What permissions does my Lambda function need to be able to retrieve secrets from AWS Secrets Manager and also change them?
2 Answers
You need the secretsmanager:GetSecretValue policy to retrieve secrets and the secretsmanager:UpdateSecret policy to update secrets.
Note that if you are using a customer-managed AWS KMS key for encryption you will also need some KMS permissions: kms:Decrypt for retrieving the secret, and kms:Decrypt and kms:GenerateDataKey for updating the secret.
https://docs.aws.amazon.com/cli/latest/reference/secretsmanager/get-secret-value.html
https://docs.aws.amazon.com/cli/latest/reference/secretsmanager/update-secret.html

- Yep; thanks, I'm using those policies but I'm not able to access the secret. In my case I'm using a specific VPC; once I delete the VPC my Lambda function works correctly, but I need to be able to use it with a specific VPC, so if you have any idea about the issue I get with the usage of a specific VPC I'd appreciate it if you share it with me – learn.amzn21 May 20 '21 at 20:46
- @learn.amzn21 so you need to run the Lambda on a specific VPC, is that correct? Can you also share the error from the Lambda logs? – Julian Calle May 20 '21 at 22:54
- { "errorMessage": "2021-05-21T08:54:56.954Z 103aa5dd-675b-4a61-876e-279c64fc1239 Task timed out after 25.03 seconds" } – learn.amzn21 May 21 '21 at 08:55
- START RequestId: 103aa5dd-675b-4a61-876e-279c64fc1239 Version: $LATEST END RequestId: 103aa5dd-675b-4a61-876e-279c64fc1239 REPORT RequestId: 103aa5dd-675b-4a61-876e-279c64fc1239 Duration: 25025.19 ms Billed Duration: 25000 ms Memory Size: 128 MB Max Memory Used: 69 MB Init Duration: 220.53 ms 2021-05-21T08:54:56.954Z 103aa5dd-675b-4a61-876e-279c64fc1239 Task timed out after 25.03 seconds – learn.amzn21 May 21 '21 at 08:56
- I tried changing the timeout and giving it more time; that's not the problem. The problem is that I'm not able to access the secret, but when I run the same code in a Lambda function without specifying the VPC it works correctly. So I'm not sure if I need to add more permissions? – learn.amzn21 May 21 '21 at 09:01
- Does the subnet where the Lambda is running have access to the internet? This is likely to be a network issue. Check the security group outbound rules and the subnet network configuration and make sure you have access to the AWS Secrets endpoint. As a quick turnaround, you can launch an EC2 instance with the same subnet and security group as the Lambda function and then test the connectivity to the Secrets Manager using the AWS CLI. – Julian Calle May 24 '21 at 19:29
If you are using the Lambda functions provided by AWS, then (as described in the docs) you will need: DescribeSecret, GetSecretValue, PutSecretValue, UpdateSecretVersionStage and GetRandomPassword. If you are using a Custom KMS Key (CMK) you will also need Decrypt and GenerateDataKey permissions for that CMK (both in the Lambda policy and in the KMS key policy).
If you are seeing Task timed out errors, it is likely your Lambda cannot access either the Secrets Manager endpoint (try using a VPC endpoint), or the Lambda cannot connect to the DB (check security group settings).

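A least-privilege IAM policy for the Lambda execution role that combines the Secrets Manager and KMS actions named in both answers, as an added example rather than code from either answer; the account ID 111122223333, the us-east-1 region, the secret name prefix and the key ID are placeholders, and the kms:ViaService condition limits the key grant to calls that arrive through Secrets Manager.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadAndUpdateOneSecret",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:UpdateSecret"
      ],
      "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/app/db-*"
    },
    {
      "Sid": "UseCustomerManagedKeyOnlyViaSecretsManager",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "secretsmanager.us-east-1.amazonaws.com"
        }
      }
    }
  ]
}
```

Secrets Manager appends a random six-character suffix to every secret ARN, so the secret Resource has to end in a wildcard rather than the bare name; as the second answer notes, the key policy on the customer-managed key must grant the same two KMS actions to the role as well.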