How to add policy to AWS SAM file to put value in secrets manager with Lambda
Question
Policies:
        - AWSXrayWriteOnlyAccess
        - AWSSecretsManagerGetSecretValuePolicy:
            SecretArn: !Sub 
        - AWSSecretsManagerRotationPolicy:
            SecretArn: !Sub arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:/${EnvironmentTagName}/*
            Effect: Allow
            FunctionName: !Sub ${AWS::StackName}-****
            Action:
              - secretsmanager:UpdateSecret
              - secretsmanager:GetSecretValue
              - secretsmanager:PutSecretValue
            Resource:
I want to change a secret's value via Lambda, but I got this error:
> AccessDeniedException: User:
> arn:aws:sts:::assumed-