fix(docs): add GitHubTokenSecret to SecretsManager resource scope

scottschreckengaust · claude · scottschreckengaust · commit 3adb6e23808d · 2026-04-25T00:56:02.000Z
CDK generates the GitHub token secret with construct ID hash
(GitHubTokenSecret09BC4210-*), not the backgroundagent- prefix.
Add this pattern to the SecretsManager statement Resource list.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/docs/design/DEPLOYMENT_ROLES.md b/docs/design/DEPLOYMENT_ROLES.md
@@ -415,7 +415,10 @@ DynamoDB tables, Lambda functions, API Gateway, Cognito, WAFv2, EventBridge, and
         "secretsmanager:PutResourcePolicy",
         "secretsmanager:DeleteResourcePolicy"
       ],
-      "Resource": "arn:aws:secretsmanager:*:*:secret:backgroundagent-*"
+      "Resource": [
+        "arn:aws:secretsmanager:*:*:secret:backgroundagent-*",
+        "arn:aws:secretsmanager:*:*:secret:GitHubTokenSecret*"
+      ]
     },
     {
       "Sid": "SecretsManagerAccountLevel",
diff --git a/docs/src/content/docs/architecture/Deployment-roles.md b/docs/src/content/docs/architecture/Deployment-roles.md
@@ -419,7 +419,10 @@ DynamoDB tables, Lambda functions, API Gateway, Cognito, WAFv2, EventBridge, and
         "secretsmanager:PutResourcePolicy",
         "secretsmanager:DeleteResourcePolicy"
       ],
-      "Resource": "arn:aws:secretsmanager:*:*:secret:backgroundagent-*"
+      "Resource": [
+        "arn:aws:secretsmanager:*:*:secret:backgroundagent-*",
+        "arn:aws:secretsmanager:*:*:secret:GitHubTokenSecret*"
+      ]
     },
     {
       "Sid": "SecretsManagerAccountLevel",
