assumed-role cannot access secret manager

0

Hi,

I have an IAM role - <role_name>, for an AWS Lambda function. This IAM role has a policy attached to it:

{
    "Statement": [
        {
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:kms:us-east-2:<account_id>:key/<key_id>",
            "Sid": "kms"
        },
        {
            "Action": "secretsmanager:GetSecretValue",
            "Effect": "Allow",
            "Resource": "arn:aws:secretsmanager:us-east-2:<account_id>:secret:<secret_name>-<some_randomstuff>",
            "Sid": "secretsmanager"
        }
    ],
    "Version": "2012-10-17"
}

In the Lambda function code, I try to get the secret value using Python like:

import json
from aws_lambda_powertools.utilities import parameters

json.loads(parameters.get_secret(<secret_name>))

And in the output I'm getting this error:

[ERROR] GetParameterError: An error occurred (AccessDeniedException) when calling the GetSecretValue operation: User: arn:aws:sts::<account_id>:assumed-role/<role_name>/<role_name> is not authorized to perform: secretsmanager:GetSecretValue on resource: <secret_name> because no identity-based policy allows the secretsmanager:GetSecretValue action

What could be the issue? The role has a policy that allows this role to "GetSecretValue" on <secret_arn>, but the assumed-role IAM identity cannot access it (if the error message is to be believed and is not misleading).

Thanks.

2 answers
0

Ensure your Lambda execution role also has kms:Decrypt for the key used to encrypt the secret.

Expert, answered a month ago
Reviewed by an AWS Expert a month ago
  • Good point, I added another statement to the allowing policy, but sadly it did not help.

0

Another thing to take into consideration is the accounts: whether this is a cross-account situation or not. Anyway, the first thing I would check is the key policy you have attached to the KMS key. It is not enough to grant permissions to the principal executing the Lambda function; you also need to allow usage by that principal in the KMS key policy. In the KMS key policy you can grant permissions to all the principals in one account, or just to specific principals.

Here you have examples: https://docs.aws.amazon.com/dms/latest/userguide/security_iam_resource-based-policy-examples.html

To be more precise for your use case you would need something like this:

{
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::987654321098:role/<your-lambda-role>"
        ]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },

Hope this helps,

Best.

AWS, answered a month ago
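
Added example, not code from the question or from either answer: an offline checker for the two policies involved. The error text in the question says "no identity-based policy allows the secretsmanager:GetSecretValue action", so the first thing to verify is that the Resource in the role's policy actually matches the secret's ARN (Secrets Manager ARNs end in a random six-character suffix, and the region must be the one the Lambda calls into); the second is the KMS key policy the second answer describes. Every account ID, role, secret and key name below is made up, and the evaluator is a deliberate simplification: Allow statements only, no Deny, no Condition, same-account only.

```python
"""Offline check of the two policies a Lambda needs to read a KMS-encrypted secret:
the role's identity policy (secretsmanager:GetSecretValue and kms:Decrypt) and the
KMS key policy.  Constructed example; every identifier here is made up."""
import fnmatch
import json

ACCOUNT = "123456789012"                                                      # assumed
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/lambda-secrets-role"                 # assumed
SECRET_ARN = f"arn:aws:secretsmanager:us-east-2:{ACCOUNT}:secret:prod/db-AbCdEf"  # assumed
KEY_ARN = f"arn:aws:kms:us-east-2:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"  # assumed


def _as_list(value):
    return value if isinstance(value, list) else [value]


def arn_matches(pattern, arn):
    """IAM-style resource match: '*' and '?' wildcards, compared field by field.
    A pattern that is not a six-field ARN (e.g. a missing colon) never matches."""
    if pattern == "*":
        return True
    p_parts, a_parts = pattern.split(":", 5), arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False
    return all(fnmatch.fnmatchcase(a, p) for p, a in zip(p_parts, a_parts))


def _action_matches(stmt, action):
    return any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))


def identity_policy_allows(policy, action, resource_arn):
    """Simplified evaluation: any Allow statement whose Action and Resource match.
    Deny statements and Conditions are deliberately ignored."""
    return any(
        stmt.get("Effect") == "Allow"
        and _action_matches(stmt, action)
        and any(arn_matches(r, resource_arn) for r in _as_list(stmt["Resource"]))
        for stmt in policy["Statement"]
    )


def key_policy_admits(key_policy, principal_arn, action):
    """'direct' if a key-policy Allow names the principal itself, 'account' if it only
    names the principal's account root (which delegates to IAM, so the identity policy
    must also allow the action), None if neither."""
    account = principal_arn.split(":")[4]
    root = f"arn:aws:iam::{account}:root"
    found = set()
    for stmt in key_policy["Statement"]:
        if stmt.get("Effect") != "Allow" or not _action_matches(stmt, action):
            continue
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
        if principal_arn in principals:
            found.add("direct")
        if root in principals or account in principals:
            found.add("account")
    return "direct" if "direct" in found else "account" if "account" in found else None


def diagnose(identity_policy, key_policy, role_arn=ROLE_ARN, secret_arn=SECRET_ARN, key_arn=KEY_ARN):
    """Same-account evaluation of both hops the Lambda needs."""
    kms_identity = identity_policy_allows(identity_policy, "kms:Decrypt", key_arn)
    kms_path = key_policy_admits(key_policy, role_arn, "kms:Decrypt")
    return {
        "secret_identity_ok": identity_policy_allows(identity_policy, "secretsmanager:GetSecretValue", secret_arn),
        "kms_identity_ok": kms_identity,
        "kms_key_policy": kms_path,
        "kms_ok": kms_path == "direct" or (kms_path == "account" and kms_identity),
    }


def policy_with_resource(secret_resource):
    """Identity policy shaped like the question's, with a chosen Resource for the secret."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "kms", "Effect": "Allow", "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": KEY_ARN},
        {"Sid": "secretsmanager", "Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
         "Resource": secret_resource},
    ]}


# Key policy shaped like the statement in the second answer, plus the usual account-root statement.
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"}, "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow use of the key", "Effect": "Allow", "Principal": {"AWS": [ROLE_ARN]},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"],
     "Resource": "*"},
]}

if __name__ == "__main__":
    secret_no_suffix = SECRET_ARN.rsplit("-", 1)[0]
    for label, resource in [
        ("full ARN including random suffix", SECRET_ARN),
        ("ARN without the random suffix", secret_no_suffix),
        ("ARN with '-??????' wildcard suffix", secret_no_suffix + "-??????"),
        ("ARN in the wrong region", SECRET_ARN.replace("us-east-2", "us-east-1")),
    ]:
        print(f"{label:36} {json.dumps(diagnose(policy_with_resource(resource), KEY_POLICY))}")
```

Run against a real policy, paste the role's actual policy document and the ARN returned by `aws secretsmanager describe-secret` in place of the constructed values; if `secret_identity_ok` is false the denial comes from the identity policy, exactly as the error message states, and no amount of KMS key-policy work will change it.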
