assumed-role cannot access secret manager

0

Hi,

I have an IAM role, <role_name>, for an AWS Lambda function. This IAM role has a policy attached to it:

{
    "Statement": [
        {
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:kms:us-east-2:<account_id>:key/<key_id>",
            "Sid": "kms"
        },
        {
            "Action": "secretsmanager:GetSecretValue",
            "Effect": "Allow",
            "Resource": "arn:aws:secretsmanager:us-east-2:<account_id>:secret:<secret_name>-<some_randomstuff>",
            "Sid": "secretsmanager"
        }
    ],
    "Version": "2012-10-17"
}

In the Lambda function code, I try to get the secret value using Python like this:

import json
from aws_lambda_powertools.utilities import parameters  # Powertools for AWS Lambda (Python)

# get_secret() calls secretsmanager:GetSecretValue in the function's own region
secret = json.loads(parameters.get_secret(<secret_name>))

And in the output I'm getting this error:

[ERROR] GetParameterError: An error occurred (AccessDeniedException) when calling the GetSecretValue operation: User: arn:aws:sts::<account_id>:assumed-role/<role_name>/<role_name> is not authorized to perform: secretsmanager:GetSecretValue on resource: <secret_name> because no identity-based policy allows the secretsmanager:GetSecretValue action

What could the issue be? The role has a policy that allows this role to call "GetSecretValue" on <secret_arn>, but the assumed-role IAM identity cannot access it (if the error message is to be believed and is not misleading).

Thanks.

2 answers
0

Ensure your Lambda execution role also has kms:Decrypt for the key used to encrypt the secret.

Expert
answered 1 month ago
AWS Expert
reviewed 1 month ago
  • Good point. I added another statement to the allowing policy, but sadly it did not help.

0

Another thing to take into consideration is the accounts: whether this is a cross-account situation or not. Anyway, the first thing I would check is the KMS key policy attached to the KMS key. It's not enough to grant permissions to the principal executing the Lambda function; you also need to allow usage by that principal in the KMS key policy. In the KMS key policy you can grant permissions to all principals in one account, or just to specific principals.

Here you have examples: https://docs.aws.amazon.com/dms/latest/userguide/security_iam_resource-based-policy-examples.html

To be more precise, for your use case you would need something like this:

{
  "Sid": "Allow use of the key",
  "Effect": "Allow",
  "Principal": {
    "AWS": [
      "arn:aws:iam::987654321098:role/<your-lambda-role>"
    ]
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "*"
},

Hope this helps,

Best.

AWS
answered 1 month ago
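Added example (not from the original post, from AWS, or from either answerer): a small offline IAM-style matcher that makes both checks in this thread concrete, the identity-policy match for secretsmanager:GetSecretValue raised in the question and the KMS key-policy layer described in the second answer. Everything in it is constructed: the account id, the role name lambda-role, the secret my-secret with a made-up random suffix, and the key id. Two details worth testing with it: the error in the question says "no identity-based policy allows", which is the wording IAM uses when no Allow statement in the identity policy matches the request (as opposed to an explicit deny), so the Resource ARN in the policy must match the ARN the Lambda actually requests, in the region the function runs in and with the random suffix Secrets Manager appends to every secret ARN; and, separately, kms:Decrypt on the key succeeds only if the key policy either names the role directly or names the account root and thereby delegates to the role's identity policy. This matcher models only that subset of IAM (no Conditions, SCPs, permission boundaries or NotAction); use the IAM policy simulator for a real decision.

```python
# Added example: minimal offline IAM-style matcher (not AWS code). Models only
# case-insensitive Action matching, '*'/'?' wildcards, explicit-deny precedence
# and, for resource-based policies such as a KMS key policy, Principal matching.
import re

ACCOUNT = "123456789012"                                   # constructed placeholder
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/lambda-role"      # hypothetical role name
SECRET_ARN = f"arn:aws:secretsmanager:us-east-2:{ACCOUNT}:secret:my-secret-AbCdEf"  # constructed
KEY_ARN = f"arn:aws:kms:us-east-2:{ACCOUNT}:key/11111111-2222-3333-4444-555555555555"  # constructed


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _wild(pattern, value, ignore_case):
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _principal_matches(stmt, principal):
    if "Principal" not in stmt:            # identity-based policy: principal is implicit
        return True
    spec = stmt["Principal"]
    allowed = ["*"] if spec == "*" else _as_list(spec.get("AWS"))
    return any(a == "*" or a == principal for a in allowed)


def _statement_matches(stmt, action, resource, principal):
    return (_principal_matches(stmt, principal)
            and any(_wild(a, action, True) for a in _as_list(stmt.get("Action")))       # actions: case-insensitive
            and any(_wild(r, resource, False) for r in _as_list(stmt.get("Resource"))))  # ARNs: case-sensitive


def evaluate(policy, action, resource, principal=None):
    """Decision of one policy document: 'explicit deny', 'allow' or 'implicit deny'."""
    decision = "implicit deny"
    for stmt in policy["Statement"]:
        if not _statement_matches(stmt, action, resource, principal):
            continue
        if stmt.get("Effect") == "Deny":
            return "explicit deny"
        decision = "allow"
    return decision


# Identity-based policy on the Lambda role, shaped like the one in the question.
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "kms", "Effect": "Allow", "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": KEY_ARN},
    {"Sid": "secretsmanager", "Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
     "Resource": SECRET_ARN},
]}

# Same grant with a wildcard on the random suffix, so it survives recreation of the secret.
WILDCARD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
     "Resource": f"arn:aws:secretsmanager:us-east-2:{ACCOUNT}:secret:my-secret-*"},
]}

# Key policy on the KMS key, shaped like the statement in the second answer.
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Allow use of the key", "Effect": "Allow", "Principal": {"AWS": [ROLE_ARN]},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"],
     "Resource": "*"},
]}


def get_secret_value_decision(secret_arn, identity_policy=IDENTITY_POLICY):
    """What the identity policy alone says about GetSecretValue on this exact ARN."""
    return evaluate(identity_policy, "secretsmanager:GetSecretValue", secret_arn)


def kms_decrypt_allowed(identity_policy, key_policy, principal_arn, key_arn=KEY_ARN):
    """Same-account KMS: the key policy must name the principal directly, or name the
    account root (delegating to IAM) while the identity policy also allows.
    An explicit deny in either layer wins."""
    account_root = f"arn:aws:iam::{principal_arn.split(':')[4]}:root"
    direct = evaluate(key_policy, "kms:Decrypt", key_arn, principal_arn)
    delegated = evaluate(key_policy, "kms:Decrypt", key_arn, account_root)
    identity = evaluate(identity_policy, "kms:Decrypt", key_arn)
    if "explicit deny" in (direct, identity):
        return False
    return direct == "allow" or (delegated == "allow" and identity == "allow")


if __name__ == "__main__":
    print("exact ARN:", get_secret_value_decision(SECRET_ARN))
    print("function in another region:", get_secret_value_decision(SECRET_ARN.replace("us-east-2", "us-east-1")))
    print("secret recreated, new suffix:", get_secret_value_decision(SECRET_ARN.replace("AbCdEf", "XyZ123")))
    print("new suffix, wildcard policy:",
          get_secret_value_decision(SECRET_ARN.replace("AbCdEf", "XyZ123"), WILDCARD_POLICY))
    print("kms:Decrypt for the role:", kms_decrypt_allowed(IDENTITY_POLICY, KEY_POLICY, ROLE_ARN))
```

Run it as-is and the region and suffix cases come back "implicit deny", which is exactly the condition that produces the "no identity-based policy allows" wording in the question; swap in your own redacted ARNs to compare the policy's Resource against the ARN the Lambda really requests before touching the key policy.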
