Question
I created a rotation function manually and linked it to Secrets Manager. I've managed to enable the rotation, but when I checked the logs in CloudWatch for this rotation Lambda, it's showing me this error:
[ERROR] ClientError: An error occurred (AccessDeniedException)
when calling the DescribeSecret operation:
User: arn:awsxxxxxxx:assumed-role/xxxxx-lambda-exec-role/
MyLambdaName is not authorized to perform: secretsmanager:DescribeSecret
on resource: MysecretARN
I know something is wrong with my execution role, so I checked the policy attached to this role; it has:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret",
                "lambda:InvokeFunction",
                "secretsmanager:PutSecretValue",
                "secretsmanager:UpdateSecretVersionStage",
                "secretsmanager:RotateSecret"
            ],
            "Resource": [
                "arn:aws:secretsmanager:us-east-1:xxx",
                "arn:aws:lambda:us-east-1:xxx"
            ]
        }
    ]
}
I also attached `AWSLambdaBasicExecutionRole` to my exec role. Am I missing something else? Why do I keep getting that error? I've been messing around with this whole rotation thing, exhausted! Please help.
I also tried to add a few KMS actions but am still getting the same error... I've been working on this for a couple of days now and the AWS documents are very confusing, and some are even misleading me in a completely different direction... Why is it so complicated to configure a bloody rotation... (crying)
Answer 1:
Make sure that the secret ARN is present in the Resource section of the policy. The error message mentions 'MyLambdaName is not authorized to perform: secretsmanager:DescribeSecret on resource: MysecretARN',
but I don't see MysecretARN in the list of resources you allow the Lambda to access.
Answer 2:
All secrets in Secrets Manager are encrypted with a key (AWS KMS). Please ensure that your Lambda has permission to read the needed key.
UPD: I mean that the logic is the following: the Lambda must have permission to read the secret and to use the key (KMS) to decrypt the value of the secret.
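The two answers together describe the check a practitioner would run before enabling rotation: does the execution role's policy match the full secret ARN (Answer 1), and does it also grant the KMS rights for the secret's key (Answer 2)? The script below is an added example, not code from the question or the answers. It implements a small IAM-style matcher (Allow/Deny, `*` and `?` wildcards, no Condition or NotAction handling) and runs it over two policies: one shaped like the question's, whose Resource ARNs stop at the account field, and a corrected one naming the full secret ARN and the key. Every ARN and the function names `is_allowed` and `missing_grants` are constructed for the example.

```python
"""Offline policy check for a Secrets Manager rotation Lambda.

Added example, not from the original question or answers. The matcher below
covers Effect, Action and Resource with IAM's '*' and '?' wildcards only; it
does not evaluate Condition, NotAction/NotResource, resource-based policies
or the KMS key policy, all of which also take part in the real decision.
"""
import fnmatch

# Constructed placeholder ARNs; not real accounts, secrets or keys.
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:MySecret-AbCdEf"
KMS_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"

# Actions a rotation function calls against the secret it rotates.
ROTATION_ACTIONS = [
    "secretsmanager:DescribeSecret",
    "secretsmanager:GetSecretValue",
    "secretsmanager:PutSecretValue",
    "secretsmanager:UpdateSecretVersionStage",
]

# Shaped like the policy in the question: the Resource entry ends at the
# account field, so without a wildcard it matches no secret at all.
TRUNCATED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ROTATION_ACTIONS + ["secretsmanager:RotateSecret"],
        "Resource": ["arn:aws:secretsmanager:us-east-1:123456789012"],
    }],
}

# Corrected policy: the full secret ARN for the Secrets Manager calls, plus
# the KMS rights needed when the secret uses a customer-managed key. The key's
# own key policy must also permit this role (or delegate to IAM policies).
CORRECTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ROTATION_ACTIONS, "Resource": SECRET_ARN},
        {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
         "Resource": KMS_KEY_ARN},
        # GetRandomPassword is not tied to a resource, hence "*".
        {"Effect": "Allow", "Action": "secretsmanager:GetRandomPassword",
         "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, case_sensitive=True):
    # IAM supports '*' and '?' wildcards; fnmatchcase implements the same two.
    if not case_sensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy, action, resource):
    """Identity-policy decision: an explicit Deny wins, else any matching Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; resource ARNs are not.
        action_hit = any(_matches(p, action, case_sensitive=False)
                         for p in _as_list(stmt.get("Action", [])))
        resource_hit = any(_matches(p, resource)
                           for p in _as_list(stmt.get("Resource", [])))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def missing_grants(policy, secret_arn, kms_key_arn=None):
    """Return the (action, resource) pairs the rotation role still lacks."""
    required = [(a, secret_arn) for a in ROTATION_ACTIONS]
    if kms_key_arn:
        required += [("kms:Decrypt", kms_key_arn), ("kms:GenerateDataKey", kms_key_arn)]
    return [(a, r) for a, r in required if not is_allowed(policy, a, r)]


if __name__ == "__main__":
    for name, policy in (("truncated", TRUNCATED_POLICY), ("corrected", CORRECTED_POLICY)):
        gaps = missing_grants(policy, SECRET_ARN, KMS_KEY_ARN)
        print(f"{name}: {'ok' if not gaps else gaps}")
```

Running it reports every rotation action as missing for the truncated policy (the `DescribeSecret` denial from the question is the first of them) and nothing missing for the corrected one. The KMS statement only matters when the secret is encrypted with a customer-managed key; with the default `aws/secretsmanager` key, the service key policy already covers the role. Separately from the execution role, Secrets Manager itself needs `lambda:InvokeFunction` on the rotation function through the function's resource-based policy, which is what the `lambda:InvokeFunction` entry in the question's identity policy does not provide.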
Source: https://stackoverflow.com/questions/60002949/question-about-lambda-execution-role-when-configuring-credential-rotation-for-se