WIP

api/dependencies/requirements.txt

@@ -1,4 +1,4 @@
-aws-lambda-powertools[tracer,parser]==3.4.1
+aws-lambda-powertools[tracer,parser]==3.5.0
 cryptography==43.0.3
 hpke==0.3.2
 pksuid==1.1.2

api/requirements-dev.txt

@@ -1,3 +1,3 @@
 black==24.10.0
-aws-lambda-powertools[all,aws-sdk]==3.4.1
+aws-lambda-powertools[all,aws-sdk]==3.5.0
 boto3-stubs[dynamodb,kms]

canary/dependencies/requirements.txt

@@ -1 +1 @@
-aws-lambda-powertools==3.4.1
+aws-lambda-powertools==3.5.0

canary/requirements-dev.txt

@@ -1,3 +1,3 @@
 black==24.10.0
-aws-lambda-powertools[all,aws-sdk]==3.4.1
+aws-lambda-powertools[all,aws-sdk]==3.5.0
 boto3-stubs[dynamodb,kms]

ci_template.yml

@@ -913,12 +913,6 @@ Resources:
               - Effect: Allow
                 Action: "s3:ListBucket"  # required for Lambda code signing
                 Resource: !GetAtt rArtifactBucket.Arn
-              - Effect: Allow
-                Action: "secretsmanager:GetSecretValue"
-                Resource: !Ref rSigningSecret
-              - Effect: Allow
-                Action: "secretsmanager:PutSecretValue"
-                Resource: !Ref rMeasurementSecret
               - Effect: Allow
                 Action: "signer:StartSigningJob"
                 Resource: !Ref rSigningProfile
@@ -937,6 +931,28 @@ Resources:
         - Key: "dp:exclude:network"
           Value: "true"
 
+  rSecretsManagerPolicy:
+    Type: "AWS::IAM::Policy"
+    Properties:
+      PolicyName: SecretsManager
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: Allow
+            Action: "secretsmanager:GetSecretValue"
+            Resource: !Ref rSigningSecret
+            Condition:
+              ArnEquals:
+                "codebuild:projectArn": !GetAtt rVaultCodeBuildProject.Arn
+          - Effect: Allow
+            Action: "secretsmanager:PutSecretValue"
+            Resource: !Ref rMeasurementSecret
+            Condition:
+              ArnEquals:
+                "codebuild:projectArn": !GetAtt rVaultCodeBuildProject.Arn
+      Roles:
+        - !Ref rCodeBuildRole
+
   rCloudWatchLogsPolicy:
     Type: "AWS::IAM::Policy"
     Properties:

enclave/Cargo.toml

@@ -20,7 +20,7 @@ cel-interpreter = { version = "=0.9.0", default-features = false, features = ["j
 chrono = { version = "=0.4.39", default-features = false, features = ["now"] }
 data-encoding = { version = "=2.7.0", default-features = false, features = ["alloc"] }
 serde = { version = "=1.0.217", default-features = false, features = ["derive"] }
-serde_json = { version = "=1.0.137", default-features = false }
+serde_json = { version = "=1.0.138", default-features = false }
 rustls = { version = "=0.23.21", default-features = false, features = ["aws_lc_rs"] }
 vsock = { version = "=0.5.1", default-features = false }
 zeroize = { version = "=1.8.1", default-features = false, features = ["zeroize_derive"] }

parent/Cargo.toml

@@ -23,7 +23,7 @@ byteorder = { version = "=1.5.0", default-features = false }
 clap = { version = "=4.5.27", default-features = false, features = ["std", "derive", "env"] }
 fastrand = { version = "=2.3.0", default-features = false }
 serde = { version = "=1.0.217", default-features = false, features = ["derive"] }
-serde_json = { version = "=1.0.137", default-features = false }
+serde_json = { version = "=1.0.138", default-features = false }
 thiserror = { version = "=2.0.11", default-features = false }
 tokio = { version = "=1.43.0", default-features = false, features = ["rt-multi-thread", "process", "tracing"] }
 tracing = { version = "=0.1.41", default-features = false, features = ["log"] }