What are the correct resource permissions for AWS Lambda functions using AWS Golang SecretsManager Caching client?


Question


We currently have AWS lambda functions retrieving secrets from the AWS secrets manager using the following resource permissions on the AWS Secret (the lambda function and secret belong to the same AWS account):

{
  "Version" : "2012-10-17",
  "Statement" : [ {
    "Effect" : "Allow",
    "Principal" : {
      "AWS" : "arn:aws:iam::111111111111:role/MyLambda-FunctionNameRole-1TG1EVGPEQ8TZ"
    },
    "Action" : "secretsmanager:GetSecretValue",
    "Resource" : "*",
    "Condition" : {
      "ForAnyValue:StringEquals" : {
        "secretsmanager:VersionStage" : "AWSCURRENT"
      }
    }
  } ]
}

Due to more frequent secret lookups, I want to add secret caching using the AWS Go SecretsManager Caching, but am receiving the following error message:
>AccessDeniedException: User: arn:aws:sts::111111111111:assumed-role/MyLambda-FunctionName-DNV2M7OYIFMX/MyLambda-FunctionName-eoFcAmXLBOV1 is not authorized to perform: secretsmanager:DescribeSecret on resource: secrets_key_name

The secret arn prefix is:
>arn:aws:secretsmanager:us-east-1

The code to create the caching manager:

// Build a session pinned to the secret's region, then a cache whose client uses that session
// (the error returned by secretcache.New is discarded here, as in the original post).
session := session.Must(session.NewSession(aws.NewConfig().WithRegion("us-east-1")))
secretCache, _ := secretcache.New(
	func(c *secretcache.Cache) {
		c.Client = secretsmanager.New(session)
	},
)

And code to retrieve the secret:

secretCache.GetSecretString(secrets_key_name)

I tried adding secretsManager:DescribeSecret to the actions in the secret resource permissions, as well as changing to secretsManager:*, but I'm still receiving the error message. I suspect it has to do with the
>arn:aws:sts::111111111111:assumed-role

but I'm not sure why there is an assumed role being requested (the lambda function and secret in question both belong to the same aws account) or how to fix it. Any help is greatly appreciated!

edit: I was able to produce a similar error message directly using the SecretsManager API (without the caching client) by not setting the secret VersionStage, though the documentation states that not specifying should behave as if using "AWSCURRENT", which is desired. Thinking it might be similar, I switched my caching client code to the following, but still receive the same errors:

secretCache.GetSecretStringWithStage(secrets_key_name, "AWSCURRENT")

Answer 1

Score: 0


Turns out, this is apparently similar to what is mentioned in this issue (https://github.com/aws/aws-cli/issues/5031) - removing the condition from the secret resource policy fixes it:

{
  "Version" : "2012-10-17",
  "Statement" : [ {
    "Effect" : "Allow",
    "Principal" : {
      "AWS" : "arn:aws:iam::redacted:role/MyLambdaFunctionNameRole-DNV2M7OYIFMX"
    },
    "Action" : "secretsmanager:GetSecretValue",
    "Resource" : "*"
  } ]
}

I'm not sure why calling GetSecretStringWithStage("my_secret_name","AWSCURRENT") didn't resolve the issue the same way adding VersionStage to the SecretsManager API call did... but that's for another day.

Thanks LRutten for the help figuring this out!
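The behaviour behind this answer is how IAM evaluates a condition whose key is not in the request context: a DescribeSecret request (which the caching client issues) carries no secretsmanager:VersionStage key, so an Allow conditioned on that key can never match it, whatever stage GetSecretString is later called with. The Go program below is an added illustration, not code from the original post or from the AWS SDK or caching library. It models that evaluation for the question's policy and for an assumed alternative, SplitPolicy, that keeps the AWSCURRENT restriction on GetSecretValue and grants DescribeSecret in its own unconditional statement instead of dropping the condition altogether. Evaluate, actionMatches, conditionPasses and the two policy constants are names chosen for this example; it handles only single-string actions and StringEquals-style conditions and ignores Principal and Resource.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Statement and Policy model only the fields this question turns on: a single
// string action and StringEquals-style conditions. Principal and Resource are
// left out because both policies on the page grant one role access to "*".
type Statement struct {
	Effect    string                       `json:"Effect"`
	Action    string                       `json:"Action"`
	Condition map[string]map[string]string `json:"Condition,omitempty"`
}

type Policy struct {
	Statement []Statement `json:"Statement"`
}

// OriginalPolicy is the question's policy: one Allow conditioned on VersionStage.
const OriginalPolicy = `{"Statement": [
  {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
   "Condition": {"ForAnyValue:StringEquals": {"secretsmanager:VersionStage": "AWSCURRENT"}}}
]}`

// SplitPolicy is an assumed alternative to dropping the condition: GetSecretValue
// keeps the AWSCURRENT restriction, while DescribeSecret, which the caching client
// calls and which carries no VersionStage context key, gets its own statement.
const SplitPolicy = `{"Statement": [
  {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
   "Condition": {"ForAnyValue:StringEquals": {"secretsmanager:VersionStage": "AWSCURRENT"}}},
  {"Effect": "Allow", "Action": "secretsmanager:DescribeSecret"}
]}`

// actionMatches implements IAM's trailing "*" wildcard, case-insensitively, so
// the "secretsmanager:*" variant tried in the question is handled too.
func actionMatches(pattern, action string) bool {
	pattern, action = strings.ToLower(pattern), strings.ToLower(action)
	if strings.HasSuffix(pattern, "*") {
		return strings.HasPrefix(action, strings.TrimSuffix(pattern, "*"))
	}
	return pattern == action
}

// conditionPasses evaluates StringEquals / ForAnyValue:StringEquals blocks. A key
// absent from the request context makes the block false; that is why a
// VersionStage condition never matches a DescribeSecret request.
func conditionPasses(cond map[string]map[string]string, ctx map[string]string) (bool, error) {
	for op, keys := range cond {
		if op != "StringEquals" && op != "ForAnyValue:StringEquals" {
			return false, fmt.Errorf("condition operator %q not modelled", op)
		}
		for key, want := range keys {
			if got, present := ctx[key]; !present || got != want {
				return false, nil
			}
		}
	}
	return true, nil
}

// Evaluate allows the request if any Allow statement matches it (default deny;
// explicit Deny statements are not modelled because the page's policies have none).
func Evaluate(policyJSON, action string, ctx map[string]string) (bool, error) {
	var p Policy
	if err := json.Unmarshal([]byte(policyJSON), &p); err != nil {
		return false, err
	}
	for _, s := range p.Statement {
		if s.Effect != "Allow" || !actionMatches(s.Action, action) {
			continue
		}
		ok, err := conditionPasses(s.Condition, ctx)
		if err != nil {
			return false, err
		}
		if ok {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	current := map[string]string{"secretsmanager:VersionStage": "AWSCURRENT"}
	previous := map[string]string{"secretsmanager:VersionStage": "AWSPREVIOUS"}
	none := map[string]string{} // a DescribeSecret request carries no VersionStage key
	for _, c := range []struct {
		name, policy, action string
		ctx                  map[string]string
	}{
		{"original", OriginalPolicy, "secretsmanager:GetSecretValue", current},
		{"original", OriginalPolicy, "secretsmanager:DescribeSecret", none},
		{"split", SplitPolicy, "secretsmanager:DescribeSecret", none},
		{"split", SplitPolicy, "secretsmanager:GetSecretValue", previous},
	} {
		ok, err := Evaluate(c.policy, c.action, c.ctx)
		fmt.Printf("%-8s %-30s allowed=%v err=%v\n", c.name, c.action, ok, err)
	}
}
```

Run with `go run`: the original policy allows GetSecretValue on AWSCURRENT but denies DescribeSecret, which reproduces the AccessDeniedException in the question; the split policy allows DescribeSecret while still refusing GetSecretValue for any stage other than AWSCURRENT, so the restriction the original condition was there to enforce is kept.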

huangapple
  • Posted on September 10, 2021 00:43:58
  • Please keep this link when reposting: https://go.coder-hub.com/69121963.html