AWS SecretsManager list_secret_version_ids in lambda rotation function Returns AccessDeniedException

Question

I am writing a custom lambda function to implement a generic rotating keys algorithm for use in SecretsManager.

The python lambda function works perfectly when running locally in my pycharm IDE, however, when I paste it into the lambda console and deploy it, I get a AccessDeniedException when executing "Rotate Secret Immediately" in SecretsManager. The offending code is:

 resp = service_client.list_secret_version_ids(SecretId=arn, IncludeDeprecated=True)

The logged in user is in a group with the AdministratorAccess policy attached. I also added the SecretsManagerReadWrite policy for kicks.

I print an error message which includes the arn of the secret and it is correct. This code is called from the finishSecret method after the "normal" code is complete, so the secret does rotate fine. However, I added custom code to ensure I keep versions for 2 years (by assigning Version stages so SM won't delete them). For this, I need the list-secret-version-ids method.

Is there some kind of restriction on this function when called from SecretsManager?

Any ideas?

Answer 1

I resolved this issue. Apparently the default IAM role assigned to the lambda function when I created it did not include permsissions to run the ListSecretversionIds method. I followed the section titled "Creating a Lambda rotation function using an AWS Serverless Application Repository template" in teh AWS SecretsManager User Guide (Starting on page 84).

So, to add the permission do:

1. Bring up the lambda function just created 
2. Click the Permissions tab
3. Click the role that was assigned (at top of page)
4. On the Permissions tab (already displayed)
    1. Click Show 2 more
    2. Open SecretsManagerRotationTemplateRolePolicy1
    3. Click [Edit Policy] button
    4. Click [JSON] 
    5. Add "secretsmanager:ListSecretVersionIds” to the list of Actions allowed so it looks like:
            "Action": [ 
                "secretsmanager:DescribeSecret",
                "secretsmanager:GetSecretValue",
                "secretsmanager:PutSecretValue",
                "secretsmanager:UpdateSecretVersionStage",
                "secretsmanager:ListSecretVersionIds"
            ],
    6. Click [Review...]
    7. Click [Save Changes]

Or if you're squeamish about editing JSON, you can use the interactive approach on the Visual Editor tab instead.