From 4326f245e0d89f6ec250334a74a254fbfb742ee1 Mon Sep 17 00:00:00 2001
From: Adam Ruka
Date: Thu, 2 Jul 2020 02:20:49 -0700
Subject: [PATCH] fix(codebuild): project didn't have permissions to retrieve secret of image with credentials (#8845)

For build images that used credentials, the role of the project wasn't granted permissions to read the secret from SecretsManager, which meant the build would always fail executing in the 'Provisioning' phase.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---
.../@aws-cdk/aws-codebuild/lib/project.ts | 3 +++
.../integ.docker-registry.lit.expected.json | 25 ++++++++++++++++++-
2 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/packages/@aws-cdk/aws-codebuild/lib/project.ts b/packages/@aws-cdk/aws-codebuild/lib/project.ts
index 985177e86d8eb..d4f349431b544 100644
--- a/packages/@aws-cdk/aws-codebuild/lib/project.ts
+++ b/packages/@aws-cdk/aws-codebuild/lib/project.ts
@@ -940,6 +940,9 @@ export class Project extends ProjectBase {
 this.buildImage.repository.addToResourcePolicy(statement);
 }
 }
+ if (imagePullPrincipalType === ImagePullPrincipalType.SERVICE_ROLE) {
+ this.buildImage.secretsManagerCredentials?.grantRead(this);
+ }
 
 return {
 type: this.buildImage.type,
diff --git a/packages/@aws-cdk/aws-codebuild/test/integ.docker-registry.lit.expected.json b/packages/@aws-cdk/aws-codebuild/test/integ.docker-registry.lit.expected.json
index 9ece692d80671..efaee26898636 100644
--- a/packages/@aws-cdk/aws-codebuild/test/integ.docker-registry.lit.expected.json
+++ b/packages/@aws-cdk/aws-codebuild/test/integ.docker-registry.lit.expected.json
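Review bot: The new `if` block grants the project role read access to the image's Secrets Manager credentials but does not say why the grant is gated on `SERVICE_ROLE`, which is the one non-obvious part of the change; a short why-comment above it such as `// CodeBuild only uses the project's service role to fetch registry credentials from Secrets Manager, so the read grant is only needed for SERVICE_ROLE image pulls` would keep the next maintainer from widening it to the other pull type. The condition itself is consistent with the description, and the optional chaining correctly makes the grant a no-op for images without credentials. Separately, the updated expected output shows the grant resolving to `arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:my-secrets-123456` with no `-??????` suffix pattern; if that secret is imported by name rather than by its full ARN, the statement may not match the real secret ARN, which carries a random suffix, so it is worth confirming against the importing code, which is outside this diff. The enclosing method begins and ends outside the hunk.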
@@ -22,6 +22,29 @@
 "Properties": {
 "PolicyDocument": {
 "Statement": [
+ {
+ "Action": [
+ "secretsmanager:GetSecretValue",
+ "secretsmanager:DescribeSecret"
+ ],
+ "Effect": "Allow",
+ "Resource": {
+ "Fn::Join": [
+ "",
+ [
+ "arn:aws:secretsmanager:",
+ {
+ "Ref": "AWS::Region"
+ },
+ ":",
+ {
+ "Ref": "AWS::AccountId"
+ },
+ ":secret:my-secrets-123456"
+ ]
+ ]
+ }
+ },
 {
 "Action": [
 "logs:CreateLogGroup",
@@ -135,4 +158,4 @@
 }
 }
 }
-}
\ No newline at end of file
+}