
AWS Secrets Manager component fails to get secret with fine-grained policy after 1.13. #3516

Closed
rochabr opened this issue Aug 29, 2024 · 1 comment
Labels: kind/bug Something isn't working

rochabr commented Aug 29, 2024

In what area(s)?

/area runtime

What version of Dapr?

1.13.0+

Expected Behavior

The AWS Secrets Manager component should work with fine-grained authorization policies that allow for reading only a specific secret. This behaviour was present on Dapr 1.12.

Policy example:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "<SECRET_ARN>"
        }
    ]
}
```

Actual Behavior

Starting on Dapr 1.13, the policy above won't work anymore, requiring a "Resource": "*" to function correctly. This removes the fine-grained security control and fails in regression testing.

Steps to Reproduce the Problem

  • On Dapr 1.13+
  • Create an AWS Secrets Manager resource
  • Create a new secret
  • Create a policy with the information above, setting the resource to the secret ARN.
  • Create a new AWS Secrets Manager component in Dapr
  • Try to read the secret
  • See error:

```text
FATA[0000] Fatal error from runtime: process component awssecretmanager error: [INIT_COMPONENT_FAILURE]: initialization error occurred for awssecretmanager (secretstores.aws.secretmanager/v1): [INIT_COMPONENT_FAILURE]: initialization error occurred for awssecretmanager (secretstores.aws.secretmanager/v1): error validating access to the aws.secretmanager secret store: AccessDeniedException: User: is not authorized to perform: secretsmanager:GetSecretValue on resource:  because no identity-based policy allows the secretsmanager:GetSecretValue action
	status code: 400, request id:  app_id=go-secret instance=diagrid.local scope=dapr.runtime type=log ver=1.14.1
❌  The daprd process exited with error code: exit status 1
```

Release Note

RELEASE NOTE:

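The error above is denied on a blank resource, which the ARN-scoped policy cannot match. As an added illustration that is not Dapr's or AWS's code, the toy identity-policy evaluator below shows why: the fine-grained policy allows `GetSecretValue` only on the exact secret ARN, so an init-time probe against any other or empty resource fails, while `"Resource": "*"` allows everything. The ARN, both policy documents and the `startup_check` behaviour are constructed assumptions for this example.

```python
import fnmatch
import json

# Constructed sample ARN and policies (not from the report's account); the
# first mirrors the fine-grained policy above, the second the "*" workaround.
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:app/db-AbCdEf"
GET_SECRET = "secretsmanager:GetSecretValue"

FINE_GRAINED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow",
                   "Action": GET_SECRET, "Resource": SECRET_ARN}],
})
WILDCARD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": GET_SECRET, "Resource": "*"}],
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy_json: str, action: str, resource: str) -> bool:
    """Toy identity-policy evaluation: an explicit Deny wins, any matching
    Allow grants, nothing matching is an implicit deny. IAM's '*' and '?'
    wildcards in Action/Resource are approximated with fnmatch."""
    allowed = False
    for stmt in json.loads(policy_json)["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action, a)
                         for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(fnmatch.fnmatchcase(resource, r)
                           for r in _as_list(stmt.get("Resource", [])))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def startup_check(policy_json: str, probe_resource: str) -> str:
    """Models an assumed init-time access check (not Dapr's actual code) that
    calls GetSecretValue on probe_resource; the failure text follows the
    shape of the AccessDeniedException quoted in the report."""
    if is_allowed(policy_json, GET_SECRET, probe_resource):
        return "ok"
    return (f"AccessDeniedException: not authorized to perform: {GET_SECRET} "
            f"on resource: {probe_resource} because no identity-based policy "
            f"allows the {GET_SECRET} action")
```

With the scoped policy, `startup_check(FINE_GRAINED_POLICY, SECRET_ARN)` returns `"ok"` but a probe on `""` returns the denial; with the wildcard policy both succeed, which is the least-privilege loss the report describes.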
@rochabr rochabr added the kind/bug Something isn't working label Aug 29, 2024
@artursouza artursouza transferred this issue from dapr/dapr Aug 29, 2024
@artursouza artursouza modified the milestone: v1.14 Aug 29, 2024
@elena-kolevska (Contributor) commented

This was fixed and backported into the 1.13 and 1.14 release branches. It will be released with the next patch version.
The issue can now be closed.

@rochabr rochabr closed this as completed Oct 4, 2024