Lambda denied secret manager update

0

I have a lambda function that can read secrets just fine, but fails to update the secret with the newer token data. The error returns that the assumed execution role does not have the necessary rights to the secret to perform an update action. However, based on the IAM simulator, the role should be able to read/write the secret. So in summary, the policies appear to be setup correctly and attached to the execution role of the Lambda script. ARN's to the secrets are correct. I did not however, create a resource based policy for the secret itself as to my understanding, that is not required as long as the execution role policy has the required ARN's and rights.

1 Risposta
0

Hello.

What IAM policy is set for the IAM role configured on Lambda?
If you are using rotation to update secrets, you will need a policy called "secretsmanager:RotateSecret".
If you want to update as is, the policy "secretsmanager:UpdateSecret" is required.
https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html

profile picture
ESPERTO
con risposta un mese fa
  • So this script will eventually become the update script called by the rotation process, however, for testing I gave it full write permissions: Allow: secretsmanager:GetSecretValue Allow: secretsmanager:StopReplicationToReplica Allow: secretsmanager:ListSecretVersionIds Allow: secretsmanager:DeleteSecret Allow: secretsmanager:ReplicateSecretToRegions Allow: secretsmanager:RemoveRegionsFromReplication Allow: secretsmanager:DescribeSecret Allow: secretsmanager:PutSecretValue Allow: secretsmanager:UpdateSecretVersionStage Allow: secretsmanager:RestoreSecret Allow: secretsmanager:CreateSecret Allow: secretsmanager:UpdateSecret Allow: secretsmanager:CancelRotateSecret Allow: secretsmanager:GetResourcePolicy Allow: secretsmanager:RotateSecret

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Linee guida per rispondere alle domande