
I am trying to connect a Lambda to a secret as per AWS docs.

I set the following resource-based policy on the secret, and verified that it has indeed been set:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::123456789:role/my-lambda-execution-role"
        },
        "Action": "secretsmanager:GetSecretValue",
        "Resource": "*",
        "Condition": {
            "ForAnyValue:StringEquals": {
                "secretsmanager:VersionStage": "AWSCURRENT"
            }
        }
    }]
}

However, I am getting timeouts when attempting to actually retrieve the policy (using Amazon's generated starter code for python3 client). I am executing the Lambda in the web IDE.

I tried it with and without the Condition filter. I also, just to be safe, granted the SecretsManagerReadWrite policy to the Lambda execution role. No effect -- still timeouts.

I have a feeling that I am missing some important step there, but I have no idea what it could be...

Can anyone help? Thanks!

1 Answer


Do you really get a Timeout and not an Access Denied error?

If that's the case and you're getting a timeout, it's more likely that your Lambda network configuration is incorrect. If the policy were wrong, you'd get Access Denied, not a Timeout.

For example, if it's running in a VPC in a public subnet, it may not have a public IP assigned, or if it's running in a private subnet, there may not be a NAT gateway configured. Unless the Lambda needs access to VPC resources, you may want to run it outside of the VPC (which is also the default; VPC Lambdas are a special case).

Hope that helps :)

MLu
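The answer's diagnosis (a timeout means the call never reaches Secrets Manager, an authorization problem means AccessDeniedException) can be turned into a mechanical check. The script below is an added example for this thread, not code from the question, the answer or AWS. It walks the subnets a function is attached to and decides, per subnet, whether Secrets Manager is reachable. It relies on two facts about Lambda networking: a function with no VpcConfig talks to the public Secrets Manager endpoint, and a function attached to a VPC only ever gets a private ENI in each subnet (never a public IP), so each subnet needs either a 0.0.0.0/0 route to a NAT gateway or an available Secrets Manager interface VPC endpoint. The sample data is constructed to mirror the shapes of the lambda:GetFunctionConfiguration, ec2:DescribeRouteTables and ec2:DescribeVpcEndpoints responses; the region, the function name and every subnet, route-table, gateway and endpoint id are made up.

```python
"""Per-subnet reachability check for Secrets Manager from a VPC-attached Lambda.

Added example; not code from the question or the answer. All ids and the
region below are made up, and the dicts mirror (but are not) real API output.
"""

REGION = "eu-west-1"  # assumed region; only used to build the endpoint service name

FUNCTION_CONFIG = {  # constructed: shape of lambda:GetFunctionConfiguration
    "FunctionName": "read-my-secret",
    "VpcConfig": {
        "VpcId": "vpc-0abc",
        "SubnetIds": ["subnet-public-a", "subnet-private-b", "subnet-isolated-c"],
        "SecurityGroupIds": ["sg-lambda"],
    },
}

ROUTE_TABLES = [  # constructed: shape of ec2:DescribeRouteTables
    {   # "public" subnet: default route to an internet gateway
        "RouteTableId": "rtb-public",
        "Associations": [{"SubnetId": "subnet-public-a"}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                   {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123"}],
    },
    {   # private subnet: default route to a NAT gateway
        "RouteTableId": "rtb-private",
        "Associations": [{"SubnetId": "subnet-private-b"}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                   {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0456"}],
    },
    {   # isolated subnet: no default route at all
        "RouteTableId": "rtb-isolated",
        "Associations": [{"SubnetId": "subnet-isolated-c"}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
    },
]

VPC_ENDPOINTS = [  # constructed: shape of ec2:DescribeVpcEndpoints
    {"ServiceName": "com.amazonaws.eu-west-1.secretsmanager",
     "VpcEndpointType": "Interface", "State": "available",
     "SubnetIds": ["subnet-isolated-c"]},
]


def route_table_for(subnet_id, route_tables):
    """Explicitly associated table first, otherwise the VPC's main table, else None."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def default_route_target(rt):
    """('nat'|'igw'|'other', id) for the 0.0.0.0/0 route, or None if there is none."""
    for r in rt.get("Routes", []):
        if r.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if r.get("NatGatewayId"):
            return "nat", r["NatGatewayId"]
        if str(r.get("GatewayId", "")).startswith("igw-"):
            return "igw", r["GatewayId"]
        return "other", r.get("GatewayId") or r.get("NetworkInterfaceId") or "?"
    return None


def has_secretsmanager_endpoint(subnet_id, endpoints, region):
    """True if an available Secrets Manager interface endpoint has an ENI in this subnet."""
    service = f"com.amazonaws.{region}.secretsmanager"
    return any(e.get("ServiceName") == service and e.get("VpcEndpointType") == "Interface"
               and e.get("State") == "available" and subnet_id in e.get("SubnetIds", [])
               for e in endpoints)


def diagnose_subnet(subnet_id, route_tables, endpoints, region):
    """Return (verdict, reason); verdict is 'ok', 'timeout' or 'unknown'."""
    if has_secretsmanager_endpoint(subnet_id, endpoints, region):
        return "ok", "Secrets Manager interface endpoint present in this subnet"
    rt = route_table_for(subnet_id, route_tables)
    if rt is None:
        return "unknown", "no route table found for subnet; include the VPC's main table"
    target = default_route_target(rt)
    if target is None:
        return "timeout", f"{rt['RouteTableId']} has no 0.0.0.0/0 route and no endpoint"
    kind, ident = target
    if kind == "nat":
        return "ok", f"default route via NAT gateway {ident}"
    if kind == "igw":
        return "timeout", f"default route via {ident}, but a Lambda ENI has no public IP"
    return "unknown", f"default route via {ident}; verify it reaches the internet"


def diagnose_function(cfg, route_tables, endpoints, region):
    """Map each subnet the function uses to its verdict; a VPC-less function is always fine."""
    subnets = cfg.get("VpcConfig", {}).get("SubnetIds", [])
    if not subnets:
        return {"(no VPC)": ("ok", "not attached to a VPC; uses the public endpoint")}
    return {s: diagnose_subnet(s, route_tables, endpoints, region) for s in subnets}


if __name__ == "__main__":
    report = diagnose_function(FUNCTION_CONFIG, ROUTE_TABLES, VPC_ENDPOINTS, REGION)
    for subnet, (verdict, why) in report.items():
        print(f"{subnet:18} {verdict:8} {why}")
```

Two practical notes. Lambda picks any of the configured subnets for an invocation's ENI, so a single bad subnet (here subnet-public-a) shows up as intermittent rather than constant timeouts. And the default botocore connect timeout (60 s) is far longer than the default 3 s Lambda timeout, which is why the failure surfaces as "Task timed out" instead of a boto3 EndpointConnectionError; passing a botocore Config with a short connect_timeout to the client makes the network failure explicit in the logs.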