Lambda created using Terraform is not authorized to perform: secretsmanager:GetSecretValue

0

I am trying to access my AWS RDS from a Lambda function using IAM authentication. I have stored the secrets using Secrets Manager. I am using Terraform to provision all the services. I am getting the following error:

```
software.amazon.awssdk.services.secretsmanager.model.SecretsManagerException: User: arn:aws:sts::<myaccount>:assumed-role/poc-da37e8d3/poc-forms-da37e8d3 is not authorized to perform: secretsmanager:GetSecretValue because no identity-based policy allows the secretsmanager:GetSecretValue action (Service: SecretsManager, Status Code: 400, Request ID: 915700aa-bbc2-49c8-8082-af6635642755)
org.springframework.web.util.NestedServletException: Request processing failed; nested exception is software.amazon.awssdk.services.secretsmanager.model.SecretsManagerException: User: arn:aws:sts::<myaccount>:assumed-role/poc-da37e8d3/poc-forms-da37e8d3 is not authorized to perform: secretsmanager:GetSecretValue because no identity-based policy allows the secretsmanager:GetSecretValue action (Service: SecretsManager, Status Code: 400, Request ID: 915700aa-bbc2-49c8-8082-af6635642755)
```

Can anyone please help me to resolve this issue?

My Terraform code snippet:

```hcl
module "my_lambda" {
  source         = "git::https://bitbucket.<mydomain>.com/scm/<info>/aws-lambda.git"
  id             = local.id
  name           = "${var.name}-mylmbda"
  description    = "Lambda"
  handler_prefix = "com.my_forms_api"
  handler_suffix = "ApiHandler::handleRequest"

  source_folder_zip_dir  = "${path.module}/app/src/forms-api.zip"
  runtime                = "java11"
  timeout                = 30
  memory_size            = 1024
  vpc_subnet_ids         = var.vpc_subnet_ids
  vpc_security_group_ids = var.vpc_security_group_ids
  environment_variables = {
    secret_name = data.aws_secretsmanager_secret.secretkey.name
  }
  invoke_function_permission = [{
    "apigateway.amazonaws.com" = "arn:aws:execute-api:${local.region}:${local.account_id}:${module.aws_api_gateway.id}/*/*/*"
  }]

  use_existing_role = true
  existing_role_arn = module.lambda_role.arn
  tags              = local.tags
}

module "lambda_role" {
  source             = "git::https://bitbucket.<mydomain>.com/scm/<info>/iam-role.git"
  assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
  id                 = local.id
  name               = var.name
  description        = "IAM role for lambda."
  inline_policy_docs = [data.aws_iam_policy_document.lambda_execution_policy.json]
  tags               = local.tags
}

data "aws_iam_policy_document" "assume_role_policy" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

data "aws_iam_policy_document" "lambda_execution_policy" {
  statement {
    actions   = ["rds-db:connect"]
    effect    = "Allow"
    resources = ["arn:aws:rds-db:${local.region}:${local.account_id}:dbuser:${var.dbresourceid}/${var.dbuser}"]
  }

  statement {
    actions = [
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:PutLogEvents",
    ]
    effect    = "Allow"
    resources = ["arn:aws:logs:*:*:*"]
  }

  statement {
    actions = [
      "ec2:CreateNetworkInterface",
      "ec2:DeleteNetworkInterface",
      "ec2:DescribeNetworkInterfaces",
    ]
    effect    = "Allow"
    resources = ["*"]
  }

  statement {
    actions = [
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:PutLogEvents",
      "ec2:CreateNetworkInterface",
      "ec2:DescribeNetworkInterfaces",
      "ec2:DeleteNetworkInterface",
      "ec2:AssignPrivateIpAddresses",
      "ec2:UnassignPrivateIpAddresses",
    ]
    effect    = "Allow"
    resources = ["*"]
  }

  statement {
    actions = [
      "secretsmanager:GetResourcePolicy",
      "secretsmanager:GetSecretValue",
      "secretsmanager:DescribeSecret",
      "secretsmanager:ListSecretVersionIds",
    ]
    effect    = "Allow"
    resources = ["arn:aws:secretsmanager:${local.region}:${local.account_id}:secret:${var.secretname_arn}"]
  }
}

data "aws_secretsmanager_secret" "secretkey" {
  arn = "arn:aws:secretsmanager:${local.region}:${local.account_id}:secret:${var.secretname_arn}"
}
```

3 Answers
1

The error message indicates that the role used by the Lambda function doesn't have the "secretsmanager:GetSecretValue" permission.

You may want to check for the following:

1. In the role attached to the Lambda function, check that the action "secretsmanager:GetSecretValue" is allowed for the Secrets Manager secret it is trying to access. Looking at the code snippet, this seems to be configured, but double-check. Here is a sample permission.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "SecretARN"
    }
  ]
}
```

2. In Secrets Manager, check the resource policy attached to the secret. It should allow "secretsmanager:GetSecretValue". Here is a sample permission.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/MyRole"
      },
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "*"
    }
  ]
}
```

3. Finally, if the secret is encrypted using a KMS key, then the role attached to the Lambda function should also have the "kms:Decrypt" permission.
answered a year ago
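The three checks in the answer above, written out as one Terraform configuration. This is an added example, not code from the question, the answer or the asker's private modules: it uses the standard `aws` provider resources and assumes inputs `var.secret_name` and `var.lambda_role_name` plus a provider configured for the target account and region. The secret is looked up by name so its ARN (including the random `-AbCdEf` suffix Secrets Manager appends, which a hand-built ARN can easily miss) comes from the API, and `kms:Decrypt` is limited with `kms:ViaService` so the role can only use the key through Secrets Manager.

```hcl
# Added example (not the question's or the answer's code): identity policy,
# secret resource policy and KMS grant for a Lambda role, scoped to one secret.
# Assumed inputs: var.secret_name, var.lambda_role_name.

data "aws_region" "current" {}

# Check 1 prerequisite: resolve the secret's real ARN (with its random suffix)
# instead of building it from a name.
data "aws_secretsmanager_secret" "db" {
  name = var.secret_name
}

# Customer-managed key assumed to encrypt the secret. With the AWS-managed key
# aws/secretsmanager no explicit kms:Decrypt statement is needed.
resource "aws_kms_key" "secrets" {
  description = "Encrypts the RDS credentials secret"
}

data "aws_iam_policy_document" "lambda_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "lambda" {
  name               = var.lambda_role_name
  assume_role_policy = data.aws_iam_policy_document.lambda_assume.json
}

# Check 1: identity-based policy. One secret, read-only actions.
data "aws_iam_policy_document" "lambda_secrets" {
  statement {
    sid       = "ReadDbSecret"
    effect    = "Allow"
    actions   = ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]
    resources = [data.aws_secretsmanager_secret.db.arn]
  }

  # Check 3: kms:Decrypt on the key, but only when Secrets Manager calls KMS
  # on the role's behalf, never for direct Decrypt calls from the function.
  statement {
    sid       = "DecryptDbSecret"
    effect    = "Allow"
    actions   = ["kms:Decrypt"]
    resources = [aws_kms_key.secrets.arn]
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["secretsmanager.${data.aws_region.current.name}.amazonaws.com"]
    }
  }
}

resource "aws_iam_role_policy" "lambda_secrets" {
  name   = "read-db-secret"
  role   = aws_iam_role.lambda.id
  policy = data.aws_iam_policy_document.lambda_secrets.json
}

# Check 2: resource policy on the secret. Inside one account it is optional,
# but if one exists it must not deny the role; this one names only the role.
data "aws_iam_policy_document" "secret_policy" {
  statement {
    sid    = "AllowLambdaRole"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = [aws_iam_role.lambda.arn]
    }
    actions   = ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]
    resources = ["*"]
  }
}

resource "aws_secretsmanager_secret_policy" "db" {
  secret_arn = data.aws_secretsmanager_secret.db.arn
  policy     = data.aws_iam_policy_document.secret_policy.json
}
```

After `terraform apply`, the effective result can be confirmed without invoking the function: `aws iam simulate-principal-policy --policy-source-arn <role ARN> --action-names secretsmanager:GetSecretValue --resource-arns <secret ARN>` reports `allowed` or `implicitDeny` per action, and the `secretsmanager.<region>.amazonaws.com` value in the `kms:ViaService` condition must match the region the function actually calls, which is what makes the region setting in the accepted answer matter.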
0
Accepted Answer

I could solve the issue. The issue was with my Java code. Previously I was using this line of code to create the SecretsManagerClient:

```java
var secretsManagerClient = SecretsManagerClient.create();
```

but using this piece of code solved the issue:

```java
SecretsManagerClient secretsManagerClient = SecretsManagerClient.builder()
        .region(region)
        .build();
```

answered a year ago
reviewed a month ago
-2

Hi,

Is the RDS database in the same VPC? In that case you need a VPC interface endpoint to access it.

If it is in the same VPC, look at the security group setup.

A nice guide can be found here: https://repost.aws/knowledge-center/connect-lambda-to-an-rds-instance

answered a year ago
  • Yes, RDS is in the same VPC as the Lambda function but in different subnets. I shall go through the link you shared and update you. Thanks!

  • alatech, but I am getting the error in accessing Secrets Manager itself.

  • Then I think you may need an interface endpoint for Secrets Manager, so that your Lambda in the VPC can access Secrets Manager secrets via PrivateLink.

    See this: https://repost.aws/knowledge-center/lambda-secret-vpc
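The interface endpoint suggested in the comment above, as an added Terraform example that is not part of the answer or the linked article. It assumes `var.vpc_id`, `var.private_subnet_ids` (the subnets the Lambda runs in) and `var.lambda_security_group_id`; resource and variable names are placeholders. Two things a plain endpoint omits are included: a security group that admits only the Lambda's security group on 443, and an endpoint policy that restricts every caller going through this endpoint to secrets in the current account, so the endpoint cannot be used to reach secrets elsewhere.

```hcl
# Added example (not the answer's code): Secrets Manager interface endpoint so a
# Lambda inside a VPC reaches the service over PrivateLink.
# Assumed inputs: var.vpc_id, var.private_subnet_ids, var.lambda_security_group_id.

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# Only the Lambda's security group may reach the endpoint, and only on HTTPS.
# The Lambda's own security group still needs an egress rule to this one on 443.
resource "aws_security_group" "secretsmanager_endpoint" {
  name        = "secretsmanager-endpoint"
  description = "HTTPS from the Lambda SG to the Secrets Manager endpoint"
  vpc_id      = var.vpc_id

  ingress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [var.lambda_security_group_id]
  }
}

# Endpoint policy: whatever identity uses this endpoint, it may only read
# secrets that live in this account and region.
data "aws_iam_policy_document" "endpoint" {
  statement {
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    actions = ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]
    resources = [
      "arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:*"
    ]
  }
}

resource "aws_vpc_endpoint" "secretsmanager" {
  vpc_id             = var.vpc_id
  service_name       = "com.amazonaws.${data.aws_region.current.name}.secretsmanager"
  vpc_endpoint_type  = "Interface"
  subnet_ids         = var.private_subnet_ids
  security_group_ids = [aws_security_group.secretsmanager_endpoint.id]
  policy             = data.aws_iam_policy_document.endpoint.json

  # Private DNS makes the SDK's default hostname resolve to the endpoint's
  # private IPs, so the function needs no endpoint override, only the region.
  private_dns_enabled = true
}
```

Note that the endpoint policy is evaluated in addition to, not instead of, the role's identity policy and the secret's resource policy: a missing `secretsmanager:GetSecretValue` in the role still produces exactly the error in the question, so the endpoint fixes reachability, not authorization.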
