2 Answers
0
Hi Fadholi,
You need to make sure that whoever is using Secrets Manager (a Lambda function, an EC2 instance, an IAM user, etc.) has a policy allowing the GetSecretValue action.
https://docs.aws.amazon.com/mediaconnect/latest/ug/iam-policy-examples-asm-secrets.html
0
Hi @Fadholi,
If you want to access secrets as part of the build, just make sure to assign the required permissions to the Access role
instead of the Instance Role.
answered a year ago
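Both answers above say the same thing from different angles: the principal that actually makes the call during the build must carry a policy allowing secretsmanager:GetSecretValue. As an added illustration (not part of either answer), here is what a least-privilege version of that policy could look like, rather than a wildcard grant on every secret. The account ID, region, secret name and KMS key ID are placeholders. The trailing `-*` on the secret ARN covers the six random characters Secrets Manager appends to every secret ARN; the second statement is only needed when the secret is encrypted with a customer-managed KMS key instead of the default `aws/secretsmanager` key, and its `kms:ViaService` condition limits the decrypt grant to calls made through Secrets Manager.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadBuildSecret",
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:bullet-system/build-env-*"
    },
    {
      "Sid": "DecryptSecretWithCustomerManagedKey",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "secretsmanager.us-east-1.amazonaws.com"
        }
      }
    }
  ]
}
```

Attach it to the role named in the `User:` field of the AccessDeniedException (the assumed-role ARN), since that is the identity IAM evaluated, and verify with `aws secretsmanager get-secret-value --secret-id <name>` using credentials for that role before re-running the build.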
Hi @alatech,
Thanks for the response.
Yes, I did. Here is my detailed configuration.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "secretsmanager:*",
        "cloudformation:CreateChangeSet",
        "cloudformation:DescribeChangeSet",
        "cloudformation:DescribeStackResource",
        "cloudformation:DescribeStacks",
        "cloudformation:ExecuteChangeSet",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "kms:DescribeKey",
        "kms:ListAliases",
        "kms:ListKeys",
        "lambda:ListFunctions",
        "rds:DescribeDBClusters",
        "rds:DescribeDBInstances",
        "redshift:DescribeClusters",
        "tag:GetResources"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
```

Could you please correct me if I'm wrong?
Thank you.
FYI, I can access Secrets Manager after the build with the above configuration, but I cannot access it in pre-build.
Can you elaborate on what you meant by pre-build? At least I'm glad the above suggested policy works.
We are using apprunner.yaml. Inside of it we have this configuration:

```yaml
version: 1.0
runtime: nodejs14
build:
  commands:
    pre-build:
      - n 14.18.3   # to update the node version
      - yarn env    # executes code that gets the SecretValue from Secrets Manager
    .........
```

While we are running `yarn env`, the error appears as below:

```
AccessDeniedException: User: arn:aws:sts::397674710086:assumed-role/bullet-system-build-role-5c8717b2af5c41ad8edf3268812503f0/AWSCodeBuild-1a0e8fed-51e8-4abc-b034-658a5af6cc6c is not authorized to perform: secretsmanager:GetSecretValue on resource: .....
```
Have you followed this? https://aws.amazon.com/about-aws/whats-new/2023/01/aws-app-runner-secrets-configuration-aws-secrets-systems-manager/ Your issue seems related to App Runner not being able to get the secret, then. In particular, are you using environment variables to integrate with Secrets Manager?
Also, does the bullet-system-build-role have Secrets Manager permission?