no identity-based policy allows the secretsmanager:GetSecretValue action

0

Apologies in advance if I'm doing something dumb. I'm super new to AWS and Docker, have only started learning them this week, and this is my first attempt at making a function via a Docker image.

I created an image and a function in AWS Lambda but trying to run it gives me an error:

{
  "errorMessage": "An error occurred (AccessDeniedException) when calling the GetSecretValue operation: User: <user_here> is not authorized to perform: secretsmanager:GetSecretValue on resource: <resource_here> because no identity-based policy allows the secretsmanager:GetSecretValue action",
  "errorType": "ClientError",
  "requestId": "ccfb336b-2383-4b3f-8525-98ff213032bf",
  "stackTrace": [
    "  File \"/var/task/app.py\", line 85, in lambda_handler\n    secret = get_secret()\n",
    "  File \"/var/task/app.py\", line 30, in get_secret\n    raise e\n",
    "  File \"/var/task/app.py\", line 26, in get_secret\n    get_secret_value_response = client.get_secret_value(SecretId=secret_name)\n",
    "  File \"/var/runtime/botocore/client.py\", line 391, in _api_call\n    return self._make_api_call(operation_name, kwargs)\n",
    "  File \"/var/runtime/botocore/client.py\", line 719, in _make_api_call\n    raise error_class(parsed_response, operation_name)\n"
  ]
}

Here's some of my template.yaml (replaced some stuff with <> but the key definitely exists and works):

    Properties:
      PackageType: Image
      Architectures:
      - x86_64
      Policies:
        - AWSSecretsManagerGetSecretValuePolicy:
            SecretArn: arn:aws:secretsmanager:<region_here>:<account_here>:secret:<path>/google-api-key-??????

I watched a bunch of videos like this one to create a role with the policy to read the secrets https://www.youtube.com/watch?v=bZCFxueebVQ and read a bunch of SO posts, but still can't get it to work :(

Here's a list of actions for that key as it appears in the function settings:

Allow: secretsmanager:GetResourcePolicy
Allow: secretsmanager:GetSecretValue
Allow: secretsmanager:DescribeSecret
Allow: secretsmanager:ListSecretVersionIds

Edit: I looked through the logs, and for some reason the logs only go back to around noon, even though I've run the function multiple times since, especially after changing the role. Yet the logs still only show the previous role:

[ERROR] ClientError: An error occurred (AccessDeniedException) when calling the GetSecretValue operation: User: arn:aws:sts::<user>:assumed-role/<old_role_here>/<my_function> is not authorized to perform: secretsmanager:GetSecretValue on resource: <secret_path> because no identity-based policy allows the secretsmanager:GetSecretValue action

That makes me think it never updated the role... But it does show it in the function settings. So confused...

Edit 2: Made a new function with the new role that has a policy to read the secret. Tried running the function. Still the same error. Went to read the logs. Got an error "Log group doesn't exist".

Even more confused...

1 Answer
0

Hello,

Can you confirm whether the role accessing the secret has the permission defined in its IAM policy? The error message seems to be a permission issue.

AWS
Adeyini
answered a year ago
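The answer's suggestion is to confirm that the role the function actually runs under has secretsmanager:GetSecretValue on that secret's ARN. The AccessDeniedException text already tells you which role was used (the arn:aws:sts::...:assumed-role/<role>/<session> principal), and the SAM policy template AWSSecretsManagerGetSecretValuePolicy expands to an Allow statement for that one action on the SecretArn you pass it. Two details commonly make such a statement fail to match: a Secrets Manager ARN always ends in a hyphen plus six random characters, so a Resource that names the secret without that suffix (or without a trailing wildcard) does not match it, and IAM treats `*` and `?` in a Resource as wildcards, so a Resource ending in `??????` does match six arbitrary characters. The script below is an added example, not code from the question, the answer or AWS; it evaluates an identity-based policy document locally with those wildcard semantics (Condition blocks are not supported and are rejected rather than ignored) and pulls the role name out of the principal ARN so it can be compared with the role shown in the function settings. All ARNs, policy documents and the account ID 123456789012 are constructed for the example.

```python
"""Local check of identity-based IAM policy statements against a Secrets Manager call.

Added example: simplified IAM evaluation (Effect/Action/Resource only, no Condition,
no NotAction/NotResource, no resource policies or permissions boundaries).
"""
import re

# Constructed sample values; the real ARN ends in a random six-character suffix.
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/google-api-key-AbCdEf"

# What AWSSecretsManagerGetSecretValuePolicy produces, with a '??????' wildcard for the suffix.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "secretsmanager:GetSecretValue",
        "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/google-api-key-??????",
    }],
}

# Same statement but the Resource omits the random suffix, so it names no existing secret.
NO_SUFFIX_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "secretsmanager:GetSecretValue",
        "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/google-api-key",
    }],
}

# An explicit Deny on the same secret overrides any Allow.
DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": GOOD_POLICY["Statement"] + [{
        "Effect": "Deny",
        "Action": "secretsmanager:*",
        "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/*",
    }],
}


def _iam_regex(pattern, case_insensitive):
    """Translate IAM wildcards: '*' matches any run of characters, '?' exactly one."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(f"^{body}$", re.IGNORECASE if case_insensitive else 0)


def _matches(patterns, value, case_insensitive):
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(_iam_regex(p, case_insensitive).match(value) for p in patterns)


def evaluate(policy, action, resource):
    """Return 'allow', 'explicit_deny' or 'implicit_deny' for one identity-based policy.

    Action names are compared case-insensitively, resource ARNs case-sensitively.
    An explicit Deny wins over any Allow; no matching Allow is an implicit deny, which is
    what "no identity-based policy allows the ... action" in the error text means.
    """
    decision = "implicit_deny"
    for stmt in policy.get("Statement", []):
        if "Condition" in stmt or "NotAction" in stmt or "NotResource" in stmt:
            raise ValueError("statement uses elements this simplified evaluator does not model")
        if not _matches(stmt.get("Action", []), action, case_insensitive=True):
            continue
        if not _matches(stmt.get("Resource", []), resource, case_insensitive=False):
            continue
        if stmt.get("Effect") == "Deny":
            return "explicit_deny"
        if stmt.get("Effect") == "Allow":
            decision = "allow"
    return decision


def role_from_principal(principal_arn):
    """Extract the role name from the assumed-role ARN quoted in an AccessDeniedException."""
    m = re.match(r"^arn:aws:sts::\d{12}:assumed-role/([^/]+)/[^/]+$", principal_arn)
    return m.group(1) if m else None


if __name__ == "__main__":
    action = "secretsmanager:GetSecretValue"
    for name, policy in [("good", GOOD_POLICY), ("no-suffix", NO_SUFFIX_POLICY), ("deny", DENY_POLICY)]:
        print(f"{name:10s} {action} on {SECRET_ARN}: {evaluate(policy, action, SECRET_ARN)}")
    # Constructed principal in the shape of the one in the question's log line.
    print(role_from_principal("arn:aws:sts::123456789012:assumed-role/old-role/my-function"))
```

If the role name recovered from the error's principal is not the role shown in the function configuration, the invocation ran under a different role than the one you edited, which is the situation the question's log excerpt describes. If it is the same role, then the statement attached to it has to match the full ARN including the six-character suffix (or a `*`/`?` wildcard covering it), as the no-suffix case above shows.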
