
fix(cdk-evals): deny dashboard deploy when auth secret is unavailable #74

Draft
yonib05 wants to merge 1 commit into strands-agents:main from yonib05:fix/dashboard-auth-fail-closed
yonib05 commented Jun 30, 2026

Member

The evals dashboard stack reads basic-auth credentials from the strands-evals/dashboard-auth Secrets Manager secret at synth time and injects them into the Lambda@Edge function. When the secret was absent, the stack fell back to fixed placeholder values, so the dashboard could be deployed and served with credentials that are not the ones an operator configured.

Change

  • Require the auth credentials to be present and readable before the Lambda@Edge auth function is built.
  • If the credentials are unavailable, CDK synthesis now fails with guidance to create the secret, instead of deploying the dashboard with placeholder values.
  • Update the README notes to describe the new behavior.

This makes the dashboard deny access by default: it is never deployed without the configured credentials in place.

Testing

  • cd cdk-evals && npx tsc --noEmit lib/dashboard-stack.ts (with project compiler options) passes with no errors.
  • This CDK package has no unit-test harness (the build script is just tsc, and there are no *.test.ts files or test runner dependencies), so no regression test was added.

The dashboard stack injects basic-auth credentials read from the
strands-evals/dashboard-auth Secrets Manager secret into the
Lambda@Edge function at synth time. When the secret was absent it fell
back to fixed placeholder values, so the dashboard could be served with
credentials that are not the configured ones.

Require the secret to be present and readable before the auth function
is built. If the credentials are unavailable, synthesis now fails with
guidance to create the secret, instead of deploying with placeholders.
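
The fail-open fallback and the fail-closed replacement described above, as an added example that is not code from this pull request or from the strands-agents project. The function names, the JSON secret shape with `username` and `password` fields, and the placeholder strings are assumptions made for illustration; only the secret name comes from the description.

```typescript
// Added example: fail-closed loading of a synth-time auth secret.
// The JSON shape {username, password} and every name below are assumptions.
interface DashboardAuth { username: string; password: string; }

const SECRET_ID = "strands-evals/dashboard-auth"; // secret name from the PR description

// Fail-open pattern the PR removes: a missing secret yields fixed placeholders.
// The placeholder strings are constructed for this example.
function loadAuthFailOpen(secretString: string | undefined): DashboardAuth {
  if (secretString === undefined) {
    return { username: "placeholder-user", password: "placeholder-pass" };
  }
  return JSON.parse(secretString) as DashboardAuth;
}

// Fail-closed: a missing, empty or malformed secret aborts synthesis.
// Error messages carry guidance only, never the secret contents.
function loadAuthFailClosed(secretString: string | undefined): DashboardAuth {
  const guidance = `Create the ${SECRET_ID} secret with non-empty "username" and "password" before deploying.`;
  if (secretString === undefined || secretString.trim() === "") {
    throw new Error(`Dashboard auth secret is unavailable. ${guidance}`);
  }
  let parsed: unknown;
  try {
    parsed = JSON.parse(secretString);
  } catch {
    throw new Error(`Dashboard auth secret is not valid JSON. ${guidance}`);
  }
  if (typeof parsed !== "object" || parsed === null) {
    throw new Error(`Dashboard auth secret must be a JSON object. ${guidance}`);
  }
  const { username, password } = parsed as Record<string, unknown>;
  if (typeof username !== "string" || username === "" ||
      typeof password !== "string" || password === "") {
    throw new Error(`Dashboard auth secret is missing a field. ${guidance}`);
  }
  return { username, password };
}

// Returns the error message that would stop synthesis, or null on success.
function synthOutcome(secretString: string | undefined): string | null {
  try {
    loadAuthFailClosed(secretString);
    return null;
  } catch (err) {
    return (err as Error).message;
  }
}
```

In a CDK app the string would come from a Secrets Manager lookup performed before the stack is constructed, so a thrown error stops `cdk synth` before any Lambda@Edge code is generated.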