
I have built a .NET Lambda API. The API works and uses Secrets Manager when run from the SAM CLI (after giving my profile permissions), but it is unable to use Secrets Manager after deployment. I get a 500 error code whenever I try to access the API, and the logs confirm that the problem is Secrets Manager. I have a profile that has permissions that I have added under the config tab on the AWS Lambda console. The following are my permissions (with the ARNs removed):

{
  "Version": "blah",
  "Id": "default",
  "Statement": [
    {
      "Sid": "sid",
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "ARN-Gateway",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn"
        }
      }
    },
    {
      "Sid": "sid-profile",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "profile-arn"
    }
  ]
}

And the following are the permissions that sid-profile has:

{
  "Statement": [
    {
      "Sid": "secrets-sid",
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": [
        "secret-arn-2",
        "secret-arn-1"
      ]
    }
  ]
}

The following is the error message:

Unhandled exception. Amazon.SecretsManager.AmazonSecretsManagerException: User: arn-function is not authorized to perform: secretsmanager:GetSecretValue on resource: secret-1 because no identity-based policy allows the secretsmanager:GetSecretValue action

This is especially confusing since the IAM profile attached specifically references GetSecretValue. Any help would be appreciated!

Pap113

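The error text above names an "identity-based policy", which is a different object from the first document in the question: a policy that carries a Principal is a resource-based policy on the Lambda function and only controls who may invoke it, while the policy that lets the function call Secrets Manager must be attached to the execution role named after "User:" in the error. The following offline checker, added here as an illustration and not part of the question or of any AWS library, makes that distinction mechanical: it classifies a policy document, parses the AccessDenied message to recover the denied principal, and runs a simplified identity-based evaluation (explicit deny > allow > implicit deny, with IAM wildcard matching). All ARNs, names and the error string are constructed samples that only mirror the shape of the redacted ones in the question; Condition, NotAction and NotResource are not modelled.

```python
import re

# Constructed sample shaped like the question's first document: a Lambda
# resource-based policy. It names a Principal, so it grants *other* principals the
# right to invoke the function; it grants the function itself nothing.
RESOURCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowApiGatewayInvoke", "Effect": "Allow",
        "Principal": {"Service": "apigateway.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": "arn:aws:lambda:us-east-1:123456789012:function:example-api",
    }],
}

# Constructed sample shaped like the second document: an identity-based policy
# (no Principal). IAM honours it only for the role it is actually attached to.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadSecrets", "Effect": "Allow",
        "Action": "secretsmanager:GetSecretValue",
        "Resource": ["arn:aws:secretsmanager:us-east-1:123456789012:secret:example/db-AbCdEf",
                     "arn:aws:secretsmanager:us-east-1:123456789012:secret:example/api-GhIjKl"],
    }],
}

# Constructed sample of the AccessDenied text (shape only; values are made up).
SAMPLE_ERROR = (
    "User: arn:aws:sts::123456789012:assumed-role/example-api-role/example-api "
    "is not authorized to perform: secretsmanager:GetSecretValue on resource: "
    "arn:aws:secretsmanager:us-east-1:123456789012:secret:example/db-AbCdEf "
    "because no identity-based policy allows the secretsmanager:GetSecretValue action"
)


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value, ignore_case):
    """IAM wildcard semantics: '*' matches any run of characters, '?' one character.
    Action names compare case-insensitively; ARNs compare case-sensitively."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def is_identity_based(policy):
    """True when no statement names a Principal: the kind of document that can be
    attached to a role, i.e. the kind the error message says is missing."""
    return all("Principal" not in s and "NotPrincipal" not in s
               for s in _as_list(policy.get("Statement")))


def evaluate_identity(policies, action, resource):
    """Simplified identity-based evaluation: explicit deny > allow > implicit deny.
    Statements with a Principal are resource-based grants and are skipped; statements
    using Condition/NotAction/NotResource are treated as not matching (teaching
    approximation, not a substitute for the IAM policy simulator)."""
    decision = "implicit_deny"
    unsupported = ("Principal", "NotPrincipal", "Condition", "NotAction", "NotResource")
    for policy in policies:
        for stmt in _as_list(policy.get("Statement")):
            if any(key in stmt for key in unsupported):
                continue
            action_ok = any(_wildcard_match(a, action, True) for a in _as_list(stmt.get("Action")))
            resource_ok = any(_wildcard_match(r, resource, False) for r in _as_list(stmt.get("Resource")))
            if action_ok and resource_ok:
                if stmt.get("Effect") == "Deny":
                    return "explicit_deny"
                if stmt.get("Effect") == "Allow":
                    decision = "allow"
    return decision


_DENIED_RE = re.compile(r"User: (?P<principal>\S+) is not authorized to perform: "
                        r"(?P<action>\S+) on resource: (?P<resource>\S+)")


def parse_access_denied(message):
    """Recover principal, action and resource from an IAM AccessDenied message. The
    principal is the role the code really ran as, so it is that role's attached
    policies that have to allow the action."""
    match = _DENIED_RE.search(message)
    if not match:
        return None
    found = match.groupdict()
    found["identity_policy_missing"] = "no identity-based policy allows" in message
    return found


if __name__ == "__main__":
    denied = parse_access_denied(SAMPLE_ERROR)
    print("denied principal:", denied["principal"])
    print("if IDENTITY_POLICY were on that role:",
          evaluate_identity([IDENTITY_POLICY], denied["action"], denied["resource"]))
    print("if only RESOURCE_POLICY existed:",
          evaluate_identity([RESOURCE_POLICY], denied["action"], denied["resource"]))
```

To use this against a real deployment, fetch the execution role with `aws lambda get-function-configuration --function-name <name> --query Role`, then list what is really attached to that role with `aws iam list-attached-role-policies --role-name <role>` and `aws iam list-role-policies --role-name <role>`, and paste those documents into `policies`. The role ARN printed from the error should match the role you attached the Secrets Manager policy to; the SAM CLI succeeding locally only proves that the developer profile has the permission, not that the deployed execution role does.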