Lambda denied secret manager update

0

I have a lambda function that can read secrets just fine, but fails to update the secret with the newer token data. The error returns that the assumed execution role does not have the necessary rights to the secret to perform an update action. However, based on the IAM simulator, the role should be able to read/write the secret. So in summary, the policies appear to be setup correctly and attached to the execution role of the Lambda script. ARN's to the secrets are correct. I did not however, create a resource based policy for the secret itself as to my understanding, that is not required as long as the execution role policy has the required ARN's and rights.

1 Answer
0

Hello.

What IAM policy is set for the IAM role configured on Lambda?
If you are using rotation to update secrets, you will need a policy called "secretsmanager:RotateSecret".
If you want to update as is, the policy "secretsmanager:UpdateSecret" is required.
https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html

profile picture
EXPERT
answered 6 months ago
  • So this script will eventually become the update script called by the rotation process, however, for testing I gave it full write permissions: Allow: secretsmanager:GetSecretValue Allow: secretsmanager:StopReplicationToReplica Allow: secretsmanager:ListSecretVersionIds Allow: secretsmanager:DeleteSecret Allow: secretsmanager:ReplicateSecretToRegions Allow: secretsmanager:RemoveRegionsFromReplication Allow: secretsmanager:DescribeSecret Allow: secretsmanager:PutSecretValue Allow: secretsmanager:UpdateSecretVersionStage Allow: secretsmanager:RestoreSecret Allow: secretsmanager:CreateSecret Allow: secretsmanager:UpdateSecret Allow: secretsmanager:CancelRotateSecret Allow: secretsmanager:GetResourcePolicy Allow: secretsmanager:RotateSecret

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions