How can I restrict a secret to be accessed only by a certain lambda function?

I have the following use case: I have stored a secret in Secrets Manager and I want to make the value of that secret available only to a lambda. The resource-based policy of the secret looks like:

{
 "Version" : "2012-10-17",
 "Statement" : [ {
   "Effect" : "Deny",
   "NotPrincipal" : {
     "AWS" : "arn:aws:iam::8999990:role/service-role/test-get-secret-role-68hr4lv6"
   },
   "Action" : [
       "secretsmanager:DescribeSecret",
       "secretsmanager:GetRandomPassword",
       "secretsmanager:GetResourcePolicy",
       "secretsmanager:GetSecretValue",
       "secretsmanager:ListSecrets",
       "secretsmanager:ListSecretVersionIds"
       ],
   "Resource" : "arn:aws:secretsmanager:eu-west-1:99999889:secret:test-test-LLCii9"
 } ]
}

But the lambda is still not allowed to access the secret, even though I also added the Secrets Manager permissions to the lambda execution role. Is there another approach for this?

Updated:

{
  "Version" : "2012-10-17",
  "Statement" : [ {
    "Effect" : "Deny",
    "NotPrincipal" : {
      "AWS" : [ "arn:aws:iam::254386565891:role/service-role/test-get-secret-role-68hr4lv6", "arn:aws:sts::254386565891:assumed-role/test-get-secret-role-68hr4lv6/test-get-secret", "arn:aws:sts::254386565891:root" ]
    },
    "Action" : [ "secretsmanager:CancelRotateSecret", "secretsmanager:DeleteSecret", "secretsmanager:GetRandomPassword", "secretsmanager:GetSecretValue", "secretsmanager:ListSecrets", "secretsmanager:ListSecretVersionIds", "secretsmanager:PutSecretValue", "secretsmanager:RemoveRegionsFromReplication", "secretsmanager:ReplicateSecretToRegions", "secretsmanager:RestoreSecret", "secretsmanager:RotateSecret", "secretsmanager:StopReplicationToReplica", "secretsmanager:TagResource", "secretsmanager:UntagResource", "secretsmanager:UpdateSecret", "secretsmanager:UpdateSecretVersionStage" ],
    "Resource" : "arn:aws:secretsmanager:eu-west-1:254386565891:secret:test1-LLCii9"
  }, {
    "Effect" : "Allow",
    "Principal" : {
      "AWS" : [ "arn:aws:iam::254386565891:role/service-role/test-get-secret-role-68hr4lv6"]
    },
    "Action" : "secretsmanager:GetSecretValue",
    "Resource" : "arn:aws:secretsmanager:eu-west-1:254386565891:secret:test1-LLCii9"
  } ]
}
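As an added illustration (not code from the post), here is a simplified model of why the first policy blocks the function while the updated one does not: the NotPrincipal exemption in a Deny statement is matched against the caller's literal ARN, and a Lambda invocation calls as the STS assumed-role session ARN rather than the IAM role ARN, so both have to be listed. The ARNs are constructed from the post; the session name and the matching rules are simplifying assumptions, not the IAM engine itself.

```python
import fnmatch

# Constructed from the post: the Lambda execution role, the STS session ARN its
# invocations actually present (role path dropped; session name = function name
# is an assumption), and the secret, all in the updated policy's account.
ACCOUNT = "254386565891"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/service-role/test-get-secret-role-68hr4lv6"
SESSION_ARN = f"arn:aws:sts::{ACCOUNT}:assumed-role/test-get-secret-role-68hr4lv6/test-get-secret"
SECRET_ARN = f"arn:aws:secretsmanager:eu-west-1:{ACCOUNT}:secret:test1-LLCii9"
GET = "secretsmanager:GetSecretValue"

FIRST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "NotPrincipal": {"AWS": ROLE_ARN}, "Action": [GET], "Resource": SECRET_ARN}]}
UPDATED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "NotPrincipal": {"AWS": [ROLE_ARN, SESSION_ARN]}, "Action": [GET], "Resource": SECRET_ARN},
    {"Effect": "Allow", "Principal": {"AWS": [ROLE_ARN]}, "Action": GET, "Resource": SECRET_ARN}]}

def _as_list(v):
    return [v] if isinstance(v, str) else list(v)

def _role_key(arn):
    """Collapse an IAM role ARN or an STS assumed-role ARN to (account, role name)."""
    acct, res = arn.split(":")[4], arn.split(":")[5]
    if res.startswith("assumed-role/"):
        return acct, res.split("/")[1]
    return acct, res.split("/")[-1] if res.startswith("role/") else res

def evaluate(policy, caller_arn, action, resource):
    """Simplified evaluation: 'Deny' (explicit), 'Allow', or 'Neutral' (nothing matched;
    a same-account caller then relies on its identity policy). Explicit Deny wins."""
    verdict = "Neutral"
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if "NotPrincipal" in st:
            # The exemption is a literal ARN comparison: listing only the role
            # ARN does not exempt that role's sessions, which is the gotcha here.
            applies = caller_arn not in _as_list(st["NotPrincipal"]["AWS"])
        else:
            # A role ARN in Principal does match sessions assumed from that role.
            listed = _as_list(st["Principal"]["AWS"])
            applies = any(_role_key(p) == _role_key(caller_arn) for p in listed)
        if applies and st["Effect"] == "Deny":
            return "Deny"
        if applies:
            verdict = "Allow"
    return verdict
```

Running `evaluate(FIRST_POLICY, SESSION_ARN, GET, SECRET_ARN)` yields `"Deny"`, while the same call against `UPDATED_POLICY` yields `"Allow"`, and any other role's session is still explicitly denied.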
Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow