How can I modify the Serverless Image Handler template to work with protected images in my S3 bucket?

I followed the instructions in this guide: https://docs.aws.amazon.com/solutions/latest/serverless-image-handler/architecture-details.html#image-url-signature

The solution works for public images in my S3 bucket, however, I need to make also protected images work. I have tried editing the template with these changes:

Enable Signature -> Yes
SecretsManager Secret -> my-secret
SecretsManager Key -> my-key

When I submit the changes, it fails. The logs show me this error:

ERROR	AWS Secrets Manager secret or signature might not exist: my-secret/my-key
INFO	Received event: {
    "RequestType": "Create",
    "ServiceToken": "arn:aws:lambda:us-east-1:081638151084:function:ServerlessImageHandler-CommonResourcesCustomResour-xbxoDZtFxCNH",
    "ResponseURL": "https://cloudformation-custom-resource-response-useast1.s3.amazonaws.com/arn%3Aaws%3Acloudformation%3Aus-east-1%3A081638151084%3Astack/ServerlessImageHandler/34f1bd70-4085-11ee-ab17-0eb5866a32df%7CCommonResourcesCustomResourcesCustomResourceCheckSecretsManagerAEEEC776%7Ce9798850-6ac9-4edd-bcf5-4e53deb62d22?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20230916T010945Z&X-Amz-SignedHeaders=host&X-Amz-Expires=7200&X-Amz-Credential=AKIA6L7Q4OWT4KI6JZ7U%2F20230916%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=dee2a6fd4b82133bb800a8611cd9a1f8bf0f4d6257b9035c1c6207a6ec9b5b92",
    "StackId": "arn:aws:cloudformation:us-east-1:081638151084:stack/ServerlessImageHandler/34f1bd70-4085-11ee-ab17-0eb5866a32df",
    "RequestId": "e9798850-6ac9-4edd-bcf5-4e53deb62d22",
    "LogicalResourceId": "CommonResourcesCustomResourcesCustomResourceCheckSecretsManagerAEEEC776",
    "ResourceType": "AWS::CloudFormation::CustomResource",
    "ResourceProperties": {
        "ServiceToken": "arn:aws:lambda:us-east-1:081638151084:function:ServerlessImageHandler-CommonResourcesCustomResour-xbxoDZtFxCNH",
        "SecretsManagerKey": "my-key",
        "CustomAction": "checkSecretsManager",
        "SecretsManagerName": "my-secret"
    }
}

My secret and key have uppercase and lowercase alpha characters, numbers, and as non-alphanumeric I use ".", "-", "_", "@", "+". Those are valid characters for Secrets<anager, right?

I also added the SecretsManagerReadWrite policy to the ServerlessImageHandler-CommonResourcesCustomResour-xxxx role..

What am I missing?

Topics

Management & Governance Security, Identity, & Compliance

Relevant content

Unable to make it work for multiple S3 buckets AWS Serverless Image Handler
JVM
asked 8 months ago
How to display images from S3 bucket in AWS Pinpoint email templates?
AWS-User-2130413
asked 2 years ago
Serverless Image Handler extraction for cropping an image
rePost-User-3035378
asked a year ago
How can I get Cloudfront to access an image stored in a different S3 bucket
Sarah
asked 3 months ago
How can I update the WorkSpace image in a custom bundle?
AWS OFFICIALUpdated 2 years ago
What are the differences between working with custom images and BYOL images in WorkSpaces?
AWS OFFICIALUpdated 2 years ago
How do I resolve circular dependencies with AWS Serverless Application Model (SAM) templates in CloudFormation?
AWS OFFICIALUpdated 3 years ago
How can I secure the files in my Amazon S3 bucket?
AWS OFFICIALUpdated 4 months ago
Building Security Conscious Video Streaming Infrastructure on AWS, Lesson 2: Protect Your Buckets
EXPERT
BCole2019
published 6 months ago
A Guide to Understanding and Streamlining the DMCA Process
EXPERT
Ben Lee
published 4 months ago