I have the following resource policy on a Secrets Manager secret
{
"Version" : "2012-10-17",
"Statement" : [ {
"Sid" : "rp1",
"Effect" : "Allow",
"Principal" : {
"AWS" : ["*"]
},
"Action" : [ "secretsmanager:UpdateSecret", "secretsmanager:GetSecretValue" ],
"Resource" : "arn:aws:secretsmanager:us-east-1:1111111111111111:secret:my-secret-VH7Qgf",
"Condition" : {
"ArnLike" : {
"aws:PrincipalArn" : "arn:aws:iam::1111111111111111:role/my-role*"
}
}
} ]
}
My lambda has the following Executor role arn; arn:aws:iam::1111111111111111:role/my-role-foo
However its execution fails with:
"errorMessage": "An error occurred (AccessDeniedException) when calling the GetSecretValue operation: User: arn:aws:sts::1111111111111111:assumed-role/my-secret/my-lambda is not authorized to perform: secretsmanager:GetSecretValue on resource: my-secret because no identity-based policy allows the secretsmanager:GetSecretValue action",
Why is that?
2
Answers
Although not 100% sure, I think this is limited by the
Condition
statements that can be applied to Secrets Manager.The docs indicate that the
StringLike
nor theArnLike
can be applied.An AWS resource policy cannot grant permissions on the attached resource.
Hence, even if you have allowed "actions" in resource policy it does not mean that the resource (consumer) trying to access has the privilege.
For the resource(consumer) to have access, it needs permissions granted via AWS IAM Role attached to it.
Therefore, you need to have
secretsmanager:GetSecretValue
as a part of the AWS IAM Rolearn:aws:iam::1111111111111111:role/my-role-foo
that is attached to the AWS Lambda function.I hope it helps ๐