
I created a rotation function manually and linked it to Secrets Manager. I've managed to enable the rotation, but when I checked the logs in CloudWatch for this rotation Lambda, it is showing me this error:

[ERROR] ClientError: An error occurred (AccessDeniedException) 
when calling the DescribeSecret operation: 
User: arn:awsxxxxxxx:assumed-role/xxxxx-lambda-exec-role/
MyLambdaName is not authorized to perform: secretsmanager:DescribeSecret 
on resource: MysecretARN

I know something is wrong with my execution role, so I checked the policy attached to this role; it has:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret",
                "lambda:InvokeFunction",
                "secretsmanager:PutSecretValue",
                "secretsmanager:UpdateSecretVersionStage",
                "secretsmanager:RotateSecret"
            ],
            "Resource": [
                "arn:aws:secretsmanager:us-east-1:xxx",
                "arn:aws:lambda:us-east-1:xxx"
            ]
        }
    ]
}

I also attached `AWSLambdaBasicExecutionRole` to my exec role. Am I missing something else? Why do I keep getting that error? I've been messing around with this whole rotation thing, exhausted! Please help.

I also tried to add a few KMS actions but I'm still getting the same error... I've been working on this for a couple of days now and the AWS documents are very confusing and some are even misleading me in a completely different direction... Why is it so complicated to configure a bloody rotation... (crying)

wawawa

2 Answers


Make sure that the secret ARN is present in the Resource section of the policy. The error message says 'MyLambdaName is not authorized to perform: secretsmanager:DescribeSecret on resource: MysecretARN', but I don't see MysecretARN in the list of resources you allow the Lambda to access.

committedandroider
  • Hi, you are right, I only pasted the secret name instead of the ARN (slightly different, very hard to spot). I'm gonna try again. A follow-up question: do I need to add KMS policies for the execution role? – wawawa Feb 02 '20 at 15:32

All secrets in Secrets Manager are encrypted with a key (AWS KMS). Please ensure that your Lambda has permission to read the needed key.

UPD: I mean that the logic is the following: the Lambda must have permission to read the secret and to use the key (KMS) to decrypt the value of the secret.

elbik
  • Hi, can you be a bit more specific: how can I ensure my Lambda has permission to read the needed key? – wawawa Jan 31 '20 at 13:20
  • Please check > https://docs.aws.amazon.com/streams/latest/dev/permissions-user-key-KMS.html – elbik Jan 31 '20 at 13:25
  • The doc you attached is for Amazon Kinesis Data Streams. In order to configure this, do I need to add a key policy to the Lambda execution role or something? – wawawa Jan 31 '20 at 13:45
  • I'm new to AWS, can you explain a bit more clearly so that I can follow the steps and implement it? Sorry about the multiple comments. I remember that when I first created the secret, I chose `DefaultEncryptionKey`; how can I grant the permission... still confusing... – wawawa Jan 31 '20 at 13:58
  • `The Lambda must have the permission to read the Secret and to use key (KMS) to decrypt the value of Secret` How can I achieve this? Thanks – wawawa Jan 31 '20 at 14:13
  • So here is an example of the policy which the Lambda execution role must have: https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policy-example-encrypt-decrypt-specific-cmks – elbik Jan 31 '20 at 15:53
  • @elbik If this is the case, where the actual error is that the permission to read the key is missing, it should say that in the error message. Saying the 'DescribeSecret' permission is missing only confuses people – committedandroider Jan 31 '20 at 19:39
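Putting the two answers together as an added example (not code from the question or from either answer): a small IAM-style policy evaluator in Python that checks whether an execution-role policy allows each call a rotation Lambda makes. It models the policy from the question with the secret name where its ARN belongs, and a corrected policy that names the secret by ARN with a trailing `-*` (Secrets Manager appends a hyphen and six random characters to the secret name when it builds the ARN, so a hand-typed ARN without them also fails to match) plus `kms:Decrypt`/`kms:GenerateDataKey` on the key, restricted with `kms:ViaService`. The account ID, region, secret name, function name and key ID are placeholders, and the evaluator only handles Allow/Deny statements with `*`/`?` wildcards; it does not evaluate Condition blocks or KMS key policies.

```python
"""Check an execution-role policy against the calls a rotation Lambda makes.

Minimal IAM-style evaluator (added example, not AWS code): Allow/Deny statements,
'*' and '?' wildcards in Action and Resource, case-insensitive action names,
explicit Deny wins. Condition blocks and KMS key policies are NOT evaluated.
All ARNs below are constructed placeholders.
"""
import re

ACCOUNT = "123456789012"  # placeholder account ID
REGION = "us-east-1"
# Secrets Manager appends "-" plus six random characters to the name in the ARN,
# so the real ARN is not simply "...:secret:MySecret".
SECRET_ARN = f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:secret:MySecret-a1B2c3"
FUNCTION_ARN = f"arn:aws:lambda:{REGION}:{ACCOUNT}:function:MyLambdaName"
KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT}:key/11111111-2222-3333-4444-555555555555"

# Calls a rotation handler makes on the secret across its create/set/test/finish steps.
ROTATION_SECRET_ACTIONS = [
    "secretsmanager:DescribeSecret",
    "secretsmanager:GetSecretValue",
    "secretsmanager:PutSecretValue",
    "secretsmanager:UpdateSecretVersionStage",
]
# Needed when the secret is encrypted with a customer managed KMS key.
ROTATION_KMS_ACTIONS = ["kms:Decrypt", "kms:GenerateDataKey"]

# Shape of the policy in the question: the secret *name* where its ARN belongs.
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": ROTATION_SECRET_ACTIONS + ["lambda:InvokeFunction", "secretsmanager:RotateSecret"],
        "Resource": ["MySecret", FUNCTION_ARN],
    }],
}

# Corrected policy: secret by ARN (wildcard covers the random suffix), plus KMS use
# scoped to requests that arrive through Secrets Manager.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RotationSecretAccess",
            "Effect": "Allow",
            "Action": ROTATION_SECRET_ACTIONS,
            "Resource": f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:secret:MySecret-*",
        },
        {   # only needed if the handler generates the new password with GetRandomPassword
            "Sid": "RandomPassword",
            "Effect": "Allow",
            "Action": "secretsmanager:GetRandomPassword",
            "Resource": "*",
        },
        {
            "Sid": "DecryptWithCustomerManagedKey",
            "Effect": "Allow",
            "Action": ROTATION_KMS_ACTIONS,
            "Resource": KEY_ARN,
            "Condition": {"StringEquals": {"kms:ViaService": f"secretsmanager.{REGION}.amazonaws.com"}},
        },
    ],
}


def _iam_match(pattern, value, ignore_case):
    """IAM wildcard match: '*' matches any run, '?' one character, all else literal."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """True if some Allow statement matches the call and no Deny statement does."""
    allowed = False
    for stmt in policy.get("Statement", []):
        if not any(_iam_match(a, action, True) for a in _as_list(stmt.get("Action"))):
            continue
        if not any(_iam_match(r, resource, False) for r in _as_list(stmt.get("Resource"))):
            continue
        if stmt.get("Effect") == "Deny":
            return False  # an explicit deny always wins
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_permissions(policy, secret_arn, key_arn):
    """(action, resource) pairs the rotation Lambda needs but the policy does not allow."""
    needed = [(a, secret_arn) for a in ROTATION_SECRET_ACTIONS]
    needed += [(a, key_arn) for a in ROTATION_KMS_ACTIONS]
    return [(a, r) for a, r in needed if not is_allowed(policy, a, r)]


if __name__ == "__main__":
    for name, policy in (("question's policy", BROKEN_POLICY), ("fixed policy", FIXED_POLICY)):
        gaps = missing_permissions(policy, SECRET_ARN, KEY_ARN)
        print(f"{name}: {len(gaps)} missing")
        for action, resource in gaps:
            print(f"  not authorized to perform: {action} on resource: {resource}")
```

Two caveats the thread touches on. `lambda:InvokeFunction` in the execution role does nothing for rotation: it is Secrets Manager that invokes the function, and that is granted by a resource-based policy on the function (for example `aws lambda add-permission --function-name MyLambdaName --statement-id SecretsManagerAccess --action lambda:InvokeFunction --principal secretsmanager.amazonaws.com`), not by the role. And when the secret uses the AWS managed key `aws/secretsmanager` (the console's `DefaultEncryptionKey`), that key's own policy already lets principals in the same account use it through Secrets Manager, so the explicit KMS statement above is what you add for a customer managed key, whose key policy must also allow the role.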