
I am attaching the following resource policy to an SM secret

{
  "Version" : "2012-10-17",
  "Id" : "AllowAccessToSecretValue",
  "Statement" : [ {
    "Sid" : "AllowLambdaAccess",
    "Effect" : "Allow",
    "Principal" : {
      "Service" : "lambda.amazonaws.com"
    },
    "Action" : [ "secretsmanager:GetSecretValue", "secretsmanager:UpdateSecret" ],
    "Resource" : "arn:aws:secretsmanager:us-east-1:123456789:secret:my-secret-xkxkxk",
    "Condition" : {
      "ArnLike" : {
        "aws:SourceArn" : "arn:aws:lambda:us-east-1:123456789:function:foo*"
      }
    }
  } ]
}

Then I am trying to access it from a lambda that has the following code:

import boto3

# Secrets Manager client, created once per execution environment
client = boto3.client('secretsmanager')
secret_name = "my-secret"

def lambda_handler(event, context):

    # Calling SecretsManager
    get_secret_value_response = client.get_secret_value(
        SecretId=secret_name
    )

    # Raw Response
    # Extracting the key/value from the secret
    secret = get_secret_value_response['SecretString']
    print(secret)

    put_secret_value_response = client.update_secret(
        SecretId=secret_name,
        SecretString='fofo'
    )

    # Re-read the secret; the earlier response still holds the old value
    get_secret_value_response = client.get_secret_value(
        SecretId=secret_name
    )
    secret = get_secret_value_response['SecretString']
    print(secret)

The arn of the function is

arn:aws:lambda:us-east-1:123456789:function:foo-lala

The execution fails:

"errorMessage": "An error occurred (AccessDeniedException) when calling the GetSecretValue operation: User: arn:aws:sts::123456789:assumed-role/my-secret/foo-lala is not authorized to perform: secretsmanager:GetSecretValue on resource: my-secret because no identity-based policy allows the secretsmanager:GetSecretValue action",

Why is that?

Update:

Removing the Condition clause entirely does not seem to work either.

{
  "Version" : "2012-10-17",
  "Id" : "AllowAccessToSecretValue",
  "Statement" : [ {
    "Sid" : "AllowLambdaAccess",
    "Effect" : "Allow",
    "Principal" : {
      "Service" : "lambda.amazonaws.com"
    },
    "Action" : [ "secretsmanager:GetSecretValue", "secretsmanager:UpdateSecret" ],
    "Resource" : "*"
  } ]
}

2 Answers


  1. Resource is "arn:aws:secretsmanager:us-east-1:123456789:secret:my-secret-xkxkxk" but you are trying to access my-secret!


    Update:

    {
      "Version" : "2012-10-17",
      "Id" : "AllowAccessToSecretValue",
      "Statement" : [ {
        "Sid" : "AllowLambdaAccess",
        "Effect" : "Allow",
        "Principal" : {
          "AWS" : "arn:aws:iam::359524702761:role/service-role/foo-lala-role-16s42m8h"
        },
        "Action" : [ "secretsmanager:GetSecretValue", "secretsmanager:UpdateSecret" ],
        "Resource" : "arn:aws:secretsmanager:us-east-1:359524702761:secret:my-secret-dNl6kV"
      } ]
    }
    
  2. Your resource policy fails to grant the expected privileges because the Lambda service is not the caller. Rather, the Lambda service assumes the Lambda’s execution role and the *role* makes the call to Secrets Manager.

    Set the Lambda role as the Principal and remove the condition:

    {
      "Version": "2012-10-17",
      "Id": "AllowAccessToSecretValue",
      "Statement": [
        {
          "Sid": "AllowLambdaAccess",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::123456789:role/MyLambdaRole"
          },
          "Action": [
            "secretsmanager:GetSecretValue",
            "secretsmanager:UpdateSecret"
          ],
          "Resource": "arn:aws:secretsmanager:us-east-1:123456789:secret:my-secret-xkxkxk"
        }
      ]
    }
    

    You can match multiple roles with a pattern. Use the "Any" Principal with an ArnLike Condition with a wildcard pattern on aws:PrincipalArn. This will match whatever role names match the pattern.

    {
      "Version": "2012-10-17",
      "Id": "AllowAccessToSecretValue",
      "Statement": [
        {
          "Sid": "AllowLambdaAccess",
          "Effect": "Allow",
          "Principal": { "AWS": "*" },
          "Action": [
            "secretsmanager:GetSecretValue",
            "secretsmanager:UpdateSecret"
          ],
          "Resource": "arn:aws:secretsmanager:us-east-1:123456789:secret:my-secret-xkxkxk",
          "Condition": {
            "ArnLike": {
              "aws:PrincipalArn": "arn:aws:iam::123456789:role/*RolePattern*"
            }
          }
        }
      ]
    }
    