I have a very specific AWS Lambda function that I want to make the Principal of an AWS Secrets Manager permission policy so it can retrieve secrets.
I want to specifically give this permission only to my Lambda. I created a role and assigned that role to the policy.
However, I want to be able to write the Principal in explicitly (for learning and to know what it does on first sight).
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Lambda Get Secret File",
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Principal": {
                "AWS": "arn:aws:iam::XXXXXXXXXX:role/My-Lambda"
            },
            "Resource": "arn:aws:secretsmanager:us-west-2:XXXXXX:secret:My-Secret"
        }
    ]
}
This won't be allowed. What is the way to write this in?
Everything I see is for Lambda to rotate secrets; I don't want to rotate.
It's important when working with AWS identity/permissions to understand that there are two types of policy:
Identity-based policies are attached to an IAM user, group, or role. These policies let you specify what that identity can do. These policies cannot have a Principal element because the principal that the policy applies to is implicitly the IAM principal presenting the credentials.
Resource-based policies are attached to an AWS resource, such as an S3 bucket, KMS key, or Lambda function. These policies specify who can access the given resource and what they can do. Most commonly, you will see these with S3 buckets but they can also be associated with other resource types. These policies must have a Principal element in order to identify to whom the policy statement applies.
A resource-based policy can serve as an additional layer of security, allowing a resource owner to explicitly deny certain IAM principals from accessing a resource, even if those IAM principals have permission.
Typically, either an identity-based policy or a resource-based policy can permit access to a given resource (you would not need to permit access in both policies). Per the documentation:
If an action is allowed by an identity-based policy, a resource-based policy, or both, then AWS allows the action. An explicit deny in either of these policies overrides the allow.
There are a small number of situations in which both an identity-based policy and a corresponding resource-based policy must allow an action for it to be permitted. Use of KMS keys for encryption/decryption is one example of this.
In your case, you should be configuring a resource-based policy for the Secrets Manager secret, controlling who has access to the secret.
I was able to add the following policy to a Secrets Manager secret (I saved this policy in a file named mysecret.json):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "secureme",
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:role/mylambdarole"
            },
            "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:mysecret-xyz"
        }
    ]
}
You can't use the AWS Console to apply this policy to the secret, as far as I know, but you can use the awscli or an SDK. I used the awscli, as follows:
aws secretsmanager put-resource-policy \
--secret-id mysecret \
--resource-policy file://mysecret.json
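The two policy shapes the answer contrasts, with the simplified evaluation rule it quotes ("allowed if either policy allows, an explicit deny in either overrides"), as an added example that is not part of the question or the answer. It builds the identity-based policy you would attach to the Lambda role (no Principal) next to the resource-based policy you would put on the secret (Principal required), checks each for the Principal rule that made the asker's policy fail, and evaluates a few requests against them. The account ID, role name and secret ARN are the answer's placeholders; `check_policy_shape` and `is_allowed` are hypothetical helpers written for this illustration, and the evaluator deliberately ignores Condition blocks, ARN wildcards, cross-account rules, SCPs and permission boundaries.

```python
import json

# Placeholders taken from the answer's example; not real resources.
ACCOUNT = "123456789012"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/mylambdarole"
OTHER_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/someotherrole"
SECRET_ARN = f"arn:aws:secretsmanager:us-east-1:{ACCOUNT}:secret:mysecret-xyz"
ACTION = "secretsmanager:GetSecretValue"

# Identity-based policy: attached to the Lambda role. No Principal element,
# because the principal is whoever presents the role's credentials.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadMySecret",
        "Effect": "Allow",
        "Action": ACTION,
        "Resource": SECRET_ARN,
    }],
}

# Resource-based policy: attached to the secret. Must name the Principal.
RESOURCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "secureme",
        "Effect": "Allow",
        "Action": ACTION,
        "Principal": {"AWS": ROLE_ARN},
        "Resource": SECRET_ARN,
    }],
}


def check_policy_shape(policy, kind):
    """Return a list of problems; empty when the policy fits its kind
    ('identity' or 'resource') with respect to the Principal element."""
    problems = []
    for stmt in policy["Statement"]:
        sid = stmt.get("Sid", "<no Sid>")
        has_principal = "Principal" in stmt or "NotPrincipal" in stmt
        if kind == "identity" and has_principal:
            problems.append(f"{sid}: identity-based policy must not carry a Principal")
        if kind == "resource" and not has_principal:
            problems.append(f"{sid}: resource-based policy needs a Principal")
    return problems


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    # "Principal": "*" and {"AWS": "*"} are both the anonymous wildcard.
    p = stmt.get("Principal", {})
    return ["*"] if p == "*" else _as_list(p.get("AWS", []))


def _matches(stmt, principal_arn, action, resource_arn, check_principal):
    if action not in _as_list(stmt.get("Action", [])):
        return False
    if resource_arn not in _as_list(stmt.get("Resource", [])):
        return False
    if check_principal:
        principals = _principals(stmt)
        if principal_arn not in principals and "*" not in principals:
            return False
    return True


def is_allowed(principal_arn, action, resource_arn,
               identity_policy=None, resource_policy=None):
    """Simplified same-account evaluation: the identity policy is the one
    attached to principal_arn, so only the resource policy is matched on
    Principal. An Allow in either grants; a Deny in either wins outright."""
    allowed = False
    for policy, check_principal in ((identity_policy, False), (resource_policy, True)):
        if policy is None:
            continue
        for stmt in policy["Statement"]:
            if not _matches(stmt, principal_arn, action, resource_arn, check_principal):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def deny_policy_for(principal_arn):
    """Resource policy that explicitly denies one principal, to show deny overriding allow."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "blockthisrole",
            "Effect": "Deny",
            "Action": ACTION,
            "Principal": {"AWS": principal_arn},
            "Resource": SECRET_ARN,
        }],
    }


def render(policy):
    """JSON text suitable for: aws secretsmanager put-resource-policy --resource-policy file://..."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(check_policy_shape(RESOURCE_POLICY, "identity"))  # the asker's mistake
    print(is_allowed(ROLE_ARN, ACTION, SECRET_ARN, resource_policy=RESOURCE_POLICY))
    print(render(RESOURCE_POLICY))
```

Running it shows the asker's original statement failing the identity-policy check (a Principal is present), the Lambda role passing with only the resource policy in place, and a Deny statement on the secret blocking the role even though its identity policy allows the call. Save the output of `render(RESOURCE_POLICY)` to a file and apply it with the `put-resource-policy` command above.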