I followed the instructions in this guide: https://docs.aws.amazon.com/solutions/latest/serverless-image-handler/architecture-details.html#image-url-signature
The solution works for public images in my S3 bucket, however, I need to make also protected images work. I have tried editing the template with these changes:
- Enable Signature -> Yes
- SecretsManager Secret -> my-secret
- SecretsManager Key -> my-key
When I submit the changes, it fails. The logs show me this error:
ERROR AWS Secrets Manager secret or signature might not exist: my-secret/my-key
INFO Received event: {
"RequestType": "Create",
"ServiceToken": "arn:aws:lambda:us-east-1:081638151084:function:ServerlessImageHandler-CommonResourcesCustomResour-xbxoDZtFxCNH",
"ResponseURL": "https://cloudformation-custom-resource-response-useast1.s3.amazonaws.com/arn%3Aaws%3Acloudformation%3Aus-east-1%3A081638151084%3Astack/ServerlessImageHandler/34f1bd70-4085-11ee-ab17-0eb5866a32df%7CCommonResourcesCustomResourcesCustomResourceCheckSecretsManagerAEEEC776%7Ce9798850-6ac9-4edd-bcf5-4e53deb62d22?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20230916T010945Z&X-Amz-SignedHeaders=host&X-Amz-Expires=7200&X-Amz-Credential=AKIA6L7Q4OWT4KI6JZ7U%2F20230916%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=dee2a6fd4b82133bb800a8611cd9a1f8bf0f4d6257b9035c1c6207a6ec9b5b92",
"StackId": "arn:aws:cloudformation:us-east-1:081638151084:stack/ServerlessImageHandler/34f1bd70-4085-11ee-ab17-0eb5866a32df",
"RequestId": "e9798850-6ac9-4edd-bcf5-4e53deb62d22",
"LogicalResourceId": "CommonResourcesCustomResourcesCustomResourceCheckSecretsManagerAEEEC776",
"ResourceType": "AWS::CloudFormation::CustomResource",
"ResourceProperties": {
"ServiceToken": "arn:aws:lambda:us-east-1:081638151084:function:ServerlessImageHandler-CommonResourcesCustomResour-xbxoDZtFxCNH",
"SecretsManagerKey": "my-key",
"CustomAction": "checkSecretsManager",
"SecretsManagerName": "my-secret"
}
}
My secret and key have uppercase and lowercase alpha characters, numbers, and as non-alphanumeric I use ".", "-", "_", "@", "+". Those are valid characters for Secrets Manager, right?
I also added the SecretsManagerReadWrite policy to the ServerlessImageHandler-CommonResourcesCustomResour-xxxx role.
What am I missing?
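An offline preflight check for the two things the `checkSecretsManager` custom resource depends on, added here as an illustration and not part of the original post or of the Serverless Image Handler code. It assumes (as I understand the solution) that the "SecretsManager Secret" parameter is the secret's name and that the secret's value must be a JSON object whose key named by "SecretsManager Key" holds the signing secret; a plaintext secret value, or a JSON object without that key, reproduces the "secret or signature might not exist" outcome. The secret name character set is the one AWS documents for Secrets Manager (ASCII letters, digits and `/_+=.@-`). The sample secret strings are constructed; nothing here calls AWS.

```python
import json
import re
from typing import Optional

# Characters AWS Secrets Manager accepts in a secret name: ASCII letters,
# digits and the symbols / _ + = . @ -  (length 1..512).
SECRET_NAME_RE = re.compile(r"^[A-Za-z0-9/_+=.@-]{1,512}$")


def secret_name_is_valid(name: str) -> bool:
    """True when the secret name uses only characters Secrets Manager allows."""
    return SECRET_NAME_RE.fullmatch(name) is not None


def find_signing_key(secret_string: str, key: str) -> Optional[str]:
    """Look up `key` in a secret value the way a JSON key/value secret is read.

    Returns the signing secret, or None when the value is not a JSON object
    or does not contain a non-empty entry for `key` (assumption: this is
    what the solution's check requires).
    """
    try:
        payload = json.loads(secret_string)
    except json.JSONDecodeError:
        return None  # plaintext secret value: no key to look up
    if not isinstance(payload, dict):
        return None
    value = payload.get(key)
    if not isinstance(value, str) or not value:
        return None
    return value


def diagnose(secret_name: str, key: str, secret_string: str) -> str:
    """Return a short verdict for the secret name / key / stored value triple."""
    if not secret_name_is_valid(secret_name):
        return "invalid-secret-name"
    if find_signing_key(secret_string, key) is None:
        return "key-not-found"
    return "ok"


# Constructed sample secret values (not real secrets).
SAMPLES = {
    # Stored as plaintext: no JSON object, so no key can be found.
    "plaintext": "S3cr3t-Value",
    # JSON object, but keyed under a different name than the one configured.
    "wrong-key": json.dumps({"other-key": "S3cr3t-Value"}),
    # JSON object keyed exactly as the SecretsManager Key parameter.
    "matching": json.dumps({"my-key": "S3cr3t-Value"}),
}


def run_samples(secret_name: str = "my-secret", key: str = "my-key") -> dict:
    """Diagnose every constructed sample; returns {sample name: verdict}."""
    return {label: diagnose(secret_name, key, value) for label, value in SAMPLES.items()}


if __name__ == "__main__":
    for label, verdict in run_samples().items():
        print(f"{label:10s} -> {verdict}")
```

Run it against a copy of your real secret string (from the console's "Retrieve secret value" view or `aws secretsmanager get-secret-value`) to see which of the three cases applies before redeploying the stack; the IAM policy only matters once the lookup itself can succeed.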