How do I add Secrets Manager IAM permission?

Question

I'm reading the CDK docs about the SecretsManager and I'm not sure if I've mis-understood, but what I thought would work from their example doesn't seem to grant the permission I expected. Essentially I have a stack that contains some Lambdas, and I'd like all of them to be able to Read two secrets from the SecretsManager.

class CdkStack extends cdk.Stack {
    /**
     *
     * @param {cdk.Construct} scope
     * @param {string} id
     * @param {cdk.StackProps=} props
     */
    constructor(scope, id, props) {
        super(scope, id, props);

        // eslint-disable-next-line no-new
        new APIServices(this, "APIServices");

        const role = new iam.Role(this, "SecretsManagerRead", {
            assumedBy: new iam.AccountRootPrincipal(),
        });

        const dbReadSecret = new secretsmanager.Secret(this, "databaseReader");
        const dbWriteSecret = new secretsmanager.Secret(this, "databaseWriter");

        dbReadSecret.grantRead(role);
        dbWriteSecret.grantRead(role);
    }
}

If I understood it correctly I should simply create this role and give it permissions to access secrets? My Lambda's still however failed when I tried to run them. Do I need to do anything else not mentioned in the docs I was reading about assigning that role to the Lambdas explicitly too?

Answer 1

Depending on your actual context there are two possible variants.

1. Import existing role

If the Lambda function has been predefined (e.g. in a different stack), you can add the additional permissions to the existing Lambda execution role by importing it into this CDK stack first.

class CdkStack extends cdk.Stack {
    constructor(scope, id, props) {
        // ...

        // Import the existing role into the stack
        const roleArn = 'arn:aws:iam::123456789012:role/MyExistingLambdaExecutionRole'
        const role = iam.Role.fromRoleArn(this, 'Role', roleArn, {
            mutable: true,
        });

        const dbReadSecret = new secretsmanager.Secret(this, "databaseReader");
        const dbWriteSecret = new secretsmanager.Secret(this, "databaseWriter");

        dbReadSecret.grantRead(role);
        dbWriteSecret.grantRead(role);
    }
}

For more information regarding the usage of the aws-iam CDK module, here's the link to the documentation. Here, you can learn more about the Lambda Execution Role itself.

2. Lambda function defined as part of stack

If the lambda function has been defined somewhere in this stack, you can simply attach the permissions to the Lambda function through its reference using dbReadSecret.grantRead(lambda.role) and dbWriteSecret.grantRead(lambda.role) respectively.

class CdkStack extends cdk.Stack {
    constructor(scope, id, props) {
        // ...

        // Create the function or retrieve the reference if 
        // it has been defined somewhere else in the stack

        const lambda = ...

        const dbReadSecret = new secretsmanager.Secret(this, "databaseReader");
        const dbWriteSecret = new secretsmanager.Secret(this, "databaseWriter");

        dbReadSecret.grantRead(lambda.role);
        dbWriteSecret.grantRead(lambda.role);
    }
}

Please have a look at the answer to this question for reference.