Lambda deployed with serverless framework has no access to kms:Sign
0
After deploy I try to invoke a function but get an error
Error: AccessDeniedException: User: arn:aws:sts::475473497806:assumed-role/cosigner-callback-handler-dev-us-east-1-lambdaRole/cosigner-callback-handler-dev-callback_handler is not authorized to perform: kms:Sign on resource: arn:aws:kms:us-east-1:475473497806:key/605e631d-0634-4997-9689-82ba70ded0c5 because no resource-based policy allows the kms:Sign action Error: AccessDeniedException: User: arn:aws:sts::475473497806:assumed-role/cosigner-callback-handler-dev-us-east-1-lambdaRole/cosigner-callback-handler-dev-callback_handler is not authorized to perform: kms:Sign on resource: arn:aws:kms:us-east-1:475473497806:key/605e631d-0634-4997-9689-82ba70ded0c5 because no resource-based policy allows the kms:Sign action
When I check lamda configuration i see that it's contain all rules i configured
{
"partial": false,
"policies": [
{
"document": {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"logs:CreateLogStream",
"logs:CreateLogGroup",
"logs:TagResource"
],
"Resource": [
"arn:aws:logs:us-east-1:475473497806:log-group:/aws/lambda/cosigner-callback-handler-dev*:*"
],
"Effect": "Allow"
},
{
"Action": [
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:us-east-1:475473497806:log-group:/aws/lambda/cosigner-callback-handler-dev*:*:*"
],
"Effect": "Allow"
},
{
"Action": [
"kms:DescribeKey",
"kms:GetPublicKey",
"kms:Sign",
"kms:Verify"
],
"Resource": "*",
"Effect": "Allow"
}
]
},
"name": "cosigner-callback-handler-dev-lambda",
"type": "inline"
}
],
"resources": {
"logs": {
"service": {
"icon": "data:image/svg+xml;base64,PHN2ZyB2aWV3Qm94PSIwIDAgNjQgNjQiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyI+CiAgPGcgdHJhbnNmb3JtPSJzY2FsZSguOCkiPgogICAgPGcgZmlsbD0ibm9uZSIgZmlsbC1ydWxlPSJldmVub2RkIj4KICAgICAgPHBhdGggZD0iTTAgMGg4MHY4MEgweiIgZmlsbD0iI0U3MTU3QiIvPgogICAgICA8cGF0aCBkPSJNNTUuMDYgNDYuNzc3YzAtMy45MDktMy4yMDItNy4wOS03LjEzOC03LjA5LTMuOTM1IDAtNy4xMzYgMy4xODEtNy4xMzYgNy4wOSAwIDMuOTEgMy4yIDcuMDkgNy4xMzYgNy4wOXM3LjEzNy0zLjE4IDcuMTM3LTcuMDltMi4wMSAwYzAgNS4wMTEtNC4xMDMgOS4wODctOS4xNDcgOS4wODctNS4wNDMgMC05LjE0Ny00LjA3Ni05LjE0Ny05LjA4NyAwLTUuMDEgNC4xMDQtOS4wODYgOS4xNDctOS4wODYgNS4wNDQgMCA5LjE0OCA0LjA3NiA5LjE0OCA5LjA4Nm04LjQ0IDEzLjY5N0w1OC41IDU0LjIwM2ExMy4wMzMgMTMuMDMzIDAgMDEtMS45NDcgMi4xNmw2Ljk5OCA2LjI3YTEuNDc0IDEuNDc0IDAgMDAyLjA2Ni0uMTA3IDEuNDUzIDEuNDUzIDAgMDAtLjEwOC0yLjA1Mm0tMTcuNTg4LTIuODEyYzYuMDQzIDAgMTAuOTU4LTQuODgzIDEwLjk1OC0xMC44ODVzLTQuOTE1LTEwLjg4NC0xMC45NTgtMTAuODg0Yy02LjA0MSAwLTEwLjk1NyA0Ljg4Mi0xMC45NTcgMTAuODg0IDAgNi4wMDIgNC45MTYgMTAuODg1IDEwLjk1NyAxMC44ODVtMTkuMTkgNi4yQTMuNDgzIDMuNDgzIDAgMDE2NC41MjkgNjVhMy40NzUgMy40NzUgMCAwMS0yLjMyMi0uODgzTDU0LjkzMSA1Ny42YTEyLjkzNSAxMi45MzUgMCAwMS03LjAwOSAyLjA2Yy03LjE1IDAtMTIuOTY3LTUuNzc5LTEyLjk2Ny0xMi44ODIgMC03LjEwMiA1LjgxNy0xMi44ODEgMTIuOTY3LTEyLjg4MSA3LjE1MSAwIDEyLjk2OSA1Ljc3OSAxMi45NjkgMTIuODgxIDAgMi4wMzgtLjQ5MiAzLjk2LTEuMzQ0IDUuNjc0bDcuMzA5IDYuNTRhMy40NDQgMy40NDQgMCAwMS4yNTYgNC44NzJNMjEuMjggMjkuMzkzYzAgLjUxOS4wMzIgMS4wMzYuMDk0IDEuNTM2YS45OTQuOTk0IDAgMDEtLjgyMyAxLjEwNmMtMi40NzIuNjM0LTYuNTQgMi41NTMtNi41NCA4LjMxIDAgNC4zNDggMi40MTMgNi43NDggNC40MzkgNy45OTYuNjkxLjQzMyAxLjUxLjY2NCAyLjM3My42NzNsMTIuMTIyLjAxMS0uMDAyIDEuOTk3LTEyLjEzMS0uMDFjLTEuMjQ2LS4wMTQtMi40MjgtLjM1MS0zLjQyOC0uOTc3QzE1LjM3NyA0OC43OTcgMTIgNDUuODkgMTIgNDAuMzQ1YzAtNi42ODMgNC42LTkuMTUzIDcuMy0xMC4wMjYtLjAyLS4zMDctLjAzLS42MTctLjAzLS45MjYgMC01LjQ2IDMuNzI4LTExLjEyMyA4LjY3Mi0xMy4xNzEgNS43ODItMi40MDcgMTEuOTA4LTEuMjE0IDE2LjM4NCAzLjE4OSAxLjM4OCAxLjM2NCAyLjUyOSAzLjAyIDMuNDA0IDQuOTM3YTYuNTA5IDYuNTA5IDAgMDE0LjE1NC0xLjUwMmMzLjAwMiAwIDYuMzgyIDIuMjY0IDYuOTg0IDcuMjE1IDIuODEyLjY0NCA4Ljc1MyAyLjg5NCA4Ljc1MyAxMC4zNjIgMCAyLjk4MS0uOTQxIDUuNDQ0LTIuNzk4IDcuMzE5bC0xLjQzMy0xLjQwMWMxLjQ3My0xLjQ4OCAyLjIyLTMuNDc5IDIuMjItNS45MTggMC02LjUzMi01LjUwNC04LjE1Ny03Ljg3My04LjU1MWExLjAwMiAxLjAwMiAwIDAxLS44MjMtMS4xNTdjLS4zMjktNC4wNTUtMi43NTMtNS44NzItNS4wMy01Ljg3Mi0xLjQzNyAwLTIuNzg0LjY5NS0zLjY5NyAxLjkwN2ExLjAwNiAxLjAwNiAwIDAxLTEuNzUtLjI1OGMtLjgyMy0yLjI2Ni0yLjAxLTQuMTcxLTMuNTI1LTUuNjYxLTMuODgtMy44MTYtOS4xODQtNC44NS0xNC4xOTUtMi43NjYtNC4xNyAxLjcyNy03LjQzNyA2LjcwMi03LjQzNyAxMS4zMjgiIGZpbGw9IiNGRkYiLz4KICAgIDwvZz4KICA8L2c+Cjwvc3ZnPgo=",
"name": "Amazon CloudWatch Logs"
},
"statements": [
{
"action": "logs:CreateLogStream",
"effect": "Allow",
"resource": "arn:aws:logs:us-east-1:475473497806:log-group:/aws/lambda/cosigner-callback-handler-dev*:*",
"service": "logs",
"source": {
"index": "0",
"policyName": "cosigner-callback-handler-dev-lambda",
"policyType": "inline"
}
},
{
"action": "logs:CreateLogGroup",
"effect": "Allow",
"resource": "arn:aws:logs:us-east-1:475473497806:log-group:/aws/lambda/cosigner-callback-handler-dev*:*",
"service": "logs",
"source": {
"index": "0",
"policyName": "cosigner-callback-handler-dev-lambda",
"policyType": "inline"
}
},
{
"action": "logs:TagResource",
"effect": "Allow",
"resource": "arn:aws:logs:us-east-1:475473497806:log-group:/aws/lambda/cosigner-callback-handler-dev*:*",
"service": "logs",
"source": {
"index": "0",
"policyName": "cosigner-callback-handler-dev-lambda",
"policyType": "inline"
}
},
{
"action": "logs:PutLogEvents",
"effect": "Allow",
