
I need several Lambda functions on my account to be able to access a secret.

(I cannot use identity policies, don’t ask why)

I am following this example from the official documentation, so I am creating this resource-based policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "lambda.amazonaws.com"
        ]
      },
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "*",
      "Condition": {
        "ArnLike": {
          "aws:sourceArn": "arn:aws:lambda::1234567891911:*"
        },
        "StringEquals": {
          "aws:sourceAccount": "1234567891911"
        }
      }
    }
  ]
}

My lambda invocation fails as follows:

"An error occurred (AccessDeniedException) when calling the GetSecretValue operation: User: arn:aws:sts::1234567891911:assumed-role/my-secret-name/my-lambda-name is not authorized to perform: secretsmanager:GetSecretValue on resource: ps-shield-token because no identity-based policy allows the secretsmanager:GetSecretValue action",

????

2 Answers


  1. It’s not the Lambda service that’s getting the secret value. The Lambda service first assumes the execution role which you set in your Lambda function, and the execution role is the principal of the secretsmanager:GetSecretValue action. Therefore, the following policy should work.

    {
        "Version": "2012-10-17",
        "Statement":
        [
            {
                "Effect": "Allow",
                "Principal":
                {
                    "AWS": "arn:aws:iam::1234567891911:role/<lambda-execution-role-name>"
                },
                "Action": "secretsmanager:GetSecretValue",
                "Resource": "*"
            }
        ]
    }
    
  2. I don’t see the problem. Your policy example is valid for services that support service-linked roles [1]. Lambda functions do not support service-linked roles. Therefore, the policy example is not valid for Lambda.


    Service-linked roles, which are AWS-managed, are referenced by service name in resource-based policies, as in the OP. For instance, the principal { "Service": "elasticloadbalancing.amazonaws.com" } refers to the AWS-managed ELB service-linked role, which is called AWSServiceRoleForElasticLoadBalancing. Again, there’s no equivalent lambda.amazonaws.com option here, because Lambda has no service-linked role [2].

    Functions have user-managed execution roles. Execution roles (EC2 Instances and ECS Tasks have something similar) are referenced by the role ARN in the resource-based policy, "Principal": { "AWS": "<Lambda Role Arn>" }, as in @jellycsc’s answer.


    [1] Although the docs could definitely be clearer, your Example: Service principal does refer just to service-linked roles. The first link on the page, AWS Service Principal, refers to "service principal" as used by "services that support service-linked roles".

    [2] Lambda@Edge does support service-linked roles.

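Putting both answers together, here is an added example (not code from the question or either answer) that builds the working shape of the Secrets Manager resource policy for several Lambda execution roles and lints a policy for the two things that make the question's version fail: a Principal.Service of lambda.amazonaws.com, which is never the caller because the function calls Secrets Manager with its execution role's credentials, and aws:SourceArn/aws:SourceAccount conditions, which are only populated when an AWS service calls on your behalf and so can never be satisfied by a role caller. It also maps the arn:aws:sts::...:assumed-role/ROLE/SESSION ARN that the AccessDenied message prints back to the IAM role ARN the policy needs. The 12-digit account ID, role names and policy copy are constructed for the example, not the poster's real values.

```python
"""Added example: Secrets Manager resource policy for Lambda execution roles.

Account ID, role names and the policy copy below are constructed, not real.
"""
import json
import re

ACCOUNT_ID = "123456789012"  # constructed 12-digit account ID
EXECUTION_ROLES = ["orders-api-lambda-role", "billing-worker-lambda-role"]  # constructed

# Shape of the caller that an AccessDenied message prints:
# arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION
_ASSUMED_ROLE = re.compile(
    r"^arn:aws:sts::(?P<account>\d{12}):assumed-role/(?P<role>[^/]+)/(?P<session>.+)$"
)


def role_arn_from_assumed_role(sts_arn: str) -> str:
    """Turn the STS session ARN from the error into the IAM role ARN to grant."""
    m = _ASSUMED_ROLE.match(sts_arn)
    if m is None:
        raise ValueError(f"not an assumed-role ARN: {sts_arn}")
    return f"arn:aws:iam::{m['account']}:role/{m['role']}"


def execution_role_arn(account_id: str, role_name: str) -> str:
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def build_secret_resource_policy(role_arns: list[str], resource: str = "*") -> dict:
    """Allow GetSecretValue to the given execution roles.

    "Resource": "*" in a Secrets Manager resource policy means the secret the
    policy is attached to. Principals are de-duplicated and sorted so the JSON
    is stable when kept in source control.
    """
    bad = [a for a in role_arns if not re.match(r"^arn:aws:iam::\d{12}:role/", a)]
    if bad:
        raise ValueError(f"expected IAM role ARNs, got: {bad}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowLambdaExecutionRolesToReadSecret",
                "Effect": "Allow",
                "Principal": {"AWS": sorted(set(role_arns))},
                "Action": "secretsmanager:GetSecretValue",
                "Resource": resource,
            }
        ],
    }


def lint_policy(policy: dict) -> list[str]:
    """Return findings for the two mistakes in the question's policy."""
    findings = []
    for idx, st in enumerate(policy.get("Statement", [])):
        principal = st.get("Principal", {})
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        if isinstance(services, str):
            services = [services]
        if "lambda.amazonaws.com" in services:
            findings.append(
                f"Statement[{idx}]: Principal.Service lambda.amazonaws.com is never the "
                "caller; a function uses its execution role, so put the role ARN under "
                "Principal.AWS"
            )
        # Condition keys are case-insensitive; normalise before comparing.
        cond_keys = {k.lower() for op in st.get("Condition", {}).values() for k in op}
        if cond_keys & {"aws:sourcearn", "aws:sourceaccount"}:
            findings.append(
                f"Statement[{idx}]: aws:SourceArn/aws:SourceAccount are set only when an "
                "AWS service calls on your behalf; a role caller can never satisfy this "
                "condition"
            )
    return findings


# Constructed copy of the failing policy shape from the question.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": ["lambda.amazonaws.com"]},
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "*",
            "Condition": {
                "ArnLike": {"aws:sourceArn": f"arn:aws:lambda::{ACCOUNT_ID}:*"},
                "StringEquals": {"aws:sourceAccount": ACCOUNT_ID},
            },
        }
    ],
}

if __name__ == "__main__":
    for finding in lint_policy(ORIGINAL_POLICY):
        print("original policy:", finding)
    fixed = build_secret_resource_policy(
        [execution_role_arn(ACCOUNT_ID, r) for r in EXECUTION_ROLES]
    )
    print(json.dumps(fixed, indent=2))
```

The generated document is what you would pass to secretsmanager:PutResourcePolicy (for example with the AWS CLI's `aws secretsmanager put-resource-policy --secret-id ... --resource-policy file://policy.json`); each execution role still needs no identity policy change for this to take effect, which is the constraint the question was working under.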