Secrets Manager: failed to rotate the secret, cannot invoke the specified Lambda function

Error: Secrets Manager cannot invoke the specified Lambda function. Ensure that the function policy grants access to the principal secretsmanager.amazonaws.com

I'm using Secret Manager to store my key for verifying JWTs.
My planned configuration is to rotate and deprecate the keys with the following logic:

My secret looks like this:

{
  current:'my-current-secret',
  previous:'my-previous-secret',
  alg:'encoding alg',
}

*It seemed like overkill to use two secrets and rotate them -- I'm only keeping a memory of the previous token to handle fringe cases for a hand-off. If auth fails I'll check if it verifies with the previous; if it does, it'll return an updated cookie using the current key.

createSecret:

putSecretValue({
  current: getRandomPassword(...),
  previous: getSecretValue(...)['current'],
  alg: env.param ? env.param : getSecretValue(...)['alg']
})

I'm not using setSecret, testSecret or finishSecret.

I'm not using serverless (I will at some point, but I wanted to familiarize myself with AWS/GUI first before short-cutting with the CLI). I've looked at:

  • How do I grant a rotation Lambda access to AWS Secrets Manager
  • https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets-create-generic-template.html

I can't figure out what IAM setting I'm missing.

When I try to set the rotation lambda: [screenshot: add rotation]

This flashes (so quickly I had to record my screen to take a look): [screenshot: false hope]

And I immediately get the following error: [screenshot: error msg]

I started by giving the lambda full control of secrets manager and lambdas to work backwards into minimal controls, but even throwing the kitchen sink at it I couldn't get it to work:

{
  "permissionsBoundary": {},
  "roleName": "secrets_manager-role-REDACTED",
  "policies": [
    {
      "document": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
              "secretsmanager:GetRandomPassword",
              "secretsmanager:CreateSecret",
              "secretsmanager:ListSecrets"
            ],
            "Resource": "*"
          },
          {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "secretsmanager:*",
            "Resource": "arn:aws:secretsmanager:us-east-1:REDACTED:secret:REDACTED"
          }
        ]
      },
      "name": "ReadWriteREDACTEDSecret",
      "id": "REDACTED",
      "type": "managed",
      "arn": "arn:aws:iam::REDACTED:policy/ReadWriteREDACTEDSecret"
    },
    {
      "document": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
              "lambda:InvokeFunction",
              "lambda:InvokeAsync"
            ],
            "Resource": "arn:aws:lambda:us-east-1:REDACTED:function:secrets_manager"
          }
        ]
      },
      "name": "invoke_secrets_manager_lambda",
      "id": "REDACTED",
      "type": "managed",
      "arn": "arn:aws:iam::REDACTED:policy/invoke_secrets_manager_lambda"
    },
    {
      "document": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "logs:CreateLogGroup",
            "Resource": "arn:aws:logs:us-east-1:REDACTED:*"
          },
          {
            "Effect": "Allow",
            "Action": [
              "logs:CreateLogStream",
              "logs:PutLogEvents"
            ],
            "Resource": [
              "arn:aws:logs:us-east-1:REDACTED:log-group:/aws/lambda/secrets_manager:*"
            ]
          }
        ]
      },
      "name": "AWSLambdaBasicExecutionRole-REDACTED",
      "id": "REDACTED",
      "type": "managed",
      "arn": "arn:aws:iam::REDACTED:policy/service-role/AWSLambdaBasicExecutionRole-REDACTED"
    },
    {
      "document": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "cloudformation:DescribeChangeSet",
              "cloudformation:DescribeStackResources",
              "cloudformation:DescribeStacks",
              "cloudformation:GetTemplate",
              "cloudformation:ListStackResources",
              "cloudwatch:*",
              "cognito-identity:ListIdentityPools",
              "cognito-sync:GetCognitoEvents",
              "cognito-sync:SetCognitoEvents",
              "dynamodb:*",
              "ec2:DescribeSecurityGroups",
              "ec2:DescribeSubnets",
              "ec2:DescribeVpcs",
              "events:*",
              "iam:GetPolicy",
              "iam:GetPolicyVersion",
              "iam:GetRole",
              "iam:GetRolePolicy",
              "iam:ListAttachedRolePolicies",
              "iam:ListRolePolicies",
              "iam:ListRoles",
              "iam:PassRole",
              "iot:AttachPrincipalPolicy",
              "iot:AttachThingPrincipal",
              "iot:CreateKeysAndCertificate",
              "iot:CreatePolicy",
              "iot:CreateThing",
              "iot:CreateTopicRule",
              "iot:DescribeEndpoint",
              "iot:GetTopicRule",
              "iot:ListPolicies",
              "iot:ListThings",
              "iot:ListTopicRules",
              "iot:ReplaceTopicRule",
              "kinesis:DescribeStream",
              "kinesis:ListStreams",
              "kinesis:PutRecord",
              "kms:ListAliases",
              "lambda:*",
              "logs:*",
              "s3:*",
              "sns:ListSubscriptions",
              "sns:ListSubscriptionsByTopic",
              "sns:ListTopics",
              "sns:Publish",
              "sns:Subscribe",
              "sns:Unsubscribe",
              "sqs:ListQueues",
              "sqs:SendMessage",
              "tag:GetResources",
              "xray:PutTelemetryRecords",
              "xray:PutTraceSegments"
            ],
            "Resource": "*"
          }
        ]
      },
      "name": "AWSLambdaFullAccess",
      "id": "REDACTED",
      "type": "managed",
      "arn": "arn:aws:iam::aws:policy/AWSLambdaFullAccess"
    }
  ],
  "trustedEntities": [
    "secretsmanager.amazonaws.com",
    "lambda.amazonaws.com"
  ]
}

My lambda trust policy is as follows:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "secretsmanager.amazonaws.com",
          "lambda.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Asked by Schalton, Nov 17 '19 09:11



1 Answer

After combing through the AWS GUI for ~10 hours and googling extensively, I came across an S/O post for a different resource that linked to the docs saying that a lambda's function policy cannot be set in the GUI.

I ran the following command in the CLI and everything worked:

aws lambda add-permission \
    --function-name secrets_manager \
    --principal secretsmanager.amazonaws.com \
    --action lambda:InvokeFunction \
    --statement-id SecretsManagerAccess

--function-name secrets_manager is used because my Lambda function is named secrets_manager.

source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets-create-generic-template.html

Answered by Schalton, Jan 04 '23 06:01
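The distinction the answer turns on is that the execution role's identity and trust policies (everything in the question) never let Secrets Manager invoke the function; that grant lives in the function's resource-based policy, which add-permission edits. As an added illustration (my code, not the poster's or AWS's), the block below builds the statement that the add-permission call produces and checks a policy document, as returned by aws lambda get-policy, for it; the ARN and account id are constructed, and the aws:SourceAccount condition (what --source-account adds) is assumed as the usual guard against another account's Secrets Manager invoking the function.

```python
import json

# Service principal Secrets Manager uses when it invokes a rotation function.
ROTATION_PRINCIPAL = "secretsmanager.amazonaws.com"


def rotation_permission_statement(function_arn, account_id, sid="SecretsManagerAccess"):
    """Statement that `aws lambda add-permission` (as run in the answer) adds to the
    function's resource policy; aws:SourceAccount is what --source-account adds."""
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"Service": ROTATION_PRINCIPAL},
        "Action": "lambda:InvokeFunction",
        "Resource": function_arn,
        "Condition": {"StringEquals": {"AWS:SourceAccount": account_id}},
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_rotation_access(policy, function_arn):
    """Return (allowed, warnings) for a function policy: the JSON string inside
    `aws lambda get-policy` output, or an already parsed dict."""
    policy = json.loads(policy) if isinstance(policy, str) else policy
    warnings = []
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        resources = _as_list(stmt.get("Resource", []))
        if stmt.get("Effect") != "Allow" or ROTATION_PRINCIPAL not in services:
            continue
        if not {"lambda:InvokeFunction", "lambda:*"} & set(_as_list(stmt.get("Action", []))):
            continue
        if function_arn not in resources and "*" not in resources:
            continue
        condition = json.dumps(stmt.get("Condition", {})).lower()
        if "aws:sourceaccount" not in condition and "aws:sourcearn" not in condition:
            warnings.append(f"{stmt.get('Sid', '<no Sid>')}: no SourceAccount/SourceArn "
                            "condition, so Secrets Manager in any account can invoke this function")
        return True, warnings
    return False, warnings


if __name__ == "__main__":
    # Constructed ARN and account id; the real values are REDACTED on the page.
    arn = "arn:aws:lambda:us-east-1:111122223333:function:secrets_manager"
    policy = {"Version": "2012-10-17", "Statement": []}  # a fresh function grants nothing
    print(check_rotation_access(policy, arn))  # (False, [])
    policy["Statement"].append(rotation_permission_statement(arn, "111122223333"))
    print(check_rotation_access(policy, arn))  # (True, [])
```

Pointing check_rotation_access at the real get-policy output before clicking "add rotation" turns the console's flashing error into a plain yes/no, and a warning from it means the grant works but is broader than it needs to be.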