Lambda function can't access Secrets Manager

Question

I wrote a lambda function to access a database so the first step is to get secrets from AWS Secrets Manager. I have a private VPC as well as subnets, NAT Gateway, and security group associated with the lambda function. I also have secretsmanager.Secret.grantRead(lambda_exec_role) so the lambda should have access to Secrets Manager.

For some reason when I test it in API Gateway, I got "errno": "ETIMEDOUT" and "code": "NetworkingError" in CloudWatch. And from the printed log I had in the API, getting secrets was failed.

I also tried to add a VPC endpoint for Secrets Manager as in here, but still got the same error.

Appreciated if anyone here could help me with this or give some hints.

Many thanks!

Answer 1

I had trouve with a lambda getting secret content too.

They are several things you can try :

#1 Make sure you have permission to get the secret value, I'll give you mine for a working configuration :

• Allow:secretsmanager:GetSecretValue on your secret
• Allow:secretsmanager:DescribeSecret on your secret
• Allow:secretsmanager:ListSecrets on all ressources

#2 I had trouble too with my VPC and subnets. If misconfugred, you won't be able to call Secret Manager API.

• Switch to no VPC for your lambda and check if you can get your secret OK. If it works then it means you have a problem with your VPC/subnet configuration.
• Check your subnet configuration :
  • On public subnet, you can configure a specific endpoint for secret manager, though I couldn't make it work, don't know why.
  • On private subnet, you nea to configure a NAT Gateway to be able to call for Secret Manager API.

Hoping it could help someone someday. :)