Amazon web services - Unable to access SecretsManager from lambda (inside a VPC)

Tim
December 30, 2023
199 views
1 vote
2 Answers

I’ve been trying to get a db connection working in my lambda and having the worst time retrieving my password from secrets manager.

When I run the lambda I get

User: arn:aws:sts::#####:assumed-role/consent-gen/consent-gen is not authorized to perform: secretsmanager:GetSecretValue because no identity-based policy allows the secretsmanager:GetSecretValue action

Policy Simulator tells me I have access rights however, in addition to the console telling me I have rights

While the lambda is in a VPC, it is in private subnets

And I have a VPC Endpoint for secrets manager set up, in the same vpc/subnets

with a security group set up to allow inbound traffic from the VPC i’m on

I’m at a loss at this point, has anyone else experienced this?

Answers

- Chris
- December 18, 2023 at 3:16 pm
- 0 votes
0
I would check the following:
- Check to make sure your secret does not have a Resource permission attached to it or that the resource permission allows your lambda role to retrieve the secret
- Check to make sure there are no SCPs preventing you from retrieving the secret
- Verify that the role attached to your lambda is what you expect it to be
- Check that the role your lambda is assuming has permissions to the KMS key that is encrypting the secret. I’ve seen misleading errors in that past that end up being kms key permissions errors.
Login or Signup to reply.

- halfer
- December 22, 2023 at 1:07 am
- 0 votes
0
(Posted solution on behalf of the question author to move it to the answer space).

I did absolutely nothing, but the error disappeared. I’m guessing I needed to wait longer for something in the VPC endpoint to be set up internally to AWS but I honestly don’t know. Such is the mystery of AWS.

Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.

Amazon web services – Unable to access SecretsManager from lambda (inside a VPC)

Answers