Redshift: Connection Type Database Username+Password attempts to use secretsmanager #5823

Open
jkdll opened this issue Oct 21, 2024 · 0 comments
Labels
bug We can reproduce the issue and confirmed it is a bug. service:redshift

Comments


jkdll commented Oct 21, 2024

Problem

We are using the extension with a user role which has an explicit deny for all secretsmanager actions. When using the "Database user name and password" connection type, the plugin attempts to perform secretsmanager:TagResource.

Based on the documentation here, this connection option should not use Secrets Manager; however, it seems some permissions are required, particularly to "tag resource".

Steps to reproduce the issue

  1. Configure with profile
  2. Browse to Region > Redshift > Find Redshift Database
  3. Click "click to connect"
  4. Select "Database user name and password" as connection type
  5. Enter Username
  6. Enter Password
  7. Enter Database Name

Results in error:

2024-10-21 17:50:55.175 [error] Redshift: Error creating secret in AWS Secrets Manager - User: arn:aws:***::************:assumed-role/************/***** is not authorized to perform: secretsmanager:TagResource on resource: *******-********* because no identity-based policy allows the secretsmanager:TagResource action
at constructor.b (c:\Users\*****\.vscode\extensions\amazonwebservices.aws-toolkit-vscode-3.29.0\dist\src\extensionNode.js:114:8125)
  	at constructor.callListeners (c:\Users\*****\.vscode\extensions\amazonwebservices.aws-toolkit-vscode-3.29.0\dist\src\extensionNode.js:115:21199)
  	at constructor.emit (c:\Users\*****\.vscode\extensions\amazonwebservices.aws-toolkit-vscode-3.29.0\dist\src\extensionNode.js:115:20908)
  	at constructor.emitEvent (c:\Users\*****\.vscode\extensions\amazonwebservices.aws-toolkit-vscode-3.29.0\dist\src\extensionNode.js:115:6772)
  	at constructor.y (c:\Users\*****\.vscode\extensions\amazonwebservices.aws-toolkit-vscode-3.29.0\dist\src\extensionNode.js:115:2358)
  	at a.runTo (c:\Users\*****\.vscode\extensions\amazonwebservices.aws-toolkit-vscode-3.29.0\dist\src\extensionNode.js:129:1766)
  	at c:\Users\*****\.vscode\extensions\amazonwebservices.aws-toolkit-vscode-3.29.0\dist\src\extensionNode.js:129:1978
  	at constructor.<anonymous> (c:\Users\*****\.vscode\extensions\amazonwebservices.aws-toolkit-vscode-3.29.0\dist\src\extensionNode.js:115:2569)
  	at constructor.<anonymous> (c:\Users\*****\.vscode\extensions\amazonwebservices.aws-toolkit-vscode-3.29.0\dist\src\extensionNode.js:115:6827)
  	at constructor.callListeners (c:\Users\*****\.vscode\extensions\amazonwebservices.aws-toolkit-vscode-3.29.0\dist\src\extensionNode.js:115:21303)
  	at constructor.emit (c:\Users\*****\.vscode\extensions\amazonwebservices.aws-toolkit-vscode-3.29.0\dist\src\extensionNode.js:115:20908)
  	at constructor.emitEvent (c:\Users\*****\.vscode\extensions\amazonwebservices.aws-toolkit-vscode-3.29.0\dist\src\extensionNode.js:115:6772)
  	at constructor.y (c:\Users\*****\.vscode\extensions\amazonwebservices.aws-toolkit-vscode-3.29.0\dist\src\extensionNode.js:115:2358)
  	at a.runTo (c:\Users\*****\.vscode\extensions\amazonwebservices.aws-toolkit-vscode-3.29.0\dist\src\extensionNode.js:129:1766)
  	at c:\Users\*****\.vscode\extensions\amazonwebservices.aws-toolkit-vscode-3.29.0\dist\src\extensionNode.js:129:1978
  	at constructor.<anonymous> (c:\Users\*****\.vscode\extensions\amazonwebservices.aws-toolkit-vscode-3.29.0\dist\src\extensionNode.js:115:2569)
  	at constructor.<anonymous> (c:\Users\*****\.vscode\extensions\amazonwebservices.aws-toolkit-vscode-3.29.0\dist\src\extensionNode.js:115:6827)
  	at constructor.callListeners (c:\Users\*****\.vscode\extensions\amazonwebservices.aws-toolkit-vscode-3.29.0\dist\src\extensionNode.js:115:21303)
  	at y (c:\Users\*****\.vscode\extensions\amazonwebservices.aws-toolkit-vscode-3.29.0\dist\src\extensionNode.js:115:21084)
  	at IncomingMessage.<anonymous> (c:\Users\*****\.vscode\extensions\amazonwebservices.aws-toolkit-vscode-3.29.0\dist\src\extensionNode.js:108:41740)
  	at IncomingMessage.emit (node:events:531:35)
  	at IncomingMessage.emit (node:domain:488:12)
  	at endReadableNT (node:internal/streams/readable:1696:12)
  	at process.processTicksAndRejections (node:internal/process/task_queues:82:21)] {
    code: 'AccessDeniedException',
    '[__type]': 'See error.__type for details.',
    '[Message]': 'See error.Message for details.',
    time: 2024-10-21T15:50:55.173Z,
    requestId: '***************',
    statusCode: 400,
    retryable: false,
    retryDelay: 60.28131615339007
  }
}

Expected behavior

A connection should be created using the database username and password, without using anything on secrets manager.

System details (run AWS: About and/or Amazon Q: About)

  • OS: Windows_NT x64 10.0.22631
  • Visual Studio Code version: 12.4.254.20-electron.0
  • AWS Toolkit version: 3.29.0
  • Amazon Q version: 1.30.0
jkdll added the bug label on Oct 21, 2024
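An added example, not code from the issue reporter or the AWS Toolkit: a simplified IAM action evaluator (resource and condition matching are ignored) that shows why the role described in this report is refused secretsmanager:TagResource, and why an explicit deny cannot be fixed by adding an allow. ROLE_POLICY and OBSERVED_ACTIONS are constructed samples, not the reporter's actual policy.

```python
import fnmatch
from typing import Iterable

# Constructed sample policy (not the reporter's real one): Redshift actions
# allowed, every secretsmanager action explicitly denied.
ROLE_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["redshift:DescribeClusters", "redshift:GetClusterCredentials"]},
        {"Effect": "Deny", "Resource": "*", "Action": "secretsmanager:*"},
    ]
}

# Actions the toolkit was observed to attempt for the username/password
# connection type, per the AccessDeniedException quoted in the report.
OBSERVED_ACTIONS = ["redshift:DescribeClusters", "secretsmanager:TagResource"]


def _matches(pattern: str, action: str) -> bool:
    # IAM action patterns are case-insensitive and use * and ? wildcards,
    # which fnmatch handles the same way.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate(policy: dict, action: str) -> str:
    """Simplified IAM decision for one action: an explicit Deny always wins,
    any matching Allow yields Allow, no matching statement is an implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if any(_matches(p, action) for p in actions):
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # no later Allow can override this
            decision = "Allow"
    return decision


def denied_actions(policy: dict, actions: Iterable[str]) -> list:
    """Actions this principal would be refused, i.e. the calls that surface
    as AccessDeniedException when the toolkit makes them at runtime."""
    return [a for a in actions if evaluate(policy, a) != "Allow"]


if __name__ == "__main__":
    for a in OBSERVED_ACTIONS:
        print(f"{a}: {evaluate(ROLE_POLICY, a)}")
    print("would fail:", denied_actions(ROLE_POLICY, OBSERVED_ACTIONS))
```

Running it against the sample policy reports secretsmanager:TagResource as the one action that fails, which matches the error in the report; the only fixes are removing the deny or having the toolkit not call Secrets Manager for this connection type.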