Questions tagged with AWS Secrets Manager

Unable to use AWS Parameters and Secrets Lambda Extension

Hello, I tried all the steps required to use the AWS Parameters and Secrets Lambda Extension, such as adding the layer and sending the X-Aws-Parameters-Secrets-Token header, but when I make the request to get the secrets through the Lambda Extension I get the following error:

```
feign.RetryableException: Connection refused (Connection refused) executing GET http://localhost:2773/secretsmanager/get?secretId=test
```

I really do not understand the problem. The token seems fine as well. I used Feign Client to make a GET request to fetch the secrets through the AWS Lambda Extension. Could you please check the implementation and let me know the problem?

```java
import feign.Feign;
import feign.Headers;
import feign.Param;
import feign.QueryMap;
import feign.RequestLine;

import java.util.HashMap;
import java.util.Map;

// SecretsAndParametersExtensionAPI class (API class for Feign Client)
@Headers({"X-Aws-Parameters-Secrets-Token: {token}"})
public interface SecretsAndParametersExtensionAPI { // TODO move me
    @RequestLine("GET /secretsmanager/get")
    @Headers("X-Aws-Parameters-Secrets-Token: {token}")
    String getSecret(@Param("token") String token, @QueryMap Map<String, Object> queryMap);
}

// Test class to get Secrets by using AWS Secrets Parameters Lambda Extension
@Test
public void testSecretsExtension() {
    String sessionToken = EnvVarCommon.SESSION_TOKEN.get();
    System.out.println(sessionToken);
    try {
        SecretsAndParametersExtensionAPI secretsAndParametersExtensionAPI =
            Feign.builder().target(SecretsAndParametersExtensionAPI.class, "http://localhost:2773/");
        Map<String, Object> queryMap = new HashMap<>();
        queryMap.put("secretId", "test");
        String resultFromSecretExtension = secretsAndParametersExtensionAPI.getSecret(sessionToken, queryMap);
        System.out.println("Result From Secret Extension " + resultFromSecretExtension);
        log.debug("Request sent to ULH and ULH send request to LAVIN to download profile picture");
    } catch (IllegalStateException | JsonSyntaxException exception) {
        log.error("Failed to get response from ULH for downloading profile picture for the UserID '{}'", exception);
    }
}
```

```yaml
# template.yml file (CloudFormation file for adding Layer)
Mappings:
  RegionToLayerArnMap:
    us-east-1:
      "LayerArn": "arn:aws:lambda:us-east-1:177933569100:layer:AWS-Parameters-and-Secrets-Lambda-Extension:2"
    us-east-2:
      "LayerArn": "arn:aws:lambda:us-east-2:590474943231:layer:AWS-Parameters-and-Secrets-Lambda-Extension:2"
    eu-west-1:
      "LayerArn": "arn:aws:lambda:eu-west-1:015030872274:layer:AWS-Parameters-and-Secrets-Lambda-Extension:2"
    eu-west-2:
      "LayerArn": "arn:aws:lambda:eu-west-2:133256977650:layer:AWS-Parameters-and-Secrets-Lambda-Extension:2"
    eu-west-3:
      "LayerArn": "arn:aws:lambda:eu-west-3:780235371811:layer:AWS-Parameters-and-Secrets-Lambda-Extension:2"

AlperTestBotLambda:
  Type: AWS::Serverless::Function
  Condition: EnableAlperTestbot
  Properties:
    Tracing: Active
    Runtime: java11
    Environment:
      Variables:
        component: !Ref Component
        componentShortName: !Ref ComponentShortName
        version: !Ref Version
        zone: !Ref Zone
        tenant: !Ref Tenant
        testTenant: "test"
        alperTestQueueName: !Ref AlperTestQueueName
        aws.sessionToken: !Ref SessionToken
    Policies:
      - !Ref SecureParameterAccess
      - !Ref PurgeSqsPolicyTestQueues
    EventInvokeConfig:
      MaximumRetryAttempts: 0
    Layers:
      - !FindInMap [RegionToLayerArnMap, !Ref "AWS::Region", LayerArn]
```
1 answer · 0 votes · 55 views · asked 12 days ago

Race Condition Error in AWS-Parameters-and-Secrets-Lambda-Extension

Hey, we tried to use the AWS-Parameters-and-Secrets-Lambda-Extension to get some parameters within our Lambda function. Unfortunately the code of the layer throws an error. As far as I can tell from the outside it looks like a race condition. It mostly happens after the function has been deployed and runs for the first time, or when it comes back from a cold start. I do not know if this is the right place to report it, but here are some details. Let me know if there is a repo where I can create an issue.

