in lib/open-pgp-key-pair.ts [166:201]
resourceVersion: hashFileOrDirectory(codeLocation),
identity: props.identity,
email: props.email,
expiry: props.expiry,
keySizeBits: props.keySizeBits,
secretName: props.secretName,
keyArn: props.encryptionKey && props.encryptionKey.keyArn,
version: props.version,
description: props.description,
deleteImmediately: props.removalPolicy === OpenPGPKeyPairRemovalPolicy.DESTROY_IMMEDIATELY,
},
removalPolicy: openPgpKeyPairRemovalPolicyToCoreRemovalPolicy(props.removalPolicy),
});
secret.node.addDependency(fn);
this.credential = secretsManager.Secret.fromSecretAttributes(this, 'Credential', {
encryptionKey: props.encryptionKey,
secretArn: secret.getAtt('SecretArn').toString(),
});
this.principal = new ssm.StringParameter(this, 'Principal', {
description: `The public part of the OpenPGP key in ${this.credential.secretArn}`,
parameterName: props.pubKeyParameterName,
stringValue: secret.getAtt('PublicKey').toString(),
});
}
public grantRead(grantee: iam.IPrincipal): void {
// Secret grant, identity-based only
grantee.addToPolicy(new iam.PolicyStatement({
resources: [this.credential.secretArn],
actions: ['secretsmanager:ListSecrets', 'secretsmanager:DescribeSecret', 'secretsmanager:GetSecretValue'],
}));
// Key grant
if (this.credential.encryptionKey) {
grantee.addToPolicy(new iam.PolicyStatement({