Fix Google OAuth: explicit IAM policy + strip OIDC scopes from credentials

This commit is contained in:
daniel
2026-05-08 16:57:40 -05:00
parent d68ddab8a2
commit 9b56aa83df
11 changed files with 288 additions and 36 deletions


@@ -251,6 +251,12 @@ export class AgentClawStack extends cdk.Stack {
googleOAuthClientSecret.grantRead(oauthHandlerFn);
botTokenSecret.grantRead(oauthHandlerFn);
usersTable.grantReadWriteData(oauthHandlerFn);
// Explicit access to the OAuth client secret (fromSecretNameV2 wildcard may not resolve)
oauthHandlerFn.addToRolePolicy(new iam.PolicyStatement({
sid: 'GoogleOAuthClientSecretExact',
actions: ['secretsmanager:GetSecretValue'],
resources: ['arn:aws:secretsmanager:us-east-1:495395224548:secret:agent-claw/google-oauth-client-subXHl'],
}));
// Grant OAuth handler write access to per-user credential secrets
oauthHandlerFn.addToRolePolicy(new iam.PolicyStatement({
sid: 'PerUserGoogleCredentialsWrite',
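Review bot: The `resources:` entry of the new `GoogleOAuthClientSecretExact` statement hardcodes the partition, region, account id and the generated secret suffix, so a deploy to another account or region, or a recreated secret with a new suffix, leaves an exact-match statement that silently matches nothing while the account id sits in version control. Since this is inside `AgentClawStack extends cdk.Stack`, at least the environment parts should come from the stack, e.g. `` resources: [`arn:${this.partition}:secretsmanager:${this.region}:${this.account}:secret:agent-claw/google-oauth-client-subXHl`], ``, assuming the surrounding code runs with `this` bound to the stack (the enclosing method starts and ends outside the hunk). A cleaner fix for the "wildcard may not resolve" comment is to import `googleOAuthClientSecret` with `secretsmanager.Secret.fromSecretCompleteArn(...)` (or `fromSecretAttributes` with `secretCompleteArn`), after which `grantRead` on line 13 already emits the exact ARN and this duplicate statement can be dropped. If the statement stays, the comment should say which of the two grants is authoritative so a later reader does not remove the wrong one.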