
Restricting access to secret GetValue from Lambda

0

Hello. How do I restrict access to a secret from a Lambda function's role without adding a secret-specific policy to the role? It seems that a permissions policy on the secret is overridden by a policy on the role. For example, I have the following policy on the secret:

{
    "Version" : "2012-10-17",
    "Statement" : [ {
        "Sid" : "Get",
        "Effect" : "Deny",
        "Principal" : "*",
        "Action" : "secretsmanager:GetSecretValue",
        "Resource" : "{secret_arn}",
        "Condition" : {
            "StringNotLike" : {
                "aws:PrincipalArn" : {principal_arns}
            }
        }
    } ]
}

I assumed that this would Deny access to any roles other than those in the StringNotLike list, even if the other roles have (for example) SecretsManagerReadWrite permissions attached to them?

Thank you!

1 Answer
1
Accepted answer

Hello.

If you attach the resource-based policy you created to the secret in Secrets Manager, the secret value cannot be obtained except by the ARN(s) set in "Condition".

For example, create Lambda A and Lambda B with the Lambda code below.
Create separate IAM roles for Lambda A and Lambda B and attach the "SecretsManagerReadWrite" managed policy to each role.
Set the policy you created as the secret's resource-based policy in Secrets Manager and register only the ARN of Lambda A's IAM role.
Once configured, when you run the functions you can see that Lambda A succeeds, but Lambda B fails with an access denied error.

import boto3
from botocore.exceptions import ClientError


def lambda_handler(event, context):
    # Each function runs with its own execution role; the resource policy on
    # the secret decides whether that role's ARN may read the value.
    return get_secret()


def get_secret():
    secret_name = "test1"
    region_name = "ap-northeast-1"

    # Create a Secrets Manager client using the execution role's credentials
    session = boto3.session.Session()
    client = session.client(
        service_name='secretsmanager',
        region_name=region_name
    )

    try:
        get_secret_value_response = client.get_secret_value(
            SecretId=secret_name
        )
    except ClientError as e:
        # For a list of exceptions thrown, see
        # https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
        # Lambda B (role not registered in the resource policy) lands here
        # with an AccessDeniedException.
        print(e.response['Error']['Code'], e.response['Error']['Message'])
        raise

    secret = get_secret_value_response['SecretString']
    # Demonstration only: do not log secret values in real functions
    print(secret)
    return secret

EXPERT
answered 2 years ago
EXPERT
verified 2 years ago
  • Thank you. That works.
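The behaviour the question expects and the answer confirms (an explicit Deny in the secret's resource policy overriding the Allow from SecretsManagerReadWrite on the role) can be checked offline. The following is an added example, not code from the thread: it renders the resource policy from a list of permitted role ARNs and runs a small same-account policy evaluator over it. The account ID, secret ARN, role names and the READ_WRITE_ALLOW stand-in for the managed policy are all made up, and the evaluator implements only the subset of IAM needed here (StringLike/StringNotLike with `*`/`?` wildcards, `Principal: "*"` or an `AWS` list). It also shows two things the thread does not: `StringNotLike` accepts wildcard patterns such as `role/lambda-a-*`, and the Deny covers only GetSecretValue, so a role with SecretsManagerReadWrite that is outside the list can still call PutResourcePolicy and rewrite the policy.

```python
"""Added example (not from the re:Post thread): offline simulation of how an
explicit Deny in a Secrets Manager resource policy interacts with an Allow on
the Lambda execution role.  All ARNs, IDs and role names are made up."""
import fnmatch

ACCOUNT = "123456789012"
SECRET_ARN = f"arn:aws:secretsmanager:ap-northeast-1:{ACCOUNT}:secret:test1-AbCdEf"
ROLE_A = f"arn:aws:iam::{ACCOUNT}:role/lambda-a-role"   # registered in the policy
ROLE_B = f"arn:aws:iam::{ACCOUNT}:role/lambda-b-role"   # not registered

# Stand-in for the managed SecretsManagerReadWrite policy attached to both
# roles: it grants secretsmanager:* on every secret (the real policy grants more).
READ_WRITE_ALLOW = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "secretsmanager:*", "Resource": "*"}],
}


def build_resource_policy(secret_arn, allowed_principal_arns):
    """Render the Deny-everyone-else policy from the question.  With a list of
    values, StringNotLike is true only when aws:PrincipalArn matches none of
    them, so every role outside the list is denied GetSecretValue."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "Get",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": secret_arn,
            "Condition": {"StringNotLike": {"aws:PrincipalArn": list(allowed_principal_arns)}},
        }],
    }


def _like(pattern, value, case_sensitive=True):
    # IAM string wildcards: '*' matches any sequence, '?' a single character.
    if not case_sensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _as_list(x):
    return [x] if isinstance(x, str) else list(x)


def _condition_true(condition, context):
    # Only the two operators used on this page are modelled.
    for operator, pairs in condition.items():
        if operator not in ("StringLike", "StringNotLike"):
            raise NotImplementedError(operator)
        for key, patterns in pairs.items():
            value = context.get(key)
            hit = value is not None and any(_like(p, value) for p in _as_list(patterns))
            if operator == "StringLike" and not hit:
                return False
            if operator == "StringNotLike" and hit:
                return False
    return True


def _applies(stmt, action, resource, context):
    # Action names are case-insensitive; ARNs are case-sensitive.
    if not any(_like(a, action, case_sensitive=False) for a in _as_list(stmt["Action"])):
        return False
    if not any(_like(r, resource) for r in _as_list(stmt["Resource"])):
        return False
    principal = stmt.get("Principal", "*")
    if principal != "*" and context["aws:PrincipalArn"] not in _as_list(principal.get("AWS", [])):
        return False
    return _condition_true(stmt.get("Condition", {}), context)


def evaluate(action, resource, principal_arn, identity_policy, resource_policy=None):
    """Same-account decision: an explicit Deny in any policy wins; otherwise an
    Allow from either the identity policy or the resource policy grants access."""
    # For a Lambda execution role, aws:PrincipalArn is the role ARN itself,
    # not the assumed-role session ARN, so that is what the condition sees.
    context = {"aws:PrincipalArn": principal_arn}
    decision = "ImplicitDeny"
    for policy in filter(None, (identity_policy, resource_policy)):
        for stmt in policy["Statement"]:
            if not _applies(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision


if __name__ == "__main__":
    policy = build_resource_policy(SECRET_ARN, [ROLE_A])
    get = "secretsmanager:GetSecretValue"
    print("Lambda A:", evaluate(get, SECRET_ARN, ROLE_A, READ_WRITE_ALLOW, policy))   # Allow
    print("Lambda B:", evaluate(get, SECRET_ARN, ROLE_B, READ_WRITE_ALLOW, policy))   # ExplicitDeny
    # The Deny covers only GetSecretValue: role B keeps secretsmanager:* for the rest.
    print("Lambda B PutResourcePolicy:",
          evaluate("secretsmanager:PutResourcePolicy", SECRET_ARN, ROLE_B, READ_WRITE_ALLOW, policy))
```

The last case is the caveat to take from this: a Deny on GetSecretValue alone does not stop a role that already has secretsmanager:* from calling PutResourcePolicy or DeleteResourcePolicy to remove the restriction, or from rotating or overwriting the value. If the goal is a hard boundary, the Deny statement should list those actions too, or the roles should not carry a broad managed policy in the first place.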