"resource": "arn:aws:logs:us-east-1:475473497806:log-group:/aws/lambda/cosigner-callback-handler-dev*:*:*",
"service": "logs",
"source": {
"index": "1",
"policyName": "cosigner-callback-handler-dev-lambda",
"policyType": "inline"
}
}
]
},
"kms": {
"service": {
"icon": "data:image/svg+xml;base64,PHN2ZyB2aWV3Qm94PSIwIDAgNjQgNjQiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyI+CiAgPGcgdHJhbnNmb3JtPSJzY2FsZSguOCkiPgogICAgPGcgZmlsbD0ibm9uZSIgZmlsbC1ydWxlPSJldmVub2RkIj4KICAgICAgPHBhdGggZD0iTTAgMGg4MHY4MEgweiIgZmlsbD0iI0REMzQ0QyIvPgogICAgICA8cGF0aCBkPSJNNTEuOTk3IDUyLjQ5Nmg3di0yaC03djJ6bS05IDBoN3YtMmgtN3Yyem0tOSAwaDd2LTJoLTd2MnptMTEtOGMwLTEuMTAzLjg5OC0yIDItMiAxLjEwMyAwIDIgLjg5NyAyIDJzLS44OTcgMi0yIDJjLTEuMTAyIDAtMi0uODk3LTItMnptNiAwYzAtMi4yMDYtMS43OTMtNC00LTQtMi4yMDYgMC00IDEuNzk0LTQgNHMxLjc5NCA0IDQgNGMyLjIwNyAwIDQtMS43OTQgNC00em0tMTQtMmMxLjEwMyAwIDIgLjg5NyAyIDJzLS44OTcgMi0yIDJjLTEuMTAyIDAtMi0uODk3LTItMnMuODk4LTIgMi0yem0wIDZjMi4yMDcgMCA0LTEuNzk0IDQtNHMtMS43OTMtNC00LTRjLTIuMjA2IDAtNCAxLjc5NC00IDRzMS43OTQgNCA0IDR6bTI5LTE1djIzYTEgMSAwIDAxLTEgMWgtMzF2LTJoMzB2LTIxaC0yMnYtMmgyM2ExIDEgMCAwMTEgMXptLTM1LjMwMSA1LjA0N2ExIDEgMCAwMC0uNy45NTN2MjEuMDRsLTIuMzk4IDIuMDU3LTIuNjAxLTIuOTczdi0yLjYyNGEuOTk3Ljk5NyAwIDAwLS4yOTMtLjcwN2wtMi4yOTItMi4yOTMgMi4yOTItMi4yOTNhLjk5Ny45OTcgMCAwMC4yOTMtLjcwN3YtMmEuOTk3Ljk5NyAwIDAwLS4yOTMtLjcwN2wtMi4yOTItMi4yOTMgMi4yOTItMi4yOTNhLjk5Ny45OTcgMCAwMC4yOTMtLjcwN3YtMy40OWEuOTk4Ljk5OCAwIDAwLS42OTgtLjk1M2MtNS4xNDItMS42My04LjE4Mi02LjkxOS03LjA3LTEyLjMwNC44MDMtMy44OCAzLjc4Ny02Ljk5IDcuNjAyLTcuOTI2IDMuMjQ5LS43OTcgNi41OC0uMSA5LjE0IDEuOTA3YTEwLjQ0NiAxMC40NDYgMCAwMTQuMDI2IDguMjY2YzAgNC41NTMtMy4wMDIgOC42ODUtNy4zMDEgMTAuMDQ3em05LjMtMTAuMDQ3YzAtMy44NjQtMS43NDUtNy40NS00Ljc5LTkuODQtMy4wNDUtMi4zODktNi45OTctMy4yMi0xMC44NTEtMi4yNzUtNC41NjEgMS4xMTctOC4xMjYgNC44MzItOS4wODQgOS40NjN2LjAwMUMxNCAzMS45OSAxNy4zIDM4LjAzNSAyMi45OTcgNDAuMjE1djIuMzY3TDIwLjI5IDQ1LjI5YTEgMSAwIDAwMCAxLjQxNGwyLjcwNyAyLjcwN3YxLjE3MkwyMC4yOSA1My4yOWExIDEgMCAwMDAgMS40MTRsMi43MDcgMi43MDd2Mi41ODZjMCAuMjQyLjA4OC40NzYuMjQ4LjY2bDMuNSA0YTEgMSAwIDAwMS40MDMuMWwzLjUtM2EuOTk4Ljk5OCAwIDAwLjM0OS0uNzZWNDAuMjA0YzQuNzQ2LTEuODMyIDgtNi41NDIgOC0xMS43MDh6bS0xMi41IDIuMzdhMi41MDMgMi41MDMgMCAwMS0yLjUtMi41YzAtMS4zNzggMS4xMjMtMi41IDIuNS0yLjUgMS4zOCAwIDIuNSAxLjEyMiAyLjUgMi41IDAgMS4zOC0xLjEyIDIuNS0yLjUgMi41em0wLTdhNC41MDUgNC41MDUgMCAwMC00LjUgNC41YzAgMi40ODIgMi4wMiA0LjUgNC41IDQuNSAyLjQ4MyAwIDQuNS0yLjAxOCA0LjUtNC41IDAtMi40OC0yLjAxNy00LjUtNC41LTQuNXoiIGZpbGw9IiNGRkYiLz4KICAgIDwvZz4KICA8L2c+Cjwvc3ZnPgo=",
"name": "AWS Key Management Service"
},
"statements": [
{
"action": "kms:DescribeKey",
"effect": "Allow",
