Using AWS Tools for Powershell in a Powershell lambda

0

Hello, I am encountering a huge roadblock performing the most basic AWS tasks within a Powershell Lambda. I have created a role with secretsmanager and basic lambda execute permissions. Created a test secret. Created a one-liner Powershell Lambda with Get-SECSecretValue to retrieve the test key value. No VPC is assigned to the lambda; from what I understand, this is not needed for a simple internal service call. The command executes, and then hangs. Both the lambda and secret are in the same region, same account. I have tried to get the lambda to access various other services, all unsuccessfully. To add further datapoints, I created a Python lambda that does the same thing, accessing the same secret. Used the same role and did not select a VPC. This lambda has no issues whatsoever retrieving the key.

Could really use some help here, being able to retrieve a secret is mission critical to this project. Unfortunately I can't convert the scripts to Python (Thanks Microsoft).

I could use another python lambda to retrieve the secrets and pass them to the initiating lambda, but that seems a bit excessive, and I don't even know if I can trigger a lambda from the PS one, since I can't seem to connect to any AWS services.

asked 2 years ago, 864 views
1 answer
1

This should be working without any issues, if configured correctly.

You could leverage the AWS Lambda Developer Guide - there is an example of setting up a basic infrastructure for a PowerShell Lambda (the link above points directly to that example).

Following the steps in the guide, you get an AWS Lambda with the .NET Core 3.1 (C#/PowerShell) runtime and some basic CmdLets as an example.

To test your use case, I manually created a simple secret in the AWS Secrets Manager with a secret ID test-secret. I used the DefaultEncryptionKey and no additional options. I placed the secret in the same region where my Lambda function resides (eu-west-1 in my case).

In the Lambda function, I call the AWS API as follows:

$secret = Get-SECSecretValue -SecretId test-secret
Write-Host $secret.SecretString

To allow AWS Lambda to access my newly created secret, I extended the already pre-configured Lambda execution role with an inline policy (here, I anonymized some values with *):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "MySecretAccess",
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "arn:aws:secretsmanager:eu-west-1:************:secret:test-secret-******"
        }
    ]
}

So this immediately worked out-of-the-box, here is my CloudWatch log for this function call:

Importing module ./Modules/AWSPowerShell.NetCore/3.3.618.0/AWSPowerShell.NetCore.psd1
[Information] - {"test-secret":"TEST_SECRET_VALUE"}

Please try the steps from the guide I mentioned above and see if this works for you. If it still doesn't, I'm happy to help, but please take a look at your CloudWatch logs and also make sure your deployment works.

AWS
answered 2 years ago
  • Following the Developer Guide, I created a basic lambda and modified the code as such:

    #Requires -Modules @{ModuleName='AWS.Tools.SecretsManager';ModuleVersion='4.1.24.0'}
    write-host(Get-SECSecretValue -SecretId "TestKeys" -verbose)

    Execution role has been extended with "Effect": "Allow", "Action": "secretsmanager:", "Resource": "arn:aws:secretsmanager:us-east-1:*****************:secret:TestKeys-*********"

  • Cloudwatch log: 2022-02-22T13:39:29.043-06:00 START RequestId: {task guid} Version: $LATEST

    2022-02-22T13:39:29.047-06:00 Importing module ./Modules/AWS.Tools.Common/4.1.24.0/AWS.Tools.Common.psd1
    Importing module ./Modules/AWS.Tools.SecretsManager/4.1.24.0/AWS.Tools.SecretsManager.psd1

    2022-02-22T13:39:29.964-06:00 [Verbose] - Invoking AWS Secrets Manager operation 'GetSecretValue' in region 'us-east-1'

    2022-02-22T13:39:59.077-06:00 END RequestId: {task guid}

    2022-02-22T13:39:59.077-06:00 REPORT RequestId: {task guid} Duration: 30030.73 ms Billed Duration: 30000 ms Memory Size: 512 MB Max Memory Used: 161 MB Init Duration: 2328.03 ms

    2022-02-22T13:39:59.077-06:00 2022-02-22T19:39:59.075Z {task guid} Task timed out after 30.03 seconds

  • I had been following the documentation here: https://docs.aws.amazon.com/lambda/latest/dg/powershell-devenv.html In changing from the module import "AWS.Tools.Common" to the older "AWSPowerShell.NetCore" I now get an SSL error "The remote certificate is invalid according to the validation procedure." How am I getting SSL cert errors when I'm not even using external services? I am initiating the lambda via the Test function, and I have used the CLI to invoke it with the same results.
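Added example (not code from the answer or from the AWS guide): a PowerShell Lambda script that fetches the same kind of secret but fails fast with a short SDK client timeout instead of hanging until the 30-second function limit, logs the calling role and the error type for CloudWatch diagnosis, and never writes the secret value itself to the log. It assumes the secret is named test-secret, that AWS_REGION is set by the Lambda runtime, and that the AWS.Tools 4.1.x cmdlets accept a -ClientConfig parameter.

```powershell
# Added example, not the original poster's or AWS's code. Assumptions:
# - secret name 'test-secret' (placeholder), same region as the function
# - AWS.Tools 4.1.x service cmdlets accept -ClientConfig
#Requires -Modules @{ModuleName='AWS.Tools.Common';ModuleVersion='4.1.24.0'}
#Requires -Modules @{ModuleName='AWS.Tools.SecretsManager';ModuleVersion='4.1.24.0'}
#Requires -Modules @{ModuleName='AWS.Tools.SecurityToken';ModuleVersion='4.1.24.0'}

$ErrorActionPreference = 'Stop'
$secretId = 'test-secret'    # placeholder: name or ARN of the secret
$region   = $env:AWS_REGION  # set by the Lambda runtime

# Log which role is really calling: a wrong role is the usual cause of AccessDenied.
$caller = Get-STSCallerIdentity -Region $region
Write-Host "Running as $($caller.Arn) in region $region"

# Fail fast: 5 s per attempt and 2 retries, so a network/endpoint problem surfaces
# as a clear exception instead of a silent 'Task timed out after 30 seconds'.
$cfg = New-Object Amazon.SecretsManager.AmazonSecretsManagerConfig
$cfg.RegionEndpoint = [Amazon.RegionEndpoint]::GetBySystemName($region)
$cfg.Timeout        = [TimeSpan]::FromSeconds(5)
$cfg.MaxErrorRetry  = 2

try {
    $resp = Get-SECSecretValue -SecretId $secretId -ClientConfig $cfg
}
catch {
    # Log only the exception type and message, never the secret. A timeout points
    # at reachability of the regional endpoint; AccessDenied points at the policy.
    Write-Host "GetSecretValue failed: $($_.Exception.GetType().Name): $($_.Exception.Message)"
    throw
}

# Key/value secrets store JSON in SecretString; parse it and report only the key
# names and version, so CloudWatch never contains the secret material.
$secret = $resp.SecretString | ConvertFrom-Json
$keys   = ($secret.PSObject.Properties.Name) -join ', '
Write-Host "Retrieved '$secretId' (version $($resp.VersionId)); keys: $keys"
```

Compare with the earlier log line that printed the whole SecretString: anything written with Write-Host lands in CloudWatch, where it is readable by everyone with log access.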
