Lambda deployed with serverless framework has no access to kms:Sign


After deploying, I try to invoke a function but get an error:

Error: AccessDeniedException: User: arn:aws:sts::475473497806:assumed-role/cosigner-callback-handler-dev-us-east-1-lambdaRole/cosigner-callback-handler-dev-callback_handler is not authorized to perform: kms:Sign on resource: arn:aws:kms:us-east-1:475473497806:key/605e631d-0634-4997-9689-82ba70ded0c5 because no resource-based policy allows the kms:Sign action

When I check the Lambda role configuration, I see that it contains all the rules I configured:

{
  "partial": false,
  "policies": [
    {
      "document": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": [
              "logs:CreateLogStream",
              "logs:CreateLogGroup",
              "logs:TagResource"
            ],
            "Resource": [
              "arn:aws:logs:us-east-1:475473497806:log-group:/aws/lambda/cosigner-callback-handler-dev*:*"
            ],
            "Effect": "Allow"
          },
          {
            "Action": [
              "logs:PutLogEvents"
            ],
            "Resource": [
              "arn:aws:logs:us-east-1:475473497806:log-group:/aws/lambda/cosigner-callback-handler-dev*:*:*"
            ],
            "Effect": "Allow"
          },
          {
            "Action": [
              "kms:DescribeKey",
              "kms:GetPublicKey",
              "kms:Sign",
              "kms:Verify"
            ],
            "Resource": "*",
            "Effect": "Allow"
          }
        ]
      },
      "name": "cosigner-callback-handler-dev-lambda",
      "type": "inline"
    }
  ],
  "resources": {
    "logs": {
      "service": {
        "icon": "",
        "name": "Amazon CloudWatch Logs"
      },
      "statements": [
        {
          "action": "logs:CreateLogStream",
          "effect": "Allow",
          "resource": "arn:aws:logs:us-east-1:475473497806:log-group:/aws/lambda/cosigner-callback-handler-dev*:*",
          "service": "logs",
          "source": {
            "index": "0",
            "policyName": "cosigner-callback-handler-dev-lambda",
            "policyType": "inline"
          }
        },
        {
          "action": "logs:CreateLogGroup",
          "effect": "Allow",
          "resource": "arn:aws:logs:us-east-1:475473497806:log-group:/aws/lambda/cosigner-callback-handler-dev*:*",
          "service": "logs",
          "source": {
            "index": "0",
            "policyName": "cosigner-callback-handler-dev-lambda",
            "policyType": "inline"
          }
        },
        {
          "action": "logs:TagResource",
          "effect": "Allow",
          "resource": "arn:aws:logs:us-east-1:475473497806:log-group:/aws/lambda/cosigner-callback-handler-dev*:*",
          "service": "logs",
          "source": {
            "index": "0",
            "policyName": "cosigner-callback-handler-dev-lambda",
            "policyType": "inline"
          }
        },
        {
          "action": "logs:PutLogEvents",
          "effect": "Allow",
          "resource": "arn:aws:logs:us-east-1:475473497806:log-group:/aws/lambda/cosigner-callback-handler-dev*:*:*",
          "service": "logs",
          "source": {
            "index": "1",
            "policyName": "cosigner-callback-handler-dev-lambda",
            "policyType": "inline"
          }
        }
      ]
    },
    "kms": {
      "service": {
        "icon": "",
        "name": "AWS Key Management Service"
      },
      "statements": [
        {
          "action": "kms:DescribeKey",
          "effect": "Allow",
          "resource": "*",
          "service": "kms",
          "source": {
            "index": "2",
            "policyName": "cosigner-callback-handler-dev-lambda",
            "policyType": "inline"
          }
        },
        {
          "action": "kms:GetPublicKey",
          "effect": "Allow",
          "resource": "*",
          "service": "kms",
          "source": {
            "index": "2",
            "policyName": "cosigner-callback-handler-dev-lambda",
            "policyType": "inline"
          }
        },
        {
          "action": "kms:Sign",
          "effect": "Allow",
          "resource": "*",
          "service": "kms",
          "source": {
            "index": "2",
            "policyName": "cosigner-callback-handler-dev-lambda",
            "policyType": "inline"
          }
        },
        {
          "action": "kms:Verify",
          "effect": "Allow",
          "resource": "*",
          "service": "kms",
          "source": {
            "index": "2",
            "policyName": "cosigner-callback-handler-dev-lambda",
            "policyType": "inline"
          }
        }
      ]
    }
  },
  "roleName": "cosigner-callback-handler-dev-us-east-1-lambdaRole",
  "trustedEntities": [
    "lambda.amazonaws.com"
  ]
}

