
CORS issues when calling AWS secrets manager from Lambda function


I have an API written in python/chalice deployed as a Lambda which gets called from a web app. I thought I had the usual CORS issues fixed, at least, things are working with no problems and have done for a while. Being a good boy I decided it was time to move some hardcoded credentials out of the code into AWS Secrets Manager. Everything is still working well in my local environment (probably because both the API and app are on localhost) with the credentials correctly pulled out of Secrets Manager. However, when I deploy the API the web app is now reporting a CORS error:

Access to XMLHttpRequest at 'https://api' from origin 'https://webapp' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

I've tracked the source of the problem down to my call to boto3.session.Session().client().get_secret_value(). If I don't make this call - no CORS errors.

Here's the relevant snippet of my API code:

from chalice import Chalice
import boto3

app = Chalice(app_name='api')  # app name is a placeholder, not from the original snippet

@app.route('/get/table', methods=['GET'], cors=True)
def GetTable():
    # Build a Secrets Manager client in the Lambda's region
    session = boto3.session.Session()
    client = session.client(
        service_name='secretsmanager',
        region_name="eu-west-2"
    )
    # This is the call that coincides with the CORS error once deployed
    get_secret_value_response = client.get_secret_value(SecretId="prod/xxxx")
    # ... rest of the handler omitted in the original snippet

So, what's going wrong? Am I missing something simple?


Solution

  • I got there in the end. The root cause was not CORS but the fact that the Lambda uses a VPC. The fact that it was working locally (not sure how - perhaps something to do with the ssh tunnel I have set up for DB access) just added to the fog of confusion!

    After much banging of my head on the keyboard this is what got it working:

    • Setting up a VPC endpoint for Secrets Manager for the VPC
    • Adding an inbound rule to the VPC security group: All TCP for the security group (could perhaps be rationalised but I don't know what to)
    • Modifying the IAM permissions for the Lambda role to add Secrets Manager.

    -- edit

    Oh, the fun continues. The above works well... until I deploy a new version of the Lambda with Chalice. It seems that, by default, Chalice is generating a new policy for every deploy and even though it looks correct in the IAM console (Secrets Manager policy present) it's not working!

    I've had to copy the IAM policy summary from the role (when it's working) and create a new policy.json file in my local .chalice folder. When deploying, either specifying chalice deploy --no-autogen-policy or adding "autogen_policy": false to .chalice/config.json seems to finally fix things.
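As an added example (not the poster's own code), here is one way to produce the two `.chalice/` files the answer ends up with: a `policy.json` that grants the VPC-attached Lambda only what it needs (ENI and log actions plus `GetSecretValue` on the named secrets, never `*`), and a `config.json` that switches off Chalice's per-deploy policy generation. The `build_policy`/`check_policy`/`build_config` names, the account id and the secret ARN suffix are constructed for the example; `autogen_policy` and `iam_policy_file` are real Chalice config keys.

```python
"""Generate a least-privilege .chalice/policy.json and a config.json that
disables autogen_policy.  Added example, not the poster's code; the ARNs
and account id used with it are constructed placeholders."""
import json
from pathlib import Path

# Actions a Lambda inside a VPC needs to create its ENIs and write logs.
VPC_LAMBDA_ACTIONS = [
    "ec2:CreateNetworkInterface",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DeleteNetworkInterface",
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:PutLogEvents",
]


def build_policy(secret_arns):
    """Policy document that reads only the named secrets (no '*' resource)."""
    if not secret_arns:
        raise ValueError("at least one secret ARN is required")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": VPC_LAMBDA_ACTIONS, "Resource": "*"},
            {"Effect": "Allow",
             "Action": ["secretsmanager:GetSecretValue"],
             "Resource": sorted(secret_arns)},
        ],
    }


def check_policy(policy):
    """Pre-deploy lint: return findings for over-broad statements."""
    findings = []
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if any(a.startswith("secretsmanager:") for a in actions) and "*" in resources:
            findings.append("secretsmanager actions granted on Resource '*'")
        if "*" in actions or any(a.endswith(":*") for a in actions):
            findings.append("wildcard action in statement")
    return findings


def build_config(app_name):
    """config.json telling Chalice to use policy.json instead of autogenerating."""
    return {"version": "2.0", "app_name": app_name,
            "autogen_policy": False, "iam_policy_file": "policy.json"}


def write_chalice_files(chalice_dir, app_name, secret_arns):
    """Write both files; refuses to write a policy the lint rejects."""
    policy = build_policy(secret_arns)
    if check_policy(policy):
        raise ValueError(check_policy(policy))
    d = Path(chalice_dir)
    d.mkdir(parents=True, exist_ok=True)
    (d / "policy.json").write_text(json.dumps(policy, indent=2))
    (d / "config.json").write_text(json.dumps(build_config(app_name), indent=2))
    return policy
```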