Restricting access to secret GetValue from Lambda

0

Hello. How do I restrict access to a secret from a lambda function's role without adding a secret specific policy to the role? It seems that a Permissions policy on the secret is overridden by a policy on the role. For example, I have the following policy on the secret:

{
    "Version" : "2012-10-17",
    "Statement" : [ {
        "Sid" : "Get",
        "Effect" : "Deny",
        "Principal" : "*",
        "Action" : "secretsmanager:GetSecretValue",
        "Resource" : "{secret_arn}",
        "Condition" : {
            "StringNotLike" : {
                "aws:PrincipalArn" : {principal_arns}
            }
        }
    } ]
}

I assumed that this would Deny access to any roles other than those in the StringNotLike list even if the other roles have (for example) SecretsManagerReadWrite permissions attached to them?

Thank you!

1 Answer
1
Accepted Answer

Hello.

If you set the resource-based policy you created in SecretsManager, you will not be able to obtain secrets except from the ARN set in "Condition".

For example, create Lambda A and Lambda B with the Lambda code below.
Create separate IAM roles for Lambda A and Lambda B and set "SecretsManagerReadWrite" in the IAM policy.
Set the policy you created in Secrets Manager's resource-based policy and register only the ARN of Lambda A's IAM role.
Once configured, when you run Lambda, you can see that Lambda A succeeds in execution, but when you run Lambda B, it fails with an access denied error.

import boto3
from botocore.exceptions import ClientError

def lambda_handler(event, context):
    get_secret()

def get_secret():

    secret_name = "test1"
    region_name = "ap-northeast-1"

    # Create a Secrets Manager client; the Lambda execution role's credentials
    # are picked up automatically from the environment.
    session = boto3.session.Session()
    client = session.client(
        service_name='secretsmanager',
        region_name=region_name
    )

    try:
        get_secret_value_response = client.get_secret_value(
            SecretId=secret_name
        )
    except ClientError:
        # For a list of exceptions thrown, see
        # https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
        # With the resource-based policy in place, a role not listed in the
        # Condition gets an access denied error here (the Lambda B case).
        raise

    secret = get_secret_value_response['SecretString']
    print(secret)
EXPERT
answered 16 days ago
  • Thank you. That works.
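The behaviour the answer describes follows from IAM's evaluation order: an applicable explicit Deny in any policy wins over every Allow, and a resource policy that only contains a Deny grants nothing by itself. The following added example (my own code, not from the question or the answer) builds the same Deny/StringNotLike resource policy from a list of allowed role ARNs and runs a simplified offline evaluator over it, so the two-Lambda experiment can be reproduced without an AWS account. All ARNs, the account id and the policy stand-in for SecretsManagerReadWrite are constructed sample values; the evaluator covers only the same-account, String* condition subset needed here, not the full IAM logic.

```python
import json
import re

# Constructed sample values (placeholders, not from the original post)
ACCOUNT = "123456789012"
SECRET_ARN = f"arn:aws:secretsmanager:ap-northeast-1:{ACCOUNT}:secret:test1-AbCdEf"
ROLE_A = f"arn:aws:iam::{ACCOUNT}:role/lambda-a-role"
ROLE_B = f"arn:aws:iam::{ACCOUNT}:role/lambda-b-role"
GET_VALUE = "secretsmanager:GetSecretValue"

# Stand-in for the managed SecretsManagerReadWrite policy (only the Allow that matters here).
READ_WRITE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "secretsmanager:*", "Resource": "*"}],
}


def build_deny_policy(secret_arn, allowed_principal_arns):
    """Resource policy from the question: explicit Deny of GetSecretValue to every
    principal whose ARN matches none of the allowed patterns."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "Get",
            "Effect": "Deny",
            "Principal": "*",
            "Action": GET_VALUE,
            "Resource": secret_arn,
            "Condition": {
                "StringNotLike": {"aws:PrincipalArn": list(allowed_principal_arns)}
            },
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wild(pattern, value):
    """IAM-style wildcard match: '*' is any run of characters, '?' a single one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _any_match(patterns, value):
    return any(_wild(p, value) for p in _as_list(patterns))


def _condition_holds(condition, ctx):
    """Only StringLike / StringNotLike are modelled; that is all this policy uses."""
    for operator, pairs in condition.items():
        for key, patterns in pairs.items():
            value = ctx.get(key, "")
            if operator == "StringLike" and not _any_match(patterns, value):
                return False
            if operator == "StringNotLike" and _any_match(patterns, value):
                return False
    return True


def _principal_matches(principal, principal_arn):
    if principal == "*":
        return True
    return _any_match(principal.get("AWS", []), principal_arn)


def evaluate(principal_arn, action, resource, identity_policies, resource_policy=None):
    """Simplified same-account evaluation: an applicable explicit Deny in any policy
    wins; otherwise an Allow from an identity or resource policy grants access.
    For a Lambda, aws:PrincipalArn resolves to the execution role's ARN."""
    ctx = {"aws:PrincipalArn": principal_arn}
    allowed = False
    policies = [("resource", resource_policy)] if resource_policy else []
    policies += [("identity", p) for p in identity_policies]
    for kind, policy in policies:
        for stmt in policy["Statement"]:
            if not _any_match(stmt["Action"], action):
                continue
            if not _any_match(stmt["Resource"], resource):
                continue
            if kind == "resource" and not _principal_matches(stmt.get("Principal", {}), principal_arn):
                continue
            if not _condition_holds(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def lambda_outcomes(resource_policy):
    """Outcome for the two Lambda roles from the answer, both holding ReadWrite."""
    return {
        "lambda_a": evaluate(ROLE_A, GET_VALUE, SECRET_ARN, [READ_WRITE_POLICY], resource_policy),
        "lambda_b": evaluate(ROLE_B, GET_VALUE, SECRET_ARN, [READ_WRITE_POLICY], resource_policy),
    }


if __name__ == "__main__":
    policy = build_deny_policy(SECRET_ARN, [ROLE_A])
    print(json.dumps(policy, indent=2))
    print(lambda_outcomes(None))    # no resource policy: the managed policy alone lets both roles read
    print(lambda_outcomes(policy))  # with it: lambda_a Allow, lambda_b ExplicitDeny
```

Two checks worth keeping in mind when using this pattern: the resource policy is deny-only, so a role with no identity-based Allow is still implicitly denied even if its ARN is in the list, and because StringNotLike supports wildcards, an allowed entry such as `role/lambda-a-*` would also admit any future role whose name happens to match that prefix.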
