Lambda deployed with serverless framework has no access to kms:Sign


After deploying, I try to invoke the function but get an error:

Error: AccessDeniedException: User: arn:aws:sts::475473497806:assumed-role/cosigner-callback-handler-dev-us-east-1-lambdaRole/cosigner-callback-handler-dev-callback_handler is not authorized to perform: kms:Sign on resource: arn:aws:kms:us-east-1:475473497806:key/605e631d-0634-4997-9689-82ba70ded0c5 because no resource-based policy allows the kms:Sign action

When I check the Lambda's IAM role configuration, I see that it contains all the rules I configured:

{
  "partial": false,
  "policies": [
    {
      "document": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": [
              "logs:CreateLogStream",
              "logs:CreateLogGroup",
              "logs:TagResource"
            ],
            "Resource": [
              "arn:aws:logs:us-east-1:475473497806:log-group:/aws/lambda/cosigner-callback-handler-dev*:*"
            ],
            "Effect": "Allow"
          },
          {
            "Action": [
              "logs:PutLogEvents"
            ],
            "Resource": [
              "arn:aws:logs:us-east-1:475473497806:log-group:/aws/lambda/cosigner-callback-handler-dev*:*:*"
            ],
            "Effect": "Allow"
          },
          {
            "Action": [
              "kms:DescribeKey",
              "kms:GetPublicKey",
              "kms:Sign",
              "kms:Verify"
            ],
            "Resource": "*",
            "Effect": "Allow"
          }
        ]
      },
      "name": "cosigner-callback-handler-dev-lambda",
      "type": "inline"
    }
  ],
  "resources": {
    "logs": {
      "service": {
        "icon": "",
        "name": "Amazon CloudWatch Logs"
      },
      "statements": [
        {
          "action": "logs:CreateLogStream",
          "effect": "Allow",
          "resource": "arn:aws:logs:us-east-1:475473497806:log-group:/aws/lambda/cosigner-callback-handler-dev*:*",
          "service": "logs",
          "source": {
            "index": "0",
            "policyName": "cosigner-callback-handler-dev-lambda",
            "policyType": "inline"
          }
        },
        {
          "action": "logs:CreateLogGroup",
          "effect": "Allow",
          "resource": "arn:aws:logs:us-east-1:475473497806:log-group:/aws/lambda/cosigner-callback-handler-dev*:*",
          "service": "logs",
          "source": {
            "index": "0",
            "policyName": "cosigner-callback-handler-dev-lambda",
            "policyType": "inline"
          }
        },
        {
          "action": "logs:TagResource",
          "effect": "Allow",
          "resource": "arn:aws:logs:us-east-1:475473497806:log-group:/aws/lambda/cosigner-callback-handler-dev*:*",
          "service": "logs",
          "source": {
            "index": "0",
            "policyName": "cosigner-callback-handler-dev-lambda",
            "policyType": "inline"
          }
        },
        {
          "action": "logs:PutLogEvents",
          "effect": "Allow",
          "resource": "arn:aws:logs:us-east-1:475473497806:log-group:/aws/lambda/cosigner-callback-handler-dev*:*:*",
          "service": "logs",
          "source": {
            "index": "1",
            "policyName": "cosigner-callback-handler-dev-lambda",
            "policyType": "inline"
          }
        }
      ]
    },
    "kms": {
      "service": {
        "icon": "",
        "name": "AWS Key Management Service"
      },
      "statements": [
        {
          "action": "kms:DescribeKey",
          "effect": "Allow",
          "resource": "*",
          "service": "kms",
          "source": {
            "index": "2",
            "policyName": "cosigner-callback-handler-dev-lambda",
            "policyType": "inline"
          }
        },
        {
          "action": "kms:GetPublicKey",
          "effect": "Allow",
          "resource": "*",
          "service": "kms",
          "source": {
            "index": "2",
            "policyName": "cosigner-callback-handler-dev-lambda",
            "policyType": "inline"
          }
        },
        {
          "action": "kms:Sign",
          "effect": "Allow",
          "resource": "*",
          "service": "kms",
          "source": {
            "index": "2",
            "policyName": "cosigner-callback-handler-dev-lambda",
            "policyType": "inline"
          }
        },
        {
          "action": "kms:Verify",
          "effect": "Allow",
          "resource": "*",
          "service": "kms",
          "source": {
            "index": "2",
            "policyName": "cosigner-callback-handler-dev-lambda",
            "policyType": "inline"
          }
        }
      ]
    }
  },
  "roleName": "cosigner-callback-handler-dev-us-east-1-lambdaRole",
  "trustedEntities": [
    "lambda.amazonaws.com"
  ]
}

