I have a simple AWS application that runs a lambda function and I am attempting to fetch a secrets object where I have stored some auth tokens.
When I invoke my function even though I have created a resource policy that specifies the ARN and the function that I want to run, I keep getting an error message saying that I am not authorised to access the resource.
I will post my policy below but with some hardcoded values for security purposes:
```json
{
  "Version" : "2012-10-17",
  "Statement" : [ {
    "Action" : "secretsmanager:GetSecretValue",
    "Resource" : "arn:aws:secretsmanager:Region:AccountId:secret:SecretName-123123",
    "Effect" : "Allow",
    "Principal" : {
      "Service" : "secretsmanager.amazonaws.com"
    }
  } ]
}
```
The policy is saved correctly and there are no syntax errors. Is there anything else that I need to include?
Initially there was a syntax error that prevented me from saving the policy. The issue was solved by adding the "Principal" property. However the access denied error is still there.
As you are using a resource-based policy to attach a permissions policy to an AWS Secrets Manager secret, you need to specify the ARN of your Lambda function as the Principal in the resource-based policy on your secret.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::AccountId:role/LamdaRoleToAccessSecrets"
      },
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:Region:AccountId:secret:SecretName-123123"
    }
  ]
}
```
Hope it helps.
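To make the difference between the two policies concrete, here is an added example (not code from the question or the answer) that runs a simplified IAM-style evaluation over both documents. It treats the placeholder ARNs from the thread as constructed values and assumes the caller is the Lambda execution role `arn:aws:iam::AccountId:role/LamdaRoleToAccessSecrets`. The evaluator honours the essentials a practitioner cares about when debugging an `AccessDenied` on a resource policy: the `Principal` must name the calling IAM identity under the `AWS` key (a `Service` principal such as `secretsmanager.amazonaws.com` never matches an execution role), the `Action` and `Resource` must match (wildcards allowed), and an explicit `Deny` always wins.

```python
import fnmatch
import json

# Constructed placeholders taken from the thread; not real account data.
SECRET_ARN = "arn:aws:secretsmanager:Region:AccountId:secret:SecretName-123123"
LAMBDA_ROLE_ARN = "arn:aws:iam::AccountId:role/LamdaRoleToAccessSecrets"

# The questioner's policy: Principal is a *service*, not the Lambda role.
QUESTION_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Action": "secretsmanager:GetSecretValue",
    "Resource": "arn:aws:secretsmanager:Region:AccountId:secret:SecretName-123123",
    "Effect": "Allow",
    "Principal": {"Service": "secretsmanager.amazonaws.com"}
  }]
}""")


def build_secret_policy(role_arn, secret_arn):
    """Return a resource policy that grants GetSecretValue to one IAM role (the answer's shape)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": role_arn},
            "Action": "secretsmanager:GetSecretValue",
            "Resource": secret_arn,
        }],
    }


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller_arn):
    """True if the statement's Principal element covers the calling IAM identity."""
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    # Only the "AWS" key names IAM identities (roles, users, accounts).
    # "Service" names an AWS service, so a Lambda execution role never
    # matches it, which is why the questioner's policy yields AccessDenied.
    aws_principals = _as_list(principal.get("AWS"))
    return any(p == "*" or p == caller_arn for p in aws_principals)


def _matches_any(patterns, value):
    """IAM-style wildcard match ('*' and '?') of value against one or more patterns."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policy, caller_arn, action, resource):
    """Simplified resource-policy evaluation.

    Returns "ExplicitDeny", "Allow" or "ImplicitDeny". Real IAM also consults the
    role's identity-based policy and any SCPs; this only models the resource policy,
    which is enough to see why one document grants access and the other does not.
    """
    decision = "ImplicitDeny"
    for stmt in policy.get("Statement", []):
        if not _principal_matches(stmt.get("Principal"), caller_arn):
            continue
        if not _matches_any(stmt.get("Action"), action):
            continue
        if not _matches_any(stmt.get("Resource"), resource):
            continue
        if stmt.get("Effect") == "Deny":
            return "ExplicitDeny"
        if stmt.get("Effect") == "Allow":
            decision = "Allow"
    return decision


if __name__ == "__main__":
    answer_policy = build_secret_policy(LAMBDA_ROLE_ARN, SECRET_ARN)
    action = "secretsmanager:GetSecretValue"
    print("question policy:", evaluate(QUESTION_POLICY, LAMBDA_ROLE_ARN, action, SECRET_ARN))
    print("answer policy:  ", evaluate(answer_policy, LAMBDA_ROLE_ARN, action, SECRET_ARN))
```

Running it reports `ImplicitDeny` for the questioner's policy and `Allow` for the corrected one; swapping in a different role ARN or a different action (say `secretsmanager:DeleteSecret`) falls back to `ImplicitDeny`, which is the least-privilege outcome you want from a secret's resource policy.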