We currently have AWS Lambda functions retrieving secrets from AWS Secrets Manager using the following resource permissions on the AWS secret (the Lambda function and secret belong to the same AWS account):
{
  "Version" : "2012-10-17",
  "Statement" : [ {
    "Effect" : "Allow",
    "Principal" : {
      "AWS" : "arn:aws:iam::111111111111:role/MyLambda-FunctionNameRole-1TG1EVGPEQ8TZ"
    },
    "Action" : "secretsmanager:GetSecretValue",
    "Resource" : "*",
    "Condition" : {
      "ForAnyValue:StringEquals" : {
        "secretsmanager:VersionStage" : "AWSCURRENT"
      }
    }
  } ]
}
Due to more frequent secret lookups, I want to add secret caching using the AWS Go SecretsManager Caching, but am receiving the following error message:
AccessDeniedException: User: arn:aws:sts::111111111111:assumed-role/MyLambda-FunctionName-DNV2M7OYIFMX/MyLambda-FunctionName-eoFcAmXLBOV1 is not authorized to perform: secretsmanager:DescribeSecret on resource: secrets_key_name
The secret arn prefix is:
arn:aws:secretsmanager:us-east-1
The code to create the caching manager:
import (
    "github.com/aws/aws-sdk-go/aws"
    "github.com/aws/aws-sdk-go/aws/session"
    "github.com/aws/aws-sdk-go/service/secretsmanager"
    "github.com/aws/aws-secretsmanager-caching-go/secretcache"
)
sess := session.Must(session.NewSession(aws.NewConfig().WithRegion("us-east-1")))
secretCache, _ := secretcache.New(
    func(c *secretcache.Cache) {
        c.Client = secretsmanager.New(sess) // hand the cache an explicitly configured client
    },
)
And code to retrieve the secret:
secretString, err := secretCache.GetSecretString(secrets_key_name)
I tried adding secretsManager:DescribeSecret to the actions in the secret resource permissions, as well as changing to secretsManager:*, but I'm still receiving the error message. I suspect it has to do with the
arn:aws:sts::111111111111:assumed-role
but I'm not sure why there is an assumed role being requested (the Lambda function and secret in question both belong to the same AWS account) or how to fix it. Any help is greatly appreciated!
edit: I was able to produce a similar error message directly using the SecretsManager API (without the caching client) by not setting the secret VersionStage, though the documentation states that not specifying should behave as if using "AWSCURRENT", which is desired. Thinking it might be similar, I switched my caching client code to the following, but still receive the same errors:
secretString, err := secretCache.GetSecretStringWithStage(secrets_key_name, "AWSCURRENT")
Turns out this is apparently similar to what is mentioned in this issue: removing the condition from the secret resource policy fixes it:
{
  "Version" : "2012-10-17",
  "Statement" : [ {
    "Effect" : "Allow",
    "Principal" : {
      "AWS" : "arn:aws:iam::redacted:role/MyLambdaFunctionNameRole-DNV2M7OYIFMX"
    },
    "Action" : "secretsmanager:GetSecretValue",
    "Resource" : "*"
  } ]
}
I'm not sure why calling GetSecretStringWithStage("my_secret_name", "AWSCURRENT") didn't resolve the issue the same way adding VersionStage to the SecretsManager API call did... but that's for another day.
Thanks LRutten for the help figuring this out!