I have set up a simple synthetic transaction monitoring (canary) in AWS that runs a POST HTTP request against a specific endpoint, using secret keys defined in AWS Secrets Manager (ASM).
const AWS = require('aws-sdk');
const secretsManager = new AWS.SecretsManager();

// Fetch the client key and certificate from Secrets Manager.
// Both calls use the same SecretId, exactly as in the original post.
const getKeyCert = async () => {
    const keyParams = {
        SecretId: "arn:aws:secretsmanager:us-west-1:443682978425:secret:Canary_BO_TLS_CER-LalJXG"
    };
    const key = await secretsManager.getSecretValue(keyParams).promise();
    const certParams = {
        SecretId: "arn:aws:secretsmanager:us-west-1:443682978425:secret:Canary_BO_TLS_CER-LalJXG"
    };
    const cert = await secretsManager.getSecretValue(certParams).promise();
    // Return the secret values so the caller's array destructuring receives them
    return [ key.SecretString, cert.SecretString ];
};

var synthetics = require('Synthetics');
const log = require('SyntheticsLogger');
const syntheticsConfiguration = synthetics.getConfiguration();

const apiCanaryBlueprint = async function () {
    const [ key, cert ] = await getKeyCert();
    syntheticsConfiguration.setConfig({
        restrictedHeaders: [], // Value of these headers will be redacted from logs and reports
        restrictedUrlParameters: [] // Values of these url parameters will be redacted from logs and reports
    });
    // ... the request logic follows here (cut off in the original post)
};

// Standard Synthetics entry point so the canary runtime can invoke the blueprint
exports.handler = async () => {
    return await apiCanaryBlueprint();
};
I have also attached the GetSecretValue policy in IAM to the role that runs the canary.
But for some reason, I'm getting an error message related to Key Management Service (KMS):
AccessDeniedException: Access to KMS is not allowed Stack: AccessDeniedException: Access to KMS is not allowed
Which is very interesting, because I did not encrypt my secret in AWS Secrets Manager (ASM).
Which led me to think: could it be that Key Management Service (KMS) is encrypting secrets by default, if I didn't encrypt them in the first place?
I'm not sure how to solve this issue.