Apologies in advance if I'm doing something dumb. I'm super new to AWS and Docker, have only started learning them this week, and this is my first attempt at making a function via Docker image.
I created an image and a function in AWS Lambda but trying to run it gives me an error:
{
  "errorMessage": "An error occurred (AccessDeniedException) when calling the GetSecretValue operation: User: <user_here> is not authorized to perform: secretsmanager:GetSecretValue on resource: <resource_here> because no identity-based policy allows the secretsmanager:GetSecretValue action",
  "errorType": "ClientError",
  "requestId": "ccfb336b-2383-4b3f-8525-98ff213032bf",
  "stackTrace": [
    " File \"/var/task/app.py\", line 85, in lambda_handler\n secret = get_secret()\n",
    " File \"/var/task/app.py\", line 30, in get_secret\n raise e\n",
    " File \"/var/task/app.py\", line 26, in get_secret\n get_secret_value_response = client.get_secret_value(SecretId=secret_name)\n",
    " File \"/var/runtime/botocore/client.py\", line 391, in _api_call\n return self._make_api_call(operation_name, kwargs)\n",
    " File \"/var/runtime/botocore/client.py\", line 719, in _make_api_call\n raise error_class(parsed_response, operation_name)\n"
  ]
}
Here's some of my template.yaml (replaced some stuff with <> but the key definitely exists and works):
Properties:
  PackageType: Image
  Architectures:
    - x86_64
  Policies:
    - AWSSecretsManagerGetSecretValuePolicy:
        SecretArn: arn:aws:secretsmanager:<region_here>:<account_here>:secret:<path>/google-api-key-??????
I watched a bunch of videos like this one to create a role with the policy to read the secrets https://www.youtube.com/watch?v=bZCFxueebVQ and read a bunch of SO posts, but still can't get it to work :(
Here's a list of actions for that key as it appears in the function settings:
Allow: secretsmanager:GetResourcePolicy
Allow: secretsmanager:GetSecretValue
Allow: secretsmanager:DescribeSecret
Allow: secretsmanager:ListSecretVersionIds
Edit: I looked through the logs, and for some reason the logs only go back to around noon, even though I've run the function multiple times since, especially after changing the role. Yet the logs still only show the previous role:
[ERROR] ClientError: An error occurred (AccessDeniedException) when calling the GetSecretValue operation: User: arn:aws:sts::<user>:assumed-role/<old_role_here>/<my_function> is not authorized to perform: secretsmanager:GetSecretValue on resource: <secret_path> because no identity-based policy allows the secretsmanager:GetSecretValue action
That makes me think it never updated the role... But it does show it in the function settings.
So confused ...
Edit2: Made a new function with the new role that has a policy to read the secret. Tried running the function. Still same error. Went to read the logs. Got an error "Log group doesn't exist"
Even more confused ...
Have a read through this doc if you haven't already. https://aws.amazon.com/premiumsupport/knowledge-center/troubleshoot-iam-policy-issues/
And also take a look here re log group https://aws.amazon.com/premiumsupport/knowledge-center/lambda-cloudwatch-log-streams-error/
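As an added example (not code from either poster), the following Python script reproduces offline the two checks this thread turns on: it reads the execution role actually used out of the AccessDeniedException text, since the `assumed-role/<role>/<function>` principal in the log names the role the invocation really ran under, and it evaluates an identity policy of the shape SAM's AWSSecretsManagerGetSecretValuePolicy generates using IAM's `*` and `?` resource wildcards (which is why a `??????` suffix in SecretArn can match a secret's random six-character suffix). The error text, account, region, role names and secret suffix are constructed placeholders.

```python
import fnmatch
import re
# Constructed sample in the shape of the error on this page (placeholder account, region, role, suffix).
SAMPLE_ERROR = (
    "An error occurred (AccessDeniedException) when calling the GetSecretValue operation: User: "
    "arn:aws:sts::123456789012:assumed-role/old-lambda-role/my-func is not authorized to perform: "
    "secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:us-east-1:123456789012:secret:"
    "prod/google-api-key-AbCdEf because no identity-based policy allows the secretsmanager:GetSecretValue action"
)
# Constructed policy in the shape SAM's AWSSecretsManagerGetSecretValuePolicy template emits.
SAMPLE_POLICY = {"Statement": [{
    "Effect": "Allow",
    "Action": "secretsmanager:GetSecretValue",
    "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/google-api-key-??????",
}]}
_ERR_RE = re.compile(r"User: (\S+) is not authorized to perform: (\S+) on resource: (\S+)")

def parse_access_denied(msg):
    """Return (role_name, action, resource) from an AccessDeniedException message."""
    m = _ERR_RE.search(msg)
    if not m:
        raise ValueError("not an AccessDeniedException message")
    principal, action, resource = m.groups()
    # STS principals read arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION; ROLE is what the invocation ran as.
    role = principal.split(":assumed-role/", 1)[1].split("/", 1)[0] if ":assumed-role/" in principal else principal
    return role, action, resource

def _iam_match(pattern, value):
    """IAM-style match: '*' is any run, '?' one character; a literal '[' must not become a class."""
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))

def _as_list(v):
    return [v] if isinstance(v, str) else list(v)

def policy_allows(policy, action, resource):
    """Explicit Deny wins, else any matching Allow; actions compare case-insensitively, ARNs as written."""
    allowed = False
    for stmt in policy.get("Statement", []):
        hit_action = any(_iam_match(a.lower(), action.lower()) for a in _as_list(stmt.get("Action", [])))
        hit_resource = any(_iam_match(r, resource) for r in _as_list(stmt.get("Resource", [])))
        if hit_action and hit_resource:
            if stmt.get("Effect") == "Deny":
                return False
            allowed = True
    return allowed

def diagnose(msg, expected_role, policy):
    # Separate the two causes seen on this page: wrong role actually used vs. policy not matching.
    role, action, resource = parse_access_denied(msg)
    return {"role_in_error": role, "role_matches": role == expected_role,
            "policy_allows": policy_allows(policy, action, resource)}
```

Feed it the real log line and the policy document attached to the role the console shows: `role_matches` False means the function is still running under the old role, while `policy_allows` False means the policy itself (region, account or secret name) does not cover the ARN in the error.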