
[AWS::SecretsManager::Secret] - [BUG] - Unintended password update on SecretStringTemplate update #2210

Open
yvele opened this issue Dec 10, 2024 · 0 comments

yvele commented Dec 10, 2024

Name of the resource

AWS::SecretsManager::Secret

Resource Name

No response

Issue Description

When updating an AWS Secrets Manager secret with a change to the SecretStringTemplate property, the password (secret string value) is unexpectedly regenerated. This behavior seems unintended because the change is unrelated to the existing password (secret string) generation parameters.

Expected Behavior

The password (secret string) should only be regenerated when parameters directly tied to secret generation are modified, e.g. ExcludeCharacters, IncludeSpace, PasswordLength, GenerateStringKey, etc.

Updates to SecretStringTemplate that do not affect the generation logic should leave the existing password (secret string) unchanged.

Observed Behavior

A new password (secret string) is generated even when making an unrelated update to SecretStringTemplate, such as adding a new JSON key-value pair, without modifying any password (secret string) generation parameters.

Test Cases

1. Create the secret using:

```yaml
Secret:
  Type: AWS::SecretsManager::Secret
  Properties:
    Name: MySecret
    Description: My little secret
    GenerateSecretString:
      PasswordLength: 20
      ExcludeCharacters: '"@/\'
      GenerateStringKey: password
      SecretStringTemplate: !Sub |
        {
          "username" : "yves"
        }
```

2. Now add a new property to the secret, without touching the password:

```diff
 Secret:
   Type: AWS::SecretsManager::Secret
   Properties:
     Name: MySecret
     Description: My little secret
     GenerateSecretString:
       PasswordLength: 20
       ExcludeCharacters: '"@/\'
       GenerateStringKey: password
       SecretStringTemplate: !Sub |
         {
           "username" : "yves",
+          "meta" : "data"
         }
```

A new secret version is created as expected, but a new password value has been generated!

Other Details

My personal use case is to add metadata to an existing secret without altering the password life cycle.

@yvele yvele added the bug label Dec 10, 2024
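The following is an added example, not code from the issue or from the CloudFormation project, showing how a stack owner can audit for the behaviour reported above: it classifies a change to a `GenerateSecretString` block as touching generation parameters or only `SecretStringTemplate`, and compares the generated key between two secret versions to flag a template-only update that nevertheless rotated the password. The property names are those of the `AWS::SecretsManager::Secret` resource; the two version payloads and the placeholder password values are constructed for the example, and the function names (`classify_update`, `password_changed`, `audit`) are this example's own.

```python
import json

# GenerateSecretString sub-properties that actually drive password generation
# (from the AWS::SecretsManager::Secret resource schema). SecretStringTemplate
# is deliberately NOT in this set: it only supplies the surrounding JSON.
GENERATION_PARAMS = frozenset({
    "ExcludeCharacters", "ExcludeLowercase", "ExcludeNumbers",
    "ExcludePunctuation", "ExcludeUppercase", "GenerateStringKey",
    "IncludeSpace", "PasswordLength", "RequireEachIncludedType",
})


def classify_update(old_props: dict, new_props: dict) -> str:
    """Classify a change to the GenerateSecretString block of a secret.

    Returns:
      "none"          - the block is identical
      "template-only" - only SecretStringTemplate differs (password should survive)
      "generation"    - a generation parameter differs (regeneration is expected)
    """
    old_gen = old_props.get("GenerateSecretString", {})
    new_gen = new_props.get("GenerateSecretString", {})
    if any(old_gen.get(k) != new_gen.get(k) for k in GENERATION_PARAMS):
        return "generation"
    if old_gen.get("SecretStringTemplate") != new_gen.get("SecretStringTemplate"):
        return "template-only"
    return "none"


def password_changed(previous_secret_string: str, current_secret_string: str, key: str) -> bool:
    """Compare the generated value under `key` (the GenerateStringKey) between two
    SecretString payloads, e.g. the AWSPREVIOUS and AWSCURRENT version stages."""
    prev = json.loads(previous_secret_string)
    cur = json.loads(current_secret_string)
    return prev.get(key) != cur.get(key)


def other_keys_changed(previous_secret_string: str, current_secret_string: str, key: str) -> set:
    """Return the non-password keys whose value was added, removed or changed."""
    prev = json.loads(previous_secret_string)
    cur = json.loads(current_secret_string)
    keys = (set(prev) | set(cur)) - {key}
    return {k for k in keys if prev.get(k) != cur.get(k)}


def audit(old_props: dict, new_props: dict,
          previous_secret_string: str, current_secret_string: str) -> dict:
    """Combine the template classification with the observed version diff and
    flag the case described in the issue: a template-only change that still
    produced a new password value."""
    key = new_props["GenerateSecretString"].get("GenerateStringKey", "password")
    kind = classify_update(old_props, new_props)
    rotated = password_changed(previous_secret_string, current_secret_string, key)
    return {
        "update_kind": kind,
        "password_rotated": rotated,
        "unintended_rotation": kind == "template-only" and rotated,
        "other_keys_changed": sorted(other_keys_changed(previous_secret_string,
                                                        current_secret_string, key)),
    }


# Constructed sample input mirroring the two templates in the issue
# (the !Sub block scalar is represented as its resulting string).
OLD_PROPS = {
    "GenerateSecretString": {
        "PasswordLength": 20,
        "ExcludeCharacters": '"@/\\',
        "GenerateStringKey": "password",
        "SecretStringTemplate": '{\n  "username" : "yves"\n}\n',
    }
}
NEW_PROPS = {
    "GenerateSecretString": {
        "PasswordLength": 20,
        "ExcludeCharacters": '"@/\\',
        "GenerateStringKey": "password",
        "SecretStringTemplate": '{\n  "username" : "yves",\n  "meta" : "data"\n}\n',
    }
}

# Constructed version payloads; the password values are placeholders, not real secrets.
PREVIOUS_VERSION = '{"username": "yves", "password": "PLACEHOLDER-old-value"}'
CURRENT_VERSION = '{"username": "yves", "meta": "data", "password": "PLACEHOLDER-new-value"}'


if __name__ == "__main__":
    # Reproduces the report: template-only update, yet the password value differs.
    print(json.dumps(audit(OLD_PROPS, NEW_PROPS, PREVIOUS_VERSION, CURRENT_VERSION), indent=2))
```

Against a live account the two payloads would come from `aws secretsmanager get-secret-value --secret-id MySecret --version-stage AWSPREVIOUS` and the same call with `AWSCURRENT`, run after the stack update; the comparison only needs the JSON key named by `GenerateStringKey`, so the password values themselves never need to be logged.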