feat(secretsmanager): add BatchGetSecretValue permission to Secret.grantRead() #35355
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
aws-cdk-automation
requested changes
Aug 28, 2025
There was a problem hiding this comment.
The pull request linter fails with the following errors:
❌ Features must contain a change to a README file.
❌ Features must contain a change to an integration test file and the resulting snapshot.
If you believe this pull request should receive an exemption, please comment and provide a justification. A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed, add Clarification Request to a comment.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
WIP
Issue # (if applicable)
Closes #31566.
Reason for this change
The
Secret.grantRead()method was missing thesecretsmanager:BatchGetSecretValuepermission, preventing developers from using the AWS SDK'sBatchGetSecretValueCommandwithout manually configuring additional IAM permissions. This created an inconsistent developer experience where batch operations required extra IAM setup beyond the standard CDK grant methods.Description of changes
Enhanced the
Secret.grantRead()method to includesecretsmanager:BatchGetSecretValuepermission alongside the existingGetSecretValueandDescribeSecretpermissions. This change:'secretsmanager:BatchGetSecretValue'to the actions array in thegrantRead()methodDescribe any new or updated permissions being added
IAM permissions: Added
secretsmanager:BatchGetSecretValuepermission to IAM policies generated bySecret.grantRead()method.Resource access: The new permission uses the same resource scoping as existing permissions (secret ARN with proper wildcards for version stages). No additional resource access patterns are introduced.
Description of how you validated changes
grantReadtest cases to verifysecretsmanager:BatchGetSecretValueis included in generated IAM policies. All tests pass with the enhanced permission set.Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license