assumed-role cannot access secret manager

0

Hi,

I have an IAM role - <role_name>, for an AWS Lambda function. This IAM role has a policy attached to it:

{
    "Statement": [
        {
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:kms:us-east-2:<account_id>:key/<key_id>",
            "Sid": "kms"
        },
        {
            "Action": "secretsmanager:GetSecretValue",
            "Effect": "Allow",
            "Resource": "arn:aws:secretsmanager:us-east-2:<account_id>:secret:<secret_name>-<some_randomstuff>",
            "Sid": "secretsmanager"
        }
    ],
    "Version": "2012-10-17"
}

In the Lambda function code, I try to get the secret value using Python like:

import json
from aws_lambda_powertools.utilities import parameters

# get_secret returns the secret string; the stored value is a JSON document
secret = json.loads(parameters.get_secret("<secret_name>"))

And in the output I'm getting this error:

[ERROR] GetParameterError: An error occurred (AccessDeniedException) when calling the GetSecretValue operation: User: arn:aws:sts::<account_id>:assumed-role/<role_name>/<role_name> is not authorized to perform: secretsmanager:GetSecretValue on resource: <secret_name> because no identity-based policy allows the secretsmanager:GetSecretValue action

What could be the issue? The role has a policy that allows this role to "GetSecretValue" on <secret_arn>, but the assumed-role IAM identity cannot access it (if the error message is to be believed and is not misleading).

Thanks.
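An added example (not from the question or either answer): an offline approximation of the identity-policy evaluation behind the "no identity-based policy allows ..." message, run against a constructed policy of the same shape as the one posted. It models only Allow/Deny with Action/Resource wildcard matching, not conditions, permissions boundaries, SCPs or the KMS key policy; for a live check use the IAM policy simulator (iam:SimulatePrincipalPolicy). All account IDs, ARNs and secret names are constructed.

```python
import json
import re

def _glob_match(pattern: str, value: str) -> bool:
    """IAM wildcard matching: '*' matches any run, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None

def _as_list(v):
    return [v] if isinstance(v, str) else list(v or [])

def evaluate(policy: dict, action: str, resource_arn: str):
    """(verdict, matching Sids): Deny beats Allow, no match is ImplicitDeny."""
    verdict, sids = "ImplicitDeny", []
    for stmt in policy["Statement"]:
        # Actions compare case-insensitively, resource ARNs case-sensitively.
        acts = [a.lower() for a in _as_list(stmt.get("Action"))]
        if not any(_glob_match(a, action.lower()) for a in acts):
            continue
        if not any(_glob_match(r, resource_arn) for r in _as_list(stmt.get("Resource"))):
            continue
        sids.append(stmt.get("Sid", "<no Sid>"))
        if stmt["Effect"] == "Deny":
            return "Deny", sids
        verdict = "Allow"
    return verdict, sids

# Constructed values (not from the post). SECRET_ARN is the form that
# secretsmanager:DescribeSecret returns; the 6-character suffix is part of it.
ACCOUNT = "111122223333"
SECRET_ARN = f"arn:aws:secretsmanager:us-east-2:{ACCOUNT}:secret:prod/db-creds-AbCdEf"
KEY_ARN = f"arn:aws:kms:us-east-2:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "kms", "Effect": "Allow", "Action": ["kms:Encrypt", "kms:Decrypt"],
     "Resource": KEY_ARN},
    {"Sid": "secretsmanager", "Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
     # Suffix copied wrongly, so the statement never matches the real secret ARN.
     "Resource": f"arn:aws:secretsmanager:us-east-2:{ACCOUNT}:secret:prod/db-creds-XyZ123"}]}

def fixed_policy(policy: dict) -> dict:
    """Same policy with the secret's random suffix replaced by a wildcard."""
    fixed = json.loads(json.dumps(policy))  # deep copy
    for stmt in fixed["Statement"]:
        if stmt.get("Sid") == "secretsmanager":
            stmt["Resource"] = stmt["Resource"].rsplit("-", 1)[0] + "-*"
    return fixed

if __name__ == "__main__":
    for name, pol in (("as posted", POLICY), ("with -* suffix", fixed_policy(POLICY))):
        print(name, evaluate(pol, "secretsmanager:GetSecretValue", SECRET_ARN))
```

Even when the identity policy matches, decrypting the secret still requires the KMS key policy to allow the role, which this offline check does not cover.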

2 Answers
0

Ensure your Lambda execution role also has kms:Decrypt for the key used to encrypt the secret.

EXPERT
answered 13 days ago
AWS EXPERT
reviewed 13 days ago
  • Good point, added another statement to the allowing policy, but sadly it did not help.

0

Another thing to take into consideration is the accounts: whether this is a cross-account situation or not. Anyway, the first thing that I would check is the key policy you have attached to the KMS key. It's not enough to provide permissions to the principal executing the Lambda function. You also need to allow usage by that principal in the KMS key policy. In the KMS key policy you can give permissions to all the principals in one account to use it, or just to specific principals.

Here you have examples: https://docs.aws.amazon.com/dms/latest/userguide/security_iam_resource-based-policy-examples.html

To be more precise for your use case you would need something like this:

{
  "Sid": "Allow use of the key",
  "Effect": "Allow",
  "Principal": {
    "AWS": [
      "arn:aws:iam::987654321098:role/<your-lambda-role>"
    ]
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "*"
}

Hope this helps,

Best.

AWS
answered 13 days ago
