Lambda created using Terraform is not authorized to perform: secretsmanager:GetSecretValue

0

I am trying to access my AWS RDS from a Lambda function using IAM authentication. I have stored the secrets using Secrets Manager. I am using Terraform to provision all the services. I am getting the following error:

```
software.amazon.awssdk.services.secretsmanager.model.SecretsManagerException: User: arn:aws:sts::<myaccount>:assumed-role/poc-da37e8d3/poc-forms-da37e8d3 is not authorized to perform: secretsmanager:GetSecretValue because no identity-based policy allows the secretsmanager:GetSecretValue action (Service: SecretsManager, Status Code: 400, Request ID: 915700aa-bbc2-49c8-8082-af6635642755)
org.springframework.web.util.NestedServletException: Request processing failed; nested exception is software.amazon.awssdk.services.secretsmanager.model.SecretsManagerException: User: arn:aws:sts::<myaccount>:assumed-role/poc-da37e8d3/poc-forms-da37e8d3 is not authorized to perform: secretsmanager:GetSecretValue because no identity-based policy allows the secretsmanager:GetSecretValue action (Service: SecretsManager, Status Code: 400, Request ID: 915700aa-bbc2-49c8-8082-af6635642755)
```

Can anyone please help me to resolve this issue?

My Terraform code snippet:

```hcl
module "my_lambda" {
  source = "git::https://bitbucket.<mydomain>.com/scm/<info>/aws-lambda.git"

  id             = local.id
  name           = "${var.name}-mylmbda"
  description    = "Lambda"
  handler_prefix = "com.my_forms_api"
  handler_suffix = "ApiHandler::handleRequest"

  source_folder_zip_dir  = "${path.module}/app/src/forms-api.zip"
  runtime                = "java11"
  timeout                = 30
  memory_size            = 1024
  vpc_subnet_ids         = var.vpc_subnet_ids
  vpc_security_group_ids = var.vpc_security_group_ids

  environment_variables = {
    secret_name = data.aws_secretsmanager_secret.secretkey.name
  }

  invoke_function_permission = [{
    "apigateway.amazonaws.com" = "arn:aws:execute-api:${local.region}:${local.account_id}:${module.aws_api_gateway.id}/*/*/*"
  }]

  use_existing_role = true
  existing_role_arn = module.lambda_role.arn
  tags              = local.tags
}

module "lambda_role" {
  source = "git::https://bitbucket.<mydomain>.com/scm/<info>/iam-role.git"

  assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
  id                 = local.id
  name               = var.name
  description        = "IAM role for lambda."
  inline_policy_docs = [data.aws_iam_policy_document.lambda_execution_policy.json]
  tags               = local.tags
}

data "aws_iam_policy_document" "assume_role_policy" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

data "aws_iam_policy_document" "lambda_execution_policy" {
  statement {
    actions   = ["rds-db:connect"]
    effect    = "Allow"
    resources = ["arn:aws:rds-db:${local.region}:${local.account_id}:dbuser:${var.dbresourceid}/${var.dbuser}"]
  }

  statement {
    actions   = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
    effect    = "Allow"
    resources = ["arn:aws:logs:*:*:*"]
  }

  statement {
    actions   = ["ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface", "ec2:DescribeNetworkInterfaces"]
    effect    = "Allow"
    resources = ["*"]
  }

  statement {
    actions = [
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:PutLogEvents",
      "ec2:CreateNetworkInterface",
      "ec2:DescribeNetworkInterfaces",
      "ec2:DeleteNetworkInterface",
      "ec2:AssignPrivateIpAddresses",
      "ec2:UnassignPrivateIpAddresses",
    ]
    effect    = "Allow"
    resources = ["*"]
  }

  statement {
    actions = [
      "secretsmanager:GetResourcePolicy",
      "secretsmanager:GetSecretValue",
      "secretsmanager:DescribeSecret",
      "secretsmanager:ListSecretVersionIds",
    ]
    effect    = "Allow"
    resources = ["arn:aws:secretsmanager:${local.region}:${local.account_id}:secret:${var.secretname_arn}"]
  }
}

data "aws_secretsmanager_secret" "secretkey" {
  arn = "arn:aws:secretsmanager:${local.region}:${local.account_id}:secret:${var.secretname_arn}"
}
```

3 answers
1

The error message indicates that the role used by the Lambda function doesn't have the "secretsmanager:GetSecretValue" permission.

You may want to check the following:

  1. In the role attached to the Lambda function, check that the action "secretsmanager:GetSecretValue" is allowed for the Secrets Manager secret it is trying to access. Looking at the code snippet, this seems to be configured, but double-check. Here is a sample permission.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "SecretARN"
    }
  ]
}
```

  2. In Secrets Manager, check the resource policy attached to the secret. It should allow "secretsmanager:GetSecretValue". Here is a sample permission.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::123456789012:role/MyRole" },
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "*"
    }
  ]
}
```

  3. Finally, if the secret is encrypted using a KMS key, then the role attached to the Lambda function should also have the "kms:Decrypt" permission.
answered a year ago
  • zafar_khan: 1. Yes, the policy is configured. I don't find any issue in it. 2. There is no resource policy defined; I see it is an optional field. 3. No encryption.

  • Ok. You can test the Lambda role permissions using the "IAM Policy Simulator". See if it flags any issues. Refer to the link for details: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html

  • I have tried your solution. The issue is still pending; I am getting the same error. Since my Lambda is in a custom VPC, could this be an issue?
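As an added example (not code from the post, from AWS, or from the Policy Simulator), a small offline evaluator that applies the identity-policy logic from point 1 of the answer above to a Lambda role statement; the region, account id, secret name and ARNs are constructed placeholders. It also exercises a check worth doing next to the Policy Simulator: Secrets Manager appends six random characters to every secret ARN, so a Resource written as the bare secret ARN never matches the ARN the service evaluates, and the result is the implicit deny seen in the question.

```python
"""Offline check of IAM identity policies for one Secrets Manager request.

Minimal model of IAM identity-policy evaluation: an explicit Deny wins,
a matching Allow allows, anything else is an implicit deny. Conditions,
NotAction/NotResource and resource policies are not modelled.
"""
import fnmatch
import json


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policies, action, resource):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for the request."""
    decision = "ImplicitDeny"
    for doc in policies:
        for stmt in _as_list(doc["Statement"]):
            # Actions are case-insensitive, ARNs are not; '*' and '?' are wildcards.
            act_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                         for a in _as_list(stmt.get("Action", [])))
            res_ok = any(fnmatch.fnmatchcase(resource, r)
                         for r in _as_list(stmt.get("Resource", [])))
            if not (act_ok and res_ok):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision


# Constructed sample: a role statement whose Resource is the secret ARN
# written without the six random characters Secrets Manager appends.
ROLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
    "Resource": "arn:aws:secretsmanager:eu-west-1:123456789012:secret:poc/db-creds"
  }]
}""")
# Constructed sample: the ARN the service actually reports for that secret.
SECRET_ARN = "arn:aws:secretsmanager:eu-west-1:123456789012:secret:poc/db-creds-AbCdEf"


def check_lambda_role():
    """Evaluate GetSecretValue before and after widening the Resource pattern."""
    before = evaluate([ROLE_POLICY], "secretsmanager:GetSecretValue", SECRET_ARN)
    fixed = json.loads(json.dumps(ROLE_POLICY))
    fixed["Statement"][0]["Resource"] += "-??????"  # cover the random suffix
    after = evaluate([fixed], "secretsmanager:GetSecretValue", SECRET_ARN)
    return before, after  # ('ImplicitDeny', 'Allow')
```

Feed it the rendered `aws_iam_policy_document` JSON from `terraform show` and the ARN from `aws secretsmanager describe-secret` to reproduce the decision locally before touching the account.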

0
Accepted answer

I could solve the issue. The issue was with my Java code. Previously I was using this line of code to create the SecretsManagerClient:

```java
var secretsManagerClient = SecretsManagerClient.create();
```

but using this piece of code solved the issue:

```java
// 'region' is the function's Region, e.g. Region.of(System.getenv("AWS_REGION"))
SecretsManagerClient secretsManagerClient = SecretsManagerClient.builder()
        .region(region)
        .build();
```

answered a year ago
EXPERT
reviewed a month ago
-2

Hi,

Is the RDS database in the same VPC? In that case you need a VPC interface endpoint to access it.

If in the same VPC, look at the security group setup.

A nice guide can be found here: https://repost.aws/knowledge-center/connect-lambda-to-an-rds-instance

EXPERT
answered a year ago
  • Yes, RDS is in the same VPC as the Lambda function but in different subnets. I shall go through the link you shared and update you. Thanks!

  • alatech, but I am getting the error in accessing Secrets Manager itself.

  • Then I think you may need an interface endpoint for Secrets Manager, so that your Lambda in the VPC can access Secrets Manager secrets via PrivateLink.

    See this: https://repost.aws/knowledge-center/lambda-secret-vpc
