Lambda deployed with serverless framework has no access to kms:Sign

0

After deploy I try to invoke a function but get an error

Error: AccessDeniedException: User: arn:aws:sts::475473497806:assumed-role/cosigner-callback-handler-dev-us-east-1-lambdaRole/cosigner-callback-handler-dev-callback_handler is not authorized to perform: kms:Sign on resource: arn:aws:kms:us-east-1:475473497806:key/605e631d-0634-4997-9689-82ba70ded0c5 because no resource-based policy allows the kms:Sign action

When I check the Lambda configuration I see that it contains all the rules I configured

{
  "partial": false,
  "policies": [
    {
      "document": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": [
              "logs:CreateLogStream",
              "logs:CreateLogGroup",
              "logs:TagResource"
            ],
            "Resource": [
              "arn:aws:logs:us-east-1:475473497806:log-group:/aws/lambda/cosigner-callback-handler-dev*:*"
            ],
            "Effect": "Allow"
          },
          {
            "Action": [
              "logs:PutLogEvents"
            ],
            "Resource": [
              "arn:aws:logs:us-east-1:475473497806:log-group:/aws/lambda/cosigner-callback-handler-dev*:*:*"
            ],
            "Effect": "Allow"
          },
          {
            "Action": [
              "kms:DescribeKey",
              "kms:GetPublicKey",
              "kms:Sign",
              "kms:Verify"
            ],
            "Resource": "*",
            "Effect": "Allow"
          }
        ]
      },
      "name": "cosigner-callback-handler-dev-lambda",
      "type": "inline"
    }
  ],
  "resources": {
    "logs": {
      "service": {
        "name": "Amazon CloudWatch Logs"
      },
      "statements": [
        {
          "action": "logs:CreateLogStream",
          "effect": "Allow",
          "resource": "arn:aws:logs:us-east-1:475473497806:log-group:/aws/lambda/cosigner-callback-handler-dev*:*",
          "service": "logs",
          "source": {
            "index": "0",
            "policyName": "cosigner-callback-handler-dev-lambda",
            "policyType": "inline"
          }
        },
        {
          "action": "logs:CreateLogGroup",
          "effect": "Allow",
          "resource": "arn:aws:logs:us-east-1:475473497806:log-group:/aws/lambda/cosigner-callback-handler-dev*:*",
          "service": "logs",
          "source": {
            "index": "0",
            "policyName": "cosigner-callback-handler-dev-lambda",
            "policyType": "inline"
          }
        },
        {
          "action": "logs:TagResource",
          "effect": "Allow",
          "resource": "arn:aws:logs:us-east-1:475473497806:log-group:/aws/lambda/cosigner-callback-handler-dev*:*",
          "service": "logs",
          "source": {
            "index": "0",
            "policyName": "cosigner-callback-handler-dev-lambda",
            "policyType": "inline"
          }
        },
        {
          "action": "logs:PutLogEvents",
          "effect": "Allow",
          "resource": "arn:aws:logs:us-east-1:475473497806:log-group:/aws/lambda/cosigner-callback-handler-dev*:*:*",
          "service": "logs",
          "source": {
            "index": "1",
            "policyName": "cosigner-callback-handler-dev-lambda",
            "policyType": "inline"
          }
        }
      ]
    },
    "kms": {
      "service": {
        "name": "AWS Key Management Service"
      },
      "statements": [
        {
          "action": "kms:DescribeKey",
          "effect": "Allow",
          "resource": "*",
          "service": "kms",
          "source": {
            "index": "2",
            "policyName": "cosigner-callback-handler-dev-lambda",
            "policyType": "inline"
          }
        },
        {
          "action": "kms:GetPublicKey",
          "effect": "Allow",
          "resource": "*",
          "service": "kms",
          "source": {
            "index": "2",
            "policyName": "cosigner-callback-handler-dev-lambda",
            "policyType": "inline"
          }
        },
        {
          "action": "kms:Sign",
          "effect": "Allow",
          "resource": "*",
          "service": "kms",
          "source": {
            "index": "2",
            "policyName": "cosigner-callback-handler-dev-lambda",
            "policyType": "inline"
          }
        },
        {
          "action": "kms:Verify",
          "effect": "Allow",
          "resource": "*",
          "service": "kms",
          "source": {
            "index": "2",
            "policyName": "cosigner-callback-handler-dev-lambda",
            "policyType": "inline"
          }
        }
      ]
    }
  },
  "roleName": "cosigner-callback-handler-dev-us-east-1-lambdaRole",
  "trustedEntities": [
    "lambda.amazonaws.com"
  ]
}

Here is a serverless.yaml file

provider:
  name: aws
  runtime: go1.x
  iam:
    role:
      statements:
        - Effect: "Allow"
          Action:
            - "kms:DescribeKey"
            - "kms:GetPublicKey"
            - "kms:Sign"
            - "kms:Verify"
          Resource: '*'

resources:
  Resources:
    cosignerHandlerKmsKey:
      Type: AWS::KMS::Key
      Properties:
        Description: My KMS key
        KeySpec: RSA_2048
        KeyUsage: SIGN_VERIFY
        KeyPolicy:
          Version: '2012-10-17'
          Id: key-default-1
          Statement:
            - Sid: Enable IAM User Permissions
              Effect: Allow
              Principal:
                AWS: !Sub arn:aws:iam::${AWS::AccountId}:user/admin
              Action:
                - kms:*
              Resource: '*'

functions:
  callback_handler:
    environment:
      KMS_KEY_ID: !GetAtt cosignerHandlerKmsKey.KeyId
    handler: bin/main
    events:
      - httpApi:
          path: /v2/tx_sign_request
          method: post
      - httpApi:
          path: /v2/config_change_sign_request
          method: post

Please help me identify an error :(

2 Answers
1
Accepted Answer

Hi, it looks to me like your KMS Key Policy (resource policy) allows kms:* only for arn:aws:iam::${AWS::AccountId}:user/admin. Your Lambda won't be executing under this IAM Principal so you get "no resource-based policy allows" errors. You can see from the error that it's the "arn:aws:sts::475473497806:assumed-role/cosigner-callback-handler-dev-us-east-1-lambdaRole/cosigner-callback-handler-dev-callback_handler" IAM Principal that's trying to access KMS.

EXPERT
answered a year ago
EXPERT
reviewed a year ago
EXPERT
reviewed a year ago
  • Unfortunately, here is a full role after serverless deploy

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "logs:CreateLogStream",
                    "logs:CreateLogGroup",
                    "logs:TagResource"
                ],
                "Resource": [
                    "arn:aws:logs:us-east-1:475473497806:log-group:/aws/lambda/cosigner-callback-handler-dev*:*"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "logs:PutLogEvents"
                ],
                "Resource": [
                    "arn:aws:logs:us-east-1:475473497806:log-group:/aws/lambda/cosigner-callback-handler-dev*:*:*"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "kms:DescribeKey",
                    "kms:GetPublicKey",
                    "kms:Sign",
                    "kms:Verify"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }
    
1

I should also update the key policy with the Lambda role to be able to use KMS from Lambda, in addition to the IAM role.

Ivan
answered a year ago
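Both answers above come down to the same point: for a KMS key, the IAM role policy alone is not enough; the key policy (the resource-based policy) must either name the calling principal or delegate to IAM by allowing the account root. Below is an added example of what that looks like in the asker's serverless.yaml; it is not the asker's configuration as posted. It assumes `IamRoleLambdaExecution` is the logical ID the Serverless Framework gives the role it generates from `provider.iam.role.statements` (confirm it in `.serverless/cloudformation-template-update-stack.json` after `sls package`), and it replaces the `user/admin` statement with the account root so the key cannot become unmanageable if that user is deleted.

```yaml
# Added example, not the original serverless.yaml: KMS key whose key policy
# names the Lambda execution role shown in the AccessDeniedException.
provider:
  name: aws
  runtime: go1.x
  iam:
    role:
      statements:
        - Effect: Allow
          Action:
            - kms:DescribeKey
            - kms:GetPublicKey
            - kms:Sign
            - kms:Verify
          # Kept as '*' on purpose: narrowing this to the key ARN while the key
          # policy references the role would be a CloudFormation circular dependency
          # (see the note below the block).
          Resource: '*'

resources:
  Resources:
    cosignerHandlerKmsKey:
      Type: AWS::KMS::Key
      Properties:
        Description: Signing key for the cosigner callback handler
        KeySpec: RSA_2048
        KeyUsage: SIGN_VERIFY
        KeyPolicy:
          Version: '2012-10-17'
          Id: key-default-1
          Statement:
            # 1. Key administration. Allowing the account root delegates to IAM,
            #    so IAM policies in this account can grant access to the key, and
            #    the key stays manageable even if an individual admin user is removed.
            - Sid: EnableIAMUserPermissions
              Effect: Allow
              Principal:
                AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
              Action: kms:*
              Resource: '*'
            # 2. The principal from the error message: the Lambda execution role.
            #    IamRoleLambdaExecution is assumed to be the logical ID the Serverless
            #    Framework generates. Only the operations the handler needs are listed;
            #    no key-management actions.
            - Sid: AllowCallbackHandlerToSign
              Effect: Allow
              Principal:
                AWS: !GetAtt IamRoleLambdaExecution.Arn
              Action:
                - kms:Sign
                - kms:Verify
                - kms:GetPublicKey
                - kms:DescribeKey
              Resource: '*'   # inside a key policy, '*' means this key only

functions:
  callback_handler:
    environment:
      KMS_KEY_ID: !GetAtt cosignerHandlerKmsKey.KeyId
    handler: bin/main
    events:
      - httpApi:
          path: /v2/tx_sign_request
          method: post
      - httpApi:
          path: /v2/config_change_sign_request
          method: post
```

Two things to keep in mind. First, the dependency graph: the key references the role, and the function references both, which is fine; but if you also scope the role statement's `Resource` down to `!GetAtt cosignerHandlerKmsKey.Arn`, the role then references the key and CloudFormation rejects the stack as circular. If you want the IAM side scoped to the key ARN, drop statement 2 and rely on the root statement, which lets the IAM policy do the granting. Second, after deploying, confirm what actually landed on the key with `aws kms get-key-policy --key-id <key id> --policy-name default --output text` and check that the role ARN (not the assumed-role session ARN from the error) appears as a principal.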
