Based on the information provided, it appears that the issue is related to the Lambda function's inability to access the Secret Manager value. Here are a few points to consider and potential solutions:
- IAM Role Permissions: The IAM role associated with your Lambda function needs the correct permissions to access Secrets Manager. You have included the necessary 'secretsmanager:GetSecretValue' action in your policy, which is good. However, ensure that the resource ARN in your policy exactly matches the ARN of the secret you're trying to access.
- VPC Configuration: If your Lambda function is running in a VPC, it needs to be able to reach the Secrets Manager endpoint. You've mentioned that you've defined VPC endpoints, including one for Secrets Manager, which is a good step. Make sure that:
  - The Lambda function is configured to use the VPC where these endpoints are set up.
  - The security groups associated with your Lambda function allow outbound traffic to the Secrets Manager VPC endpoint.
- VPC Endpoint for Secrets Manager: Verify that the Secrets Manager VPC endpoint is properly configured:
  - Check that it's in the correct VPC and subnets.
  - Ensure its security group allows inbound HTTPS traffic from your Lambda function's security group.
- Lambda Function VPC Configuration: Make sure your Lambda function is configured to use the VPC. In your serverless.yml, you should have a VpcConfig section under each function that needs VPC access. It should look something like this:

```yaml
functions:
  Function1:
    ...
    vpcConfig:
      securityGroupIds:
        - sg-xxxxxxxxxxxxxxxxx
      subnetIds:
        - subnet-xxxxxxxxxxxxxxxxx
        - subnet-yyyyyyyyyyyyyyyyy
```

- Permissions Boundary: You're using a permissions boundary (PermissionsBoundary) in your IAM role. Ensure that this boundary policy doesn't restrict the actions needed for Secrets Manager access.
- Secret ARN: Double-check that the secret ARN in your error message matches exactly with the ARN you've specified in your IAM policy.
If you've verified all these points and are still encountering issues, you may want to:
- Check CloudWatch Logs for more detailed error messages from your Lambda function.
- Use AWS X-Ray tracing to identify where exactly the function is failing.
- Temporarily expand the IAM permissions (for testing purposes only) to see if it resolves the issue, which would confirm it's a permissions problem.
Remember to always follow the principle of least privilege when setting up IAM permissions in production environments.
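The two checks the answer above keeps coming back to (does the resource ARN really match, and does the permissions boundary also allow the action) can be reproduced locally. The following is an added example, not code from the original thread or from AWS: a minimal evaluator of the IAM rule that the effective permission is the intersection of the identity policy and the boundary, with explicit Deny winning in either. The secret ARN, account id and policies are constructed sample values.

```python
"""Local model of the IAM decision discussed above: an action on a resource is
permitted only if the identity policy allows it AND the permissions boundary
(when one is attached) allows it, and neither contains an explicit Deny.
Policies are plain dicts shaped like IAM policy JSON (constructed samples)."""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(statement, action, resource):
    """True if the statement's Action/Resource patterns cover the request.
    IAM wildcards (*, ?) are approximated with fnmatch; action case is ignored,
    resource ARNs are compared exactly apart from wildcards."""
    actions = [a.lower() for a in _as_list(statement.get("Action", []))]
    resources = _as_list(statement.get("Resource", []))
    return any(fnmatchcase(action.lower(), a) for a in actions) and \
        any(fnmatchcase(resource, r) for r in resources)


def _policy_decision(policy, action, resource):
    """Return 'Deny', 'Allow' or 'Implicit' for one policy document."""
    decision = "Implicit"
    for statement in policy.get("Statement", []):
        if _matches(statement, action, resource):
            if statement["Effect"] == "Deny":
                return "Deny"          # explicit deny always wins
            decision = "Allow"
    return decision


def is_allowed(identity_policy, action, resource, boundary=None):
    """Combine the role's identity policy with an optional permissions boundary."""
    if _policy_decision(identity_policy, action, resource) != "Allow":
        return False
    if boundary is not None and _policy_decision(boundary, action, resource) != "Allow":
        return False                   # boundary never grants, it only limits
    return True


# Constructed sample values. Secrets Manager appends a six-character suffix to
# secret ARNs, so "prod/db" alone would not match this secret.
SECRET_ARN = "arn:aws:secretsmanager:ap-northeast-1:123456789012:secret:prod/db-AbCdEf"
ROLE_POLICY = {"Statement": [{"Effect": "Allow",
                              "Action": "secretsmanager:GetSecretValue",
                              "Resource": SECRET_ARN}]}
# A boundary that never mentions Secrets Manager blocks the role policy above.
NARROW_BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
# A boundary that covers the action lets the role policy take effect.
WIDE_BOUNDARY = {"Statement": [{"Effect": "Allow",
                                "Action": ["s3:*", "secretsmanager:GetSecretValue"],
                                "Resource": "*"}]}
```

Against a real account the same combination, boundary included, can be checked with `simulate_principal_policy` on the IAM client in boto3, passing the role ARN, the action and the secret ARN from the error message.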
Hello.
The permission boundary is set in the template as shown below, but what kind of settings are made in this permission boundary?
Looking at the policy set for the IAM role, "secretsmanager:GetSecretValue" is allowed and should be accessible, so the error is probably due to permission boundaries.
Please delete the permission boundary or check if the permission boundary is set to allow "secretsmanager:GetSecretValue".
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
```yaml
PermissionsBoundary: arn:aws:iam::${aws:accountId}:policy/ABC/sampleCompanyPermissionsBoundary
```
Hi,
Please check whether the IAM role is active and can see Secrets Manager, and also check whether you only need to get the secret or other things as well. Also, these issues happen if the Lambda works without a VPC.