Here is the serverless.yaml file:

# Serverless Framework service definition as deployed when the kms:Sign
# AccessDeniedException quoted above was observed.
provider:
  name: aws
  runtime: go1.x
  iam:
    role:
      # Identity-based policy attached to the generated Lambda execution role.
      # For KMS this is only half of the authorization: the key policy below
      # must also allow the role (directly, or by delegating to IAM policies
      # through the account root principal); otherwise the call fails with
      # "no resource-based policy allows", which is exactly the error shown.
      statements:
        - Effect: "Allow"
          Action:
            - "kms:DescribeKey"
            - "kms:GetPublicKey"
            - "kms:Sign"
            - "kms:Verify"
          # '*' lets this role use these actions on any key whose key policy
          # permits it; scoping to this service's key ARN would be tighter.
          # NOTE(review): referencing the key here while the key policy also
          # references the role may produce a CloudFormation circular
          # dependency — confirm before tightening.
          Resource: '*'

resources:
  Resources:
    cosignerHandlerKmsKey:
      Type: AWS::KMS::Key
      Properties:
        Description: My KMS key
        # Asymmetric signing key; kms:Sign / kms:Verify are the operations
        # the Lambda needs on it.
        KeySpec: RSA_2048
        KeyUsage: SIGN_VERIFY
        # Resource-based policy of the key. Its only principal is the "admin"
        # IAM user, so the Lambda's assumed role named in the error message
        # is not allowed: a statement granting kms:Sign, kms:Verify,
        # kms:GetPublicKey and kms:DescribeKey to the Lambda execution role is
        # missing. NOTE(review): with no account-root principal in the policy,
        # AWS warns the key can become unmanageable if that user is removed.
        KeyPolicy:
          Version: '2012-10-17'
          Id: key-default-1
          Statement:
            - Sid: Enable IAM User Permissions
              Effect: Allow
              Principal:
                AWS: !Sub arn:aws:iam::${AWS::AccountId}:user/admin
              Action:
                - kms:*
              Resource: '*'

functions:
  callback_handler:
    environment:
      # Key id of the KMS key defined above, passed to the handler.
      KMS_KEY_ID: !GetAtt cosignerHandlerKmsKey.KeyId
    handler: bin/main
    # Two public HTTP API routes trigger the signing handler. No authorizer is
    # configured on these events here — NOTE(review): confirm how callers are
    # authenticated before the handler signs on their behalf.
    events:
      - httpApi:
          path: /v2/tx_sign_request
          method: post
      - httpApi:
          path: /v2/config_change_sign_request
          method: post

Please help me identify the error :(

Risposta accettata

Hi, it looks to me like your KMS key policy (resource policy) allows kms:* only for arn:aws:iam::${AWS::AccountId}:user/admin. Your Lambda won't be executing under this IAM principal, so you get the "no resource-based policy allows" error. Unlike most services, KMS requires the key policy itself to grant access (directly, or by delegating to IAM policies through the account root principal); an Allow in the role's IAM policy alone is not enough. You can see from the error that it's the "arn:aws:sts::475473497806:assumed-role/cosigner-callback-handler-dev-us-east-1-lambdaRole/cosigner-callback-handler-dev-callback_handler" IAM principal that's trying to access KMS.

con risposta un anno fa
  • Unfortunately, here is the full role policy after the serverless deploy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "logs:CreateLogStream",
                    "logs:CreateLogGroup",
                    "logs:TagResource"
                ],
                "Resource": [
                    "arn:aws:logs:us-east-1:475473497806:log-group:/aws/lambda/cosigner-callback-handler-dev*:*"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "logs:PutLogEvents"
                ],
                "Resource": [
                    "arn:aws:logs:us-east-1:475473497806:log-group:/aws/lambda/cosigner-callback-handler-dev*:*:*"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "kms:DescribeKey",
                    "kms:GetPublicKey",
                    "kms:Sign",
                    "kms:Verify"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }
    

I should also add the Lambda role to the key policy, in addition to the IAM role statement, to be able to use KMS from the Lambda.

Ivan
con risposta un anno fa