Environment: Lambda, `arm64`, `Node.js 16.x`

Layer: `arn:aws:lambda:eu-west-1:015030872274:layer:AWS-Parameters-and-Secrets-Lambda-Extension-Arm64:2`

Error:

```
fatal error: concurrent map read and map write

goroutine 8 [running]:
golang.a2z.com/GoAmzn-SSMParameterStoreLambdaExtension/cache.(*Cache).Add(0x40001a6140, {0x31f0e0?, 0x400001f990}, {0x36e2c0?, 0x4000484900}, 0x6a3780?)
	/local/p4clients/pkgbuild-6j8da/workspace/src/GoAmzn-SSMParameterStoreLambdaExtension/cache/cache.go:69 +0x114
golang.a2z.com/GoAmzn-SSMParameterStoreLambdaExtension/parameters.(*Retriever).Get(0x40001b4280, 0x40001e1b90)
	/local/p4clients/pkgbuild-6j8da/workspace/src/GoAmzn-SSMParameterStoreLambdaExtension/parameters/retriever.go:107 +0x84c
...
	/opt/brazil-pkg-cache/packages/GoLang/GoLang-1.x.89619.0/AL2_x86_64/DEV.STD.PTHREAD/build/lib/src/net/http/transport.go:1752 +0x1234
```

The stack trace is very long, so I skipped a lot in between (`...`); if anyone needs it, please ask.
0 answers · 0 votes · 15 views · asked 20 days ago

DMS Test Endpoint failed

I am trying to create a DMS replication task with an RDS PostgreSQL source. The endpoint connection is failing with the following message:

```
Test Endpoint failed: Application-Status: 1020912, Application-Message: Failed to build connection string Unable to find Secrets Manager secret, Application-Detailed-Message: Failed to retrieve secret. Unable to find AWS Secrets Manager secret Arn 'arn:aws:secretsmanager:<region>:<account>:secret:<secret>' The secrets_manager get secret value failed: curlCode: 28, Timeout was reached Too many retries: curlCode: 28, Timeout was reached
```

I checked that the secret ARN is correct. I have also set `"SecretsManagerAccessRoleArn"` for the endpoint, which I double-checked. This role has the following policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue"
      ],
      "Resource": [
        "arn:aws:secretsmanager:<region>:<account>:secret:<friendly-name>-??????"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "kms:Decrypt",
        "kms:DescribeKey"
      ],
      "Resource": [
        "arn:aws:kms:<region>:<account>:key/*"
      ],
      "Effect": "Allow"
    }
  ]
}
```

The secretsmanager resource matches the secret ARN. I am using the default encryption key, so I believe the explicit KMS permission is not necessary; I just added it out of desperation. Here is the role trust policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "dms.amazonaws.com",
          "dms.<region>.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

According to the documentation, the region-specific principal should be used; I tried adding `dms.amazonaws.com` when it didn't work. The replication instance is on a public subnet. I tried `aws secretsmanager get-secret-value` from another instance on the same subnet using the SecretsManagerAccessRole as the assumed role and it works. The roles, policies, and DMS resources are all instantiated via CloudFormation. Any help getting this to work would be much appreciated.
1 answer · 0 votes · 115 views · asked a month ago

DMSStack-DMSRole-xxxx/dms-session-for-replication-engine is not authorized to perform: secretsmanager:GetSecretValue

I'm trying to test the endpoint connection from a DMS Replication Instance. The DMS (3.4.7) RI instance (running in Acnt A) is attempting to get a secret from Secrets Manager (running in Acnt B) using a VPC interface endpoint, but it errors out with the following:

```
Test Endpoint failed: Application-Status: 1020912, Application-Message: Failed to retrieve secret. Unable to find Secrets Manager secret, Application-Detailed-Message: Unable to find AWS Secrets Manager secret Arn 'arn:aws:secretsmanager:us-east-1:acntBbbbbb:secret:/dmsdemo/aaaaa-<erandomStrng>' The secrets_manager get secret value failed: User: arn:aws:sts::acntAaaaa:assumed-role/DMSStack-DMSRole-zzzzzzz/dms-session-for-replication-engine is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:us-east-1:acntBbbbbb:secret:/aaaaa-<randomStrng> because no session policy allows the secretsmanager:GetSecretValue action Not retriable error: <AccessDeniedException> User: arn:aws:sts::acntAaaaa:assumed-role/DMSStack-DMSRole-zzzzzzz/dms-session-for-replication-engine is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:us-east-1:acntBbbbbb:secret:/dmsdemo/aaaaa-<randomStrng>' because no session policy allows the secrets
```

DMSRole:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret"
      ],
      "Resource": "arn:aws:secretsmanager:us-east-1:acntAaaaa:secret:/dmsdemo/aaaaa-<randomStrng>",
      "Effect": "Allow"
    },
    {
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:us-east-1:acnt:key/ddddddddddd",
      "Effect": "Allow"
    }
  ]
}
```

Resource policy on the secret:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::acntAaaaaa:root",
          "arn:aws:iam::acntBbbbbbb:root"
        ]
      },
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret"
      ],
      "Resource": "*"
    }
  ]
}
```

Any thoughts on what is missing in the permissions that is restricting access to the secret?
1 answer · 0 votes · 28 views · asked 2 months ago