"resource": "*",
"service": "kms",
"source": {
"index": "2",
"policyName": "cosigner-callback-handler-dev-lambda",
"policyType": "inline"
}
},
{
"action": "kms:GetPublicKey",
"effect": "Allow",
"resource": "*",
"service": "kms",
"source": {
"index": "2",
"policyName": "cosigner-callback-handler-dev-lambda",
"policyType": "inline"
}
},
{
"action": "kms:Sign",
"effect": "Allow",
"resource": "*",
"service": "kms",
"source": {
"index": "2",
"policyName": "cosigner-callback-handler-dev-lambda",
"policyType": "inline"
}
},
{
"action": "kms:Verify",
"effect": "Allow",
"resource": "*",
"service": "kms",
"source": {
"index": "2",
"policyName": "cosigner-callback-handler-dev-lambda",
"policyType": "inline"
}
}
]
}
},
"roleName": "cosigner-callback-handler-dev-us-east-1-lambdaRole",
"trustedEntities": [
"lambda.amazonaws.com"
]
}
Here is a serverless.yaml file
provider:
name: aws
runtime: go1.x
iam:
role:
statements:
- Effect: "Allow"
Action:
- "kms:DescribeKey"
- "kms:GetPublicKey"
- "kms:Sign"
- "kms:Verify"
Resource: '*'
resources:
Resources:
cosignerHandlerKmsKey:
Type: AWS::KMS::Key
Properties:
Description: My KMS key
KeySpec: RSA_2048
KeyUsage: SIGN_VERIFY
KeyPolicy:
Version: '2012-10-17'
Id: key-default-1
Statement:
- Sid: Enable IAM User Permissions
Effect: Allow
Principal:
AWS: !Sub arn:aws:iam::${AWS::AccountId}:user/admin
Action:
- kms:*
Resource: '*'
functions:
callback_handler:
environment:
KMS_KEY_ID: !GetAtt cosignerHandlerKmsKey.KeyId
handler: bin/main
events:
- httpApi:
path: /v2/tx_sign_request
method: post
- httpApi:
path: /v2/config_change_sign_request
method: post
Please help me identify an error :(
Sprache
English
gefragt vor einem Jahr329 Aufrufelg...
2 Antworten
- Neueste
- Die meisten Stimmen
- Die meisten Kommentare
1
Akzeptierte Antwort
Hi, it looks to me like your KMS Key Policy (resource policy) allows kms:* only for arn:aws:iam::${AWS::AccountId}:user/admin. Your Lambda won't be executing under this IAM Principal so you get "no resource-based policy allows" errors. You can see from the error that it's the "arn:aws:sts::475473497806:assumed-role/cosigner-callback-handler-dev-us-east-1-lambdaRole/cosigner-callback-handler-dev-callback_handler" IAM Principal that's trying to access KMS.
1
I should update the key policy also with the lambda role to be able use kms from lambda besides iam role.
beantwortet vor einem Jahrlg...
Relevanter Inhalt
AWS OFFICIALAktualisiert vor 3 Jahren- AWS OFFICIALAktualisiert vor 2 Jahren
- AWS OFFICIALAktualisiert vor einem Jahr
Unfortunately, here is a full role after serverless deploy