in lib/code-signing/private-key.ts [176:209]
/**
 * Allows `grantee` to read this secret's value.
 *
 * Reading a secret that is encrypted with a customer-managed KMS key needs two
 * permissions: `secretsmanager:GetSecretValue` on the secret, and `kms:Decrypt`
 * on the key — the latter both in the principal's own (identity) policy and in
 * the key's resource policy. Both `kms:Decrypt` statements are conditioned on
 * the call arriving via Secrets Manager in this stack's region and on the
 * encryption context naming this secret, so the principal cannot reuse the key
 * to decrypt unrelated ciphertext.
 *
 * @param grantee - principal that should be able to call GetSecretValue.
 */
public grantGetSecretValue(grantee: iam.IPrincipal): void {
  grantee.addToPolicy(new iam.PolicyStatement({
    actions: ['secretsmanager:GetSecretValue'],
    resources: [this.secretArn],
  }));

  const key = this.masterKey;
  if (!key) {
    // No customer-managed key configured, so there is no key policy to extend.
    return;
  }

  // Decrypt is only permitted when Secrets Manager in this region makes the call.
  const viaService = `secretsmanager.${Stack.of(this).region}.amazonaws.com`;

  // Key (resource) policy side. In a KMS key policy the resource is the key
  // itself, spelled '*'. The encryption-context condition limits the principal
  // to ciphertext that belongs to this secret; ArnLike is used with
  // `secretArnLike` — presumably a wildcard form of the ARN, verify against its
  // definition elsewhere in the class.
  key.addToResourcePolicy(new iam.PolicyStatement({
    actions: ['kms:Decrypt'],
    resources: ['*'],
    principals: [grantee.grantPrincipal],
    conditions: {
      StringEquals: { 'kms:ViaService': viaService },
      ArnLike: { 'kms:EncryptionContext:SecretARN': this.secretArnLike },
    },
  }));

  // Identity policy side: the same Decrypt permission on the principal, pinned
  // to this key's ARN and to the exact secret ARN.
  grantee.addToPolicy(new iam.PolicyStatement({
    actions: ['kms:Decrypt'],
    resources: [key.keyArn],
    conditions: {
      StringEquals: { 'kms:ViaService': viaService },
      ArnEquals: { 'kms:EncryptionContext:SecretARN': this.secretArn },
    },
  }));
}