Using AWS Tools for PowerShell in a PowerShell Lambda


Hello, I am encountering a huge roadblock performing the most basic AWS tasks within a PowerShell Lambda. I have created a role with secretsmanager and basic lambda execute permissions. Created a test secret. Created a one-liner PowerShell Lambda with Get-SECSecretValue to retrieve the test key value. No VPC is assigned to the lambda; from what I understand, this is not needed for a simple internal service call. The command executes, and then hangs. Both the lambda and secret are in the same region, same account. I have tried to get the lambda to access various other services, all unsuccessfully. To add further datapoints, I created a Python lambda that does the same thing, accessing the same secret. Used the same role and did not select a VPC. This lambda has no issues whatsoever retrieving the key.

Could really use some help here, being able to retrieve a secret is mission critical to this project. Unfortunately I can't convert the scripts to Python (Thanks Microsoft).

I could use another python lambda to retrieve the secrets and pass them to the initiating lambda, but that seems a bit excessive, and I don't even know if I can trigger a lambda from the PS one, since I can't seem to connect to any AWS services.

  • Did you check the CloudWatch log? Did you try the CLI with the debug option? You can run PowerShell from AWS SSM as well.

asked 2 years ago, 840 views
1 Answer

This should be working without any issues, if configured correctly.

You could leverage the AWS Lambda Developer Guide - there is an example of setting up a basic infrastructure for a PowerShell Lambda (the link above points directly to that example).

Following the steps in the guide, you get an AWS Lambda with the .NET Core 3.1 (C#/PowerShell) runtime and some basic cmdlets as an example.

To test your use case, I manually created a simple secret in the AWS Secrets Manager with a secret ID test-secret. I used the DefaultEncryptionKey and no additional options. I placed the secret in the same region where my Lambda function resides (eu-west-1 in my case).

In the Lambda function, I call the AWS API as follows:

$secret = Get-SECSecretValue -SecretId test-secret
Write-Host $secret.SecretString

To allow AWS Lambda to access my newly created secret, I extended the already pre-configured Lambda execution role with an inline policy (here, I anonymized some values with *):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "MySecretAccess",
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "arn:aws:secretsmanager:eu-west-1:************:secret:test-secret-******"
        }
    ]
}

So this immediately worked out of the box; here is my CloudWatch log for this function call:

Importing module ./Modules/AWSPowerShell.NetCore/3.3.618.0/AWSPowerShell.NetCore.psd1
[Information] - {"test-secret":"TEST_SECRET_VALUE"}

Please try the steps from the guide I mentioned above and see if this works for you. If it still doesn't, I'm happy to help, but please take a look at your CloudWatch logs and also make sure your deployment works.

AWS
answered 2 years ago
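As an added example (not code from the Developer Guide, the answer above, or AWS's own samples), here is a complete handler script for the kind of PowerShell Lambda the answer describes. It assumes the script is named GetSecret.ps1, that the secret is a JSON key/value document like the one in the answer's log, that the execution role carries the secretsmanager:GetSecretValue policy shown above, and that the module version pinned in the #Requires line matches the version installed where Publish-AWSPowerShellLambda runs (the version shown is a placeholder). It differs from the answer's one-liner in one deliberate way: it logs the secret's ARN and version to CloudWatch, not its value, since Write-Host output is readable by anyone who can read the function's log group.

```powershell
# GetSecret.ps1 (hypothetical file name) - added example, not the guide's or the answer's code.
# The module version below is a placeholder: pin the version that is actually installed,
# because Publish-AWSPowerShellLambda bundles that exact version into the deployment package.
#Requires -Modules @{ModuleName='AWS.Tools.SecretsManager';ModuleVersion='4.1.0'}

# $LambdaInput (the parsed event) and $LambdaContext are injected by the PowerShell
# Lambda runtime. Let the event pick the secret, defaulting to the answer's 'test-secret'.
$secretId = 'test-secret'
if ($LambdaInput -and $LambdaInput.SecretId) { $secretId = $LambdaInput.SecretId }

# Region and credentials come from the execution environment (AWS_REGION and the
# execution role's temporary credentials), so no -Region or -ProfileName is passed.
# -ErrorAction Stop makes an AccessDenied or ResourceNotFound a terminating error,
# so the catch block runs instead of the script carrying on with $secret = $null.
try {
    $secret = Get-SECSecretValue -SecretId $secretId -ErrorAction Stop
}
catch {
    Write-Host "GetSecretValue for '$secretId' failed: $($_.Exception.Message)"
    throw
}

# Log metadata only. SecretString is never written to the host stream, because
# Write-Host output lands in CloudWatch Logs.
Write-Host "Retrieved $($secret.ARN) (version $($secret.VersionId), created $($secret.CreatedDate))"

# The value is a JSON document such as {"test-secret":"..."}; parse it and keep the
# fields in memory for the rest of the script. Only the field names are logged.
$payload    = $secret.SecretString | ConvertFrom-Json
$fieldNames = @($payload.PSObject.Properties | ForEach-Object Name)
Write-Host "Secret has fields: $($fieldNames -join ', ')"

# The last object written to the pipeline is serialised as the function's JSON response.
[PSCustomObject]@{
    SecretArn  = $secret.ARN
    VersionId  = $secret.VersionId
    FieldCount = $fieldNames.Count
}
```

When you invoke the function with a test event such as {"SecretId": "test-secret"}, the CloudWatch log should show the module import line followed by the "Retrieved arn:aws:secretsmanager:..." message (the runtime adds its own [Information] prefix to Write-Host output), and the response is the small object at the end. If the call fails for a permissions reason, the thrown error message names the denied action and the secret ARN, which is what to compare against the inline policy's Resource entry.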
  • Following the Developer Guide, I created a basic lambda and modified the code as such:

    #Requires -Modules @{ModuleName='AWS.Tools.SecretsManager';ModuleVersion=''}
    write-host(Get-SECSecretValue -SecretId "TestKeys" -verbose)

    Execution role has been extended with:

    "Effect": "Allow", "Action": "secretsmanager:", "Resource": "arn:aws:secretsmanager:us-east-1:*****************:secret:TestKeys-*********"

  • CloudWatch log:

    2022-02-22T13:39:29.043-06:00 START RequestId: {task guid} Version: $LATEST
    2022-02-22T13:39:29.047-06:00 Importing module ./Modules/AWS.Tools.Common/ Importing module ./Modules/AWS.Tools.SecretsManager/
    2022-02-22T13:39:29.964-06:00 [Verbose] - Invoking AWS Secrets Manager operation 'GetSecretValue' in region 'us-east-1'
    2022-02-22T13:39:59.077-06:00 END RequestId: {task guid}
    2022-02-22T13:39:59.077-06:00 REPORT RequestId: {task guid} Duration: 30030.73 ms Billed Duration: 30000 ms Memory Size: 512 MB Max Memory Used: 161 MB Init Duration: 2328.03 ms
    2022-02-22T13:39:59.077-06:00 2022-02-22T19:39:59.075Z {task guid} Task timed out after 30.03 seconds

  • I had been following the documentation here: In changing from the module import "AWS.Tools.Common" to the older "AWSPowerShell.NetCore", I now get an SSL error: "The remote certificate is invalid according to the validation procedure." How am I getting SSL cert errors when I'm not even using external services? I am initiating the lambda via the Test function, and I have used the CLI to invoke it with the same results.
