Using ArnLike in conditional when creating resource policy for Secrets Manager does not seem to work

Time:01-06

I am attaching the following resource policy to an SM secret:

{
  "Version" : "2012-10-17",
  "Id" : "AllowAccessToSecretValue",
  "Statement" : [ {
    "Sid" : "AllowLambdaAccess",
    "Effect" : "Allow",
    "Principal" : {
      "Service" : "lambda.amazonaws.com"
    },
    "Action" : [ "secretsmanager:GetSecretValue", "secretsmanager:UpdateSecret" ],
    "Resource" : "arn:aws:secretsmanager:us-east-1:123456789:secret:my-secret-xkxkxk",
    "Condition" : {
      "ArnLike" : {
        "aws:SourceArn" : "arn:aws:lambda:us-east-1:123456789:function:foo*"
      }
    }
  } ]
}

Then I am trying to access it from a lambda that has the following code:

import boto3

client = boto3.client('secretsmanager')
secret_name = "my-secret"

def lambda_handler(event, context):

    # Calling SecretsManager
    get_secret_value_response = client.get_secret_value(
        SecretId=secret_name
    )

    # Extracting the key/value from the secret
    secret = get_secret_value_response['SecretString']
    print(secret)

    put_secret_value_response = client.update_secret(
        SecretId=secret_name,
        SecretString='fofo'
    )

    # Re-read the secret to see the updated value
    # (the update_secret response does not carry a SecretString)
    secret = client.get_secret_value(SecretId=secret_name)['SecretString']
    print(secret)

The arn of the function is

arn:aws:lambda:us-east-1:123456789:function:foo-lala

The execution fails:

"errorMessage": "An error occurred (AccessDeniedException) when calling the GetSecretValue operation: User: arn:aws:sts::123456789:assumed-role/my-secret/foo-lala is not authorized to perform: secretsmanager:GetSecretValue on resource: my-secret because no identity-based policy allows the secretsmanager:GetSecretValue action",

Why is that?

Update:

Removing the Condition clause entirely does not seem to work either:

{
  "Version" : "2012-10-17",
  "Id" : "AllowAccessToSecretValue",
  "Statement" : [ {
    "Sid" : "AllowLambdaAccess",
    "Effect" : "Allow",
    "Principal" : {
      "Service" : "lambda.amazonaws.com"
    },
    "Action" : [ "secretsmanager:GetSecretValue", "secretsmanager:UpdateSecret" ],
    "Resource" : "*"
  } ]
}

CodePudding user response:

Resource is "arn:aws:secretsmanager:us-east-1:123456789:secret:my-secret-xkxkxk" but you are trying to access my-secret!


Update:

{
  "Version" : "2012-10-17",
  "Id" : "AllowAccessToSecretValue",
  "Statement" : [ {
    "Sid" : "AllowLambdaAccess",
    "Effect" : "Allow",
    "Principal" : {
      "AWS" : "arn:aws:iam::359524702761:role/service-role/foo-lala-role-16s42m8h"
    },
    "Action" : [ "secretsmanager:GetSecretValue", "secretsmanager:UpdateSecret" ],
    "Resource" : "arn:aws:secretsmanager:us-east-1:359524702761:secret:my-secret-dNl6kV"
  } ]
}

CodePudding user response:

Your resource policy fails to grant the expected privileges because the Lambda service is not the caller. Rather, the Lambda service assumes the Lambda's execution role and the *role* makes the call to Secrets Manager.

Set the Lambda role as the Principal and remove the condition:

{
  "Version": "2012-10-17",
  "Id": "AllowAccessToSecretValue",
  "Statement": [
    {
      "Sid": "AllowLambdaAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789:role/MyLambdaRole"
      },
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:UpdateSecret"
      ],
      "Resource": "arn:aws:secretsmanager:us-east-1:123456789:secret:my-secret-xkxkxk"
    }
  ]
}

You can match multiple roles with a pattern. Use the "Any" Principal with an ArnLike Condition with a wildcard pattern on aws:PrincipalArn. This will match whatever role names match the pattern.

{
  "Version": "2012-10-17",
  "Id": "AllowAccessToSecretValue",
  "Statement": [
    {
      "Sid": "AllowLambdaAccess",
      "Effect": "Allow",
      "Principal": { "AWS": "*" },
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:UpdateSecret"
      ],
      "Resource": "arn:aws:secretsmanager:us-east-1:123456789:secret:my-secret-xkxkxk",
      "Condition": {
        "ArnLike": {
          "aws:PrincipalArn": "arn:aws:iam::123456789:role/*RolePattern*"
        }
      }
    }
  ]
}
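The following Python is an added illustration, not code from either answer and not AWS's own evaluator. It models only the documented rules that decide the three policies in this thread: ArnLike compares the six colon-delimited ARN parts one by one (a wildcard never spans a colon), a condition whose key is absent from the request context evaluates to false, and a call made from inside a Lambda function runs as its execution role, so the request carries aws:PrincipalArn equal to the role ARN and no aws:SourceArn. The account id, role name and secret suffix are constructed placeholders, and the role pattern used (role/foo-*) is an assumption chosen to match the sample role name.

```python
"""Toy model of resource-policy evaluation for the three policies above.
Added example: simplified, not AWS's implementation. Sample ARNs are constructed.
"""
import fnmatch
from typing import Dict, List, Union

Str = Union[str, List[str]]


def as_list(value: Str) -> List[str]:
    return value if isinstance(value, list) else [value]


def arn_like(pattern: str, arn: str) -> bool:
    """ArnLike: both strings must have six colon-separated parts and each ARN
    part must glob-match the same part of the pattern ('*' and '?' wildcards)."""
    p_parts, a_parts = pattern.split(":", 5), arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False
    return all(fnmatch.fnmatchcase(a, p) for p, a in zip(p_parts, a_parts))


def principal_matches(principal: Dict[str, Str], ctx: Dict[str, str]) -> bool:
    """'AWS' principals match the caller's role ARN (or '*'); a 'Service'
    principal matches only when a service principal itself makes the call."""
    aws = as_list(principal.get("AWS", []))
    if "*" in aws or ctx.get("aws:PrincipalArn") in aws:
        return True
    return ctx.get("aws:PrincipalServiceName") in as_list(principal.get("Service", []))


def conditions_match(condition: Dict[str, Dict[str, Str]], ctx: Dict[str, str]) -> bool:
    for operator, pairs in condition.items():
        if operator != "ArnLike":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, patterns in pairs.items():
            value = ctx.get(key)
            if value is None:  # key absent from the request: ArnLike is false
                return False
            if not any(arn_like(p, value) for p in as_list(patterns)):
                return False
    return True


def evaluate(policy: dict, ctx: Dict[str, str], action: str, resource_arn: str) -> str:
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one request against one policy."""
    allowed = False
    for stmt in policy["Statement"]:
        if action not in as_list(stmt["Action"]):
            continue
        if not any(r == "*" or arn_like(r, resource_arn) for r in as_list(stmt["Resource"])):
            continue
        if not principal_matches(stmt["Principal"], ctx):
            continue
        if not conditions_match(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


# Constructed sample identifiers (account id, role name and secret suffix are placeholders).
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789:secret:my-secret-xkxkxk"
ROLE_ARN = "arn:aws:iam::123456789:role/foo-lala-role"  # IAM ARNs carry no region
ACTIONS = ["secretsmanager:GetSecretValue", "secretsmanager:UpdateSecret"]


def policy(principal: Dict[str, Str], condition: dict = None) -> dict:
    stmt = {"Sid": "AllowLambdaAccess", "Effect": "Allow", "Principal": principal,
            "Action": ACTIONS, "Resource": SECRET_ARN}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}


POLICY_SERVICE_SOURCEARN = policy(
    {"Service": "lambda.amazonaws.com"},
    {"ArnLike": {"aws:SourceArn": "arn:aws:lambda:us-east-1:123456789:function:foo*"}})
POLICY_ROLE = policy({"AWS": ROLE_ARN})
POLICY_ROLE_PATTERN = policy(
    {"AWS": "*"}, {"ArnLike": {"aws:PrincipalArn": "arn:aws:iam::123456789:role/foo-*"}})

# A GetSecretValue call issued from inside the function: the execution role is
# the caller, so there is no service principal and no aws:SourceArn in the context.
LAMBDA_ROLE_CALL = {"aws:PrincipalArn": ROLE_ARN}


def run_scenarios() -> Dict[str, str]:
    act = "secretsmanager:GetSecretValue"
    other_role = {"aws:PrincipalArn": "arn:aws:iam::123456789:role/bar-role"}
    return {
        "service_principal+SourceArn": evaluate(POLICY_SERVICE_SOURCEARN, LAMBDA_ROLE_CALL, act, SECRET_ARN),
        "role_principal": evaluate(POLICY_ROLE, LAMBDA_ROLE_CALL, act, SECRET_ARN),
        "any_principal+PrincipalArn_pattern": evaluate(POLICY_ROLE_PATTERN, LAMBDA_ROLE_CALL, act, SECRET_ARN),
        "other_role_vs_pattern": evaluate(POLICY_ROLE_PATTERN, other_role, act, SECRET_ARN),
    }


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:36} {decision}")
```

Running it shows the first policy falling through to an implicit deny because neither the Service principal nor the aws:SourceArn key is present when the role itself calls Secrets Manager, while the role-principal policy and the "*" principal with an aws:PrincipalArn pattern both allow the call; a role outside the pattern is still denied. The pattern form is the broader grant, so keep the pattern as narrow as the role-naming convention permits.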