Add configurable role access to credential flow secrets

app.py

@@ -104,6 +104,8 @@
         oidc_thumbprint,
     )
 
+
+
 # Programmatic Clients
 stack.add_programmatic_client("veda-sdk")
 

config.py

@@ -1,5 +1,5 @@
 from getpass import getuser
-from typing import Optional
+from typing import Optional, Sequence
 
 import pydantic
 
@@ -39,3 +39,8 @@ class Config(pydantic.BaseSettings):
         None,
         description="Thumbprint of OIDC provider to use for CI workers.",
     )
+
+    secret_role_access: Sequence[str] = pydantic.Field(
+        [],
+        description="Optional list of role ARNs with access to credential flow secrets"
+    )

infra/stack.py

@@ -186,6 +186,7 @@ def _create_secret(
         self,
         service_id: str,
         secret_dict: Dict[Any, Any],
+        secret_role_access: Sequence[str] = []  # list of roles with access to get secret value
     ):
         """
         Create a secret to represent service credentials.
@@ -203,6 +204,10 @@ def _create_secret(
             # CloudFormation template.
             secret_string_value=SecretValue.unsafe_plain_text(json.dumps(secret_dict)),
         )
+
+        for role_arn in secret_role_access:
+            role = iam.Role.from_role_arn(self, f"ImportedRole{role_arn.split(':')[-1]}", role_arn)
+            secret.grant_read(role)
 
         CfnOutput(
             self,
@@ -296,6 +301,7 @@ def add_programmatic_client(
         self,
         service_id: str,
         name: Optional[str] = None,
+        secret_role_access: Optional[str] = []  # Optional role arns with access to auth flow secret
     ) -> cognito.UserPoolClient:
 
         client = self.userpool.add_client(
@@ -313,6 +319,7 @@ def add_programmatic_client(
                 "cognito_domain": self.domain.base_url(),
                 "client_id": client.user_pool_client_id,
             },
+            secret_role_access,
         )
 
         return client