Question about Lambda execution role when configuring credential rotation for Secret Manager

问题

I created a rotation function manually and linked it to Secret Manager, I've managed to enable the rotation but when I checked the logs in CloudWatch for this rotation lambda, it showing me error:

[ERROR] ClientError: An error occurred (AccessDeniedException) 
when calling the DescribeSecret operation: 
User: arn:awsxxxxxxx:assumed-role/xxxxx-lambda-exec-role/
MyLambdaName is not authorized to perform: secretsmanager:DescribeSecret 
on resource: MysecretARN

I know something is wrong with my execution role, so I checked my policy attached to this role, it has:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret",
                "lambda:InvokeFunction",
                "secretsmanager:PutSecretValue",
                "secretsmanager:UpdateSecretVersionStage",
                "secretsmanager:RotateSecret"
            ],
            "Resource": [
                "arn:aws:secretsmanager:us-east-1:xxx",
                "arn:aws:lambda:us-east-1:xxx"
            ]
        }
    ]
}

I also attached 'AWSLambdaBasicExecutionRole` to my exec role,am I missing something else? Why I kept getting that error, I've been messing around with this whole rotation thing, exhausted! please help

I also tried to add a few KMS actions but still getting the same error...I've been working on this for a couple of days now and the AWS documents are very confusing and some are even misleading me to a completely different direction... Why it's so complicated to configure a bloody rotation....(crying)

回答1:

Make sure that secret arn is present in the Resources section of the policy. The error message mentions - 'MyLambdaName is not authorized to perform: secretsmanager:DescribeSecret on resource: MysecretARN'

but I don't see MysecretARN in the list of resources you allow the lambda to access

回答2:

All secrets in Secrete manager are encrypted with a key(AWS KMS). Please ensure that your lambda has permission to read the needed key.

UPD: I mean that the logic is following - The Lambda must have the permission to read the Secret and to use key (KMS) to decrypt the value of Secret.

来源：https://stackoverflow.com/questions/60002949/question-about-lambda-execution-role-when-configuring-credential-rotation-for-se