1回答
- 新しい順
- 投票が多い順
- コメントが多い順
1
Hello.
If you set the resource-based policy you created in SecretsManager, you will not be able to obtain secrets except from the ARN set in "Condition".
For example, create Lambda A and Lambda B with the Lambda code below.
Create separate IAM roles for Lambda A and Lambda B and set "SecretsManagerReadWrite" in the IAM policy.
Set the policy you created in Secrets Manager's resource-based policy and register only the ARN of Lambda A's IAM role.
Once configured, when you run Lambda, you can see that Lambda A succeeds in execution, but when you run Lambda B, it fails with an access denied error.
import boto3
from botocore.exceptions import ClientError
def lambda_handler(event, context):
get_secret()
def get_secret():
secret_name = "test1"
region_name = "ap-northeast-1"
# Create a Secrets Manager client
session = boto3.session.Session()
client = session.client(
service_name='secretsmanager',
region_name=region_name
)
try:
get_secret_value_response = client.get_secret_value(
SecretId=secret_name
)
except ClientError as e:
# For a list of exceptions thrown, see
# https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
raise e
secret = get_secret_value_response['SecretString']
print(secret)
Thank you. That works.