Skip to content

feat: grant decrypt permissions for encrypted secrets passed to apiKeySecret #525

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
samchungy wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat: grant decrypt permissions for encrypted secrets passed to apiKeySecret #525

samchungy wants to merge 1 commit into from
+48 −1

Conversation

@samchungy
Copy link
Contributor

@samchungy samchungy commented Jan 16, 2026
edited
Loading

What does this PR do?

Resolves #249

Grants permissions to the Lambda to decrypt the KMS key in order to access a secret.

Motivation

We couldn't figure out why our Lambda could not hit DataDog and discovered it was because of the lacking permission.

Testing Guidelines

Locally + Unit Tests

Additional Notes

Could be a fix, could be a feature. I don't mind really.

Types of Changes

  • Bug fix
  • New feature
  • Breaking change
  • Misc (docs, refactoring, dependency upgrade, etc.)

Check all that apply

  • This PR's description is comprehensive
  • This PR contains breaking changes that are documented in the description
  • This PR introduces new APIs or parameters that are documented and unlikely to change in the foreseeable future
  • This PR impacts documentation, and it has been updated (or a ticket has been logged)
  • This PR's changes are covered by the automated tests
  • This PR collects user input/sensitive content into Datadog

@samchungy samchungy marked this pull request as ready for review January 16, 2026 04:59
@samchungy samchungy requested a review from a team as a code owner January 16, 2026 04:59
@samchungy samchungy requested a review from nina9753 January 16, 2026 04:59
@samchungy samchungy closed this Jan 16, 2026
@samchungy samchungy reopened this Jan 16, 2026
@samchungy samchungy changed the title feat: grant decrypt permissions for encryption secrets passed to apiKeySecret feat: grant decrypt permissions for encrypted secrets passed to apiKeySecret Jan 16, 2026
samchungy
samchungy commented Jan 16, 2026
View reviewed changes
test/datadog-lambda.spec.ts
const CUSTOM_EXTENSION_LAYER_ARN = "arn:aws:lambda:us-east-1:123456789:layer:Datadog-Extension-custom:1";
const NODE_LAYER_VERSION = 91;
const REPO_REGEX = /git\.repository_url:.*\/DataDog\/datadog-cdk-constructs(\.git)?/;
const REPO_REGEX = /git\.repository_url:.*\/[^/]+\/datadog-cdk-constructs(\.git)?/;
Copy link
Contributor Author

@samchungy samchungy Jan 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was causing my fork PR to fail. I've changed it so people can fork and still have their tests work? Unless you don't want forks?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nina9753 nina9753 nina9753 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Passing ISecret for DD Construct (V2) should allow for passing KMS key

2 participants

@samchungy @nina9753