.fromSecretAttributes (/Users/me/project/cdk/node_modules/@aws-cdk/aws-secretsmanager/lib/secret.ts:286:12)
    at Function.fromSecretArn (/Users/me/project/cdk/node_modules/@aws-cdk/aws-secretsmanager/lib/secret.ts:245:19)
    at new APIService (/Users/me/project/cdk/src/services/api.ts:77:44)
    at main (/Users/me/project/cdk/src/index.ts:190:22)

Environment

  • CLI Version : 1.64.0 (build 9510201)
  • Framework Version: 1.64.0
  • Node.js Version: v14.8.0
  • OS : MacOS Catalina
  • Language (Version): TypeScript 3.8.5

Other

I'll follow up in the PR thread too if that's better. https://github.com/aws/aws-cdk/pull/10309#issuecomment-698651664

I'll stare at the offending piece of code tomorrow to see if I can come up with a suggestion.

https://github.com/aws/aws-cdk/blob/a8e8ed37379c5bbaeeb13a773d5438ea5e5b2fec/packages/%40aws-cdk/aws-secretsmanager/lib/secret.ts#L604-L614


This is :bug: Bug Report

Labels: @aws-cdk/aws-secretsmanager, bug, effort/small, in-progress, p1

All 3 comments

+1, since 1.64.0 :

invalid ARN format; no secret name provided
Subprocess exited with error 1

Here's a unit test to reproduce the problem.

Works with 1.63.0, breaks with 1.64.0.

import { Secret } from '@aws-cdk/aws-secretsmanager';
import { App, Stack } from '@aws-cdk/core';

describe('Cross-Stack Secrets', () => {
  it('Can import a Secret ARN that is a Token', () => {
    const app = new App();
    const stackA = new Stack(app, 'stackA');
    const stackB = new Stack(app, 'stackB');
    const secret1 = new Secret(stackA, 'secret1');
    const secret2 = Secret.fromSecretArn(stackB, 'secret2', secret1.secretArn);
    expect(secret2.secretArn).toEqual(secret1.secretArn);
  });
});

With 1.63.0

$ cdk --version ; yarn list @aws-cdk/aws-secretsmanager
yarn list v1.22.4
warning Filtering by arguments is deprecated. Please use the pattern option instead.
└─ @aws-cdk/aws-secretsmanager@1.63.0
1.63.0 (build 7a68125)

$ jest --silent test/secret.fromSecretArn.test.ts
 PASS  test/secret.fromSecretArn.test.ts (7.819 s)

Test Suites: 1 passed, 1 total
Tests:       1 passed, 1 total
Snapshots:   0 total
Time:        8.64 s, estimated 9 s
✨  Done in 9.70s.

With 1.64.0

$ cdk --version ; yarn list @aws-cdk/aws-secretsmanager
1.64.0 (build 9510201)
yarn list v1.22.4
warning Filtering by arguments is deprecated. Please use the pattern option instead.
└─ @aws-cdk/aws-secretsmanager@1.64.0
✨  Done in 0.82s.

$ yarn test test/secret.fromSecretArn.test.ts
yarn run v1.22.4

$ jest --silent test/secret.fromSecretArn.test.ts
 FAIL  test/secret.fromSecretArn.test.ts (7.591 s)
  ● Cross-Stack Secrets › Can import a Secret ARN that is a Token

    invalid ARN format; no secret name provided

       8 |     const stackB = new Stack(app, 'stackB');
       9 |     const secret1 = new Secret(stackA, 'secret1');
    > 10 |     const secret2 = Secret.fromSecretArn(stackB, 'secret2', secret1.secretArn);
         |                            ^
      11 |     expect(secret2.secretArn).toEqual(secret1.secretArn);
      12 |   });
      13 | });

      at parseSecretName (node_modules/@aws-cdk/aws-secretsmanager/lib/secret.ts:605:9)
      at new Import (node_modules/@aws-cdk/aws-secretsmanager/lib/secret.ts:282:36)
      at Function.fromSecretAttributes (node_modules/@aws-cdk/aws-secretsmanager/lib/secret.ts:286:12)
      at Function.fromSecretArn (node_modules/@aws-cdk/aws-secretsmanager/lib/secret.ts:245:19)
      at Object.<anonymous> (test/secret.fromSecretArn.test.ts:10:28)

Test Suites: 1 failed, 1 total
Tests:       1 failed, 1 total
Snapshots:   0 total
Time:        8.394 s

Whoops! So sorry for the breakage! Thanks for the bug report, repo steps and example test!

I've posted #10568 to fix the issue.
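
The failure mode reported in this thread, as an added example that is not the CDK's code and not the change in #10568: a strict secret-ARN parser next to a token-aware one that defers validation for values that only become concrete at deploy time. `isUnresolved`, `strictResourceName` and `parseSecretArn` are hypothetical names; `isUnresolved` is a constructed stand-in for `Token.isUnresolved()` so the block runs without the CDK, and the account ID and secret name are constructed sample values.

```typescript
// CDK encodes a deferred string as a placeholder such as ${Token[TOKEN.42]}.
// Constructed stand-in for Token.isUnresolved() from @aws-cdk/core.
const TOKEN_MARKER = /\$\{Token\[[^\]]*\]\}/;

function isUnresolved(value: string): boolean {
  return TOKEN_MARKER.test(value);
}

interface ParsedSecretArn {
  deferred: boolean;      // true when the ARN is only known at deploy time
  resourceName?: string;  // set only for concrete ARNs
}

// Strict parse: expects arn:<partition>:secretsmanager:<region>:<account>:secret:<name>.
// In this model a placeholder has no ':'-separated fields, so it is rejected
// with the same message the issue reports.
function strictResourceName(secretArn: string): string {
  const parts = secretArn.split(':');
  const wellFormed =
    parts.length === 7 &&
    parts[0] === 'arn' &&
    parts[2] === 'secretsmanager' &&
    parts[5] === 'secret' &&
    parts[6] !== '';
  if (!wellFormed) {
    throw new Error('invalid ARN format; no secret name provided');
  }
  return parts[6];
}

// Token-aware parse: validate concrete values eagerly, but do not inspect
// a placeholder whose real value does not exist yet.
function parseSecretArn(secretArn: string): ParsedSecretArn {
  if (isUnresolved(secretArn)) {
    return { deferred: true };
  }
  return { deferred: false, resourceName: strictResourceName(secretArn) };
}

// Constructed sample inputs.
const SAMPLE_TOKEN_ARN = '${Token[TOKEN.42]}';
const SAMPLE_CONCRETE_ARN =
  'arn:aws:secretsmanager:eu-west-1:111122223333:secret:MySecret-a1b2c3';
```

Concrete ARNs that are malformed still fail at synth time in this model; only placeholders skip the check.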
