Access Secrets manager through VPC Endpoint

Hi,

You have the whole guidance to create such a VPC endpoint for Secrets Manager here: https://docs.aws.amazon.com/secretsmanager/latest/userguide/vpc-endpoint-overview.html

Then you have a detailled example in https://repost.aws/knowledge-center/lambda-secret-vpc See in particular the resource EC2VPCEndpoint , which gives you the full definition of the endpoint

EC2VPCEndpoint:
        Type: "AWS::EC2::VPCEndpoint"
        Properties:
            VpcEndpointType: "Interface"
            VpcId: !GetAtt EC2Subnet.VpcId
            ServiceName: !Sub "com.amazonaws.${AWS::Region}.secretsmanager"
            PolicyDocument: |
                {
                  "Statement": [
                    {
                      "Action": "*", 
                      "Effect": "Allow", 
                      "Principal": "*", 
                      "Resource": "*"
                    }
                  ]
                }
            SubnetIds: 
              - !Ref EC2Subnet
            PrivateDnsEnabled: true
            SecurityGroupIds: 
              - !Ref EC2SecurityGroup

BTW, as done above, I strongly recommend to use CloudFormation for such advanced constructs: you can put all resource definitions (Lambda, endpoint, secret, IAM policies, etc. ) in one single YAML file and check his coherency via cfn-lint. That is my personal only way to implement similar use cases: it dramatically raises your efficiency.

Best

Didier

You also can use an existing pattern (CDK, easier than cloud formation) in ServerlessLand: https://serverlessland.com/patterns/lambda-secretsmanager-dotnet-cdk