Does anyone know how to enable all Lambda functions with tag 't' to get access to a specific secret in AWS Secrets Manager?

I have tried an even more basic thing, like enabling read access for all Lambda functions, without success.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:<aws_region>:<my_account>:secret:<my_secret_id>"
    }
  ]
}
Maurice
user2550587

1 Answer

It doesn't work that way.

It is not Lambda that is accessing the secret, but the role that Lambda has assumed.

If you attach the tags to your role, you might be able to use the aws:PrincipalTag global condition.

I haven't tested it, but it should look something like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn-of-execution-role"},
      "Condition": {
        "StringEquals": {
          "aws:PrincipalTag/your-tag-key": "your-tag-value"
        }
      },
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:<aws_region>:<my_account>:secret:<my_secret_id>"
    }
  ]
}
Maurice
  • I have tried to put the following for the Principal without success: "AWS" : "arn:aws:iam:::role/*". I want to give access to all the roles/users which execute the tagged lambdas, and I don't want to go over and apply every lambda with the new IAM role that gives access to this secret. Do you think it's possible? What am I missing? Thanks in advance. – user2550587 Apr 16 '21 at 16:10
  • Well, this is always a two-step process. The policy on the role needs to grant the permission **and** the policy on the secret has to grant the permission. (Note that the same is true for the underlying KMS key that encrypts the secret.) – Maurice Apr 16 '21 at 17:03
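As an added illustration of the two-step point in the answer and comments (this is example code, not from the thread), the following Python builds both halves of the grant, the secret's resource policy with the aws:PrincipalTag condition and the execution role's identity policy, and models how the tag condition is evaluated. The tag key "t" with value "true", the account-root principal used for same-account delegation, and the `<my_account>` placeholders are assumptions.

```python
# Placeholders copied from the question; replace them with real values.
SECRET_ARN = "arn:aws:secretsmanager:<aws_region>:<my_account>:secret:<my_secret_id>"
ACCOUNT_ID = "<my_account>"

def secret_resource_policy(tag_key, tag_value, account_id=ACCOUNT_ID):
    """Resource policy for the secret. The account-root principal only delegates
    to IAM (the caller still needs an identity policy); the condition narrows the
    grant to principals, e.g. Lambda execution roles, carrying the matching tag."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "*",  # in a secret's own resource policy "*" is this secret
            "Condition": {"StringEquals": {f"aws:PrincipalTag/{tag_key}": tag_value}},
        }],
    }

def role_identity_policy(secret_arn=SECRET_ARN):
    """Identity policy for each execution role: the other half of the grant."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": secret_arn,
        }],
    }

def principal_tag_condition_matches(policy, principal_tags):
    """Minimal model of a StringEquals aws:PrincipalTag condition: every listed
    key must be on the principal with exactly that value; a missing tag fails."""
    prefix = "aws:PrincipalTag/"
    for key, expected in policy["Statement"][0]["Condition"]["StringEquals"].items():
        if not key.startswith(prefix):
            raise ValueError(f"only {prefix}* is modelled here, got {key}")
        if principal_tags.get(key[len(prefix):]) != expected:
            return False
    return True

def read_allowed(role_tags, role_has_identity_grant, tag_key="t", tag_value="true"):
    """Same-account access needs both halves: the role's identity policy and the
    secret's resource policy, whose condition the role's tags must satisfy.
    (The KMS key policy is a third gate that is not modelled here.)"""
    if not role_has_identity_grant:
        return False
    return principal_tag_condition_matches(secret_resource_policy(tag_key, tag_value), role_tags)
```

The tags that count are those on the IAM role the function assumes, not tags on the Lambda function itself.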