Here is the serverless.yaml file:

provider:
  name: aws
  runtime: go1.x
  iam:
    role:
      # Identity-based policy attached to the Lambda execution role.
      # This is what the deployed role shows (kms:Sign is present), but it is only
      # half of the KMS authorization: the key policy below must also allow this role.
      statements:
        - Effect: "Allow"
          Action:
            - "kms:DescribeKey"
            - "kms:GetPublicKey"
            - "kms:Sign"
            - "kms:Verify"
          # Least privilege: this grants the role kms:Sign on every key in the account.
          # Scoping it to the one key created below (e.g. !GetAtt cosignerHandlerKmsKey.Arn)
          # limits the blast radius if the function is compromised.
          Resource: '*'

resources:
  Resources:
    cosignerHandlerKmsKey:
      Type: AWS::KMS::Key
      Properties:
        Description: My KMS key
        KeySpec: RSA_2048
        KeyUsage: SIGN_VERIFY
        # Resource-based policy on the key. The only principal it names is the admin
        # user, so the Lambda role (the assumed-role principal in the
        # AccessDeniedException) is denied with "no resource-based policy allows".
        # Without a statement for this role (or for the account root, which delegates
        # to IAM policies), the role's identity policy above is not sufficient.
        KeyPolicy:
          Version: '2012-10-17'
          Id: key-default-1
          Statement:
            - Sid: Enable IAM User Permissions
              Effect: Allow
              Principal:
                AWS: !Sub arn:aws:iam::${AWS::AccountId}:user/admin
              Action:
                - kms:*
              Resource: '*'

functions:
  callback_handler:
    environment:
      # Key ID is passed to the function; the role still needs key-policy access to use it.
      KMS_KEY_ID: !GetAtt cosignerHandlerKmsKey.KeyId
    handler: bin/main
    events:
      - httpApi:
          path: /v2/tx_sign_request
          method: post
      - httpApi:
          path: /v2/config_change_sign_request
          method: post

Please help me identify the error :(

2 Answers
Accepted Answer

Hi, it looks to me like your KMS key policy (the resource-based policy on the key) allows kms:* only for arn:aws:iam::${AWS::AccountId}:user/admin. Your Lambda won't be executing under that IAM principal, so you get the "no resource-based policy allows" error. You can see from the error that it is the "arn:aws:sts::475473497806:assumed-role/cosigner-callback-handler-dev-us-east-1-lambdaRole/cosigner-callback-handler-dev-callback_handler" principal that is trying to access KMS. KMS requires the key policy itself to grant access: unless the key policy names this role (or delegates to IAM policies via the account root principal), the kms:Sign permission in the role's own IAM policy is not enough.

EXPERT
answered 10 months ago
  • Unfortunately, here is the full role policy after the serverless deploy

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "logs:CreateLogStream",
                    "logs:CreateLogGroup",
                    "logs:TagResource"
                ],
                "Resource": [
                    "arn:aws:logs:us-east-1:475473497806:log-group:/aws/lambda/cosigner-callback-handler-dev*:*"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "logs:PutLogEvents"
                ],
                "Resource": [
                    "arn:aws:logs:us-east-1:475473497806:log-group:/aws/lambda/cosigner-callback-handler-dev*:*:*"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "kms:DescribeKey",
                    "kms:GetPublicKey",
                    "kms:Sign",
                    "kms:Verify"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }
    

I also had to add the Lambda role to the key policy, in addition to the IAM role policy, to be able to use KMS from the Lambda.

Ivan
answered 10 months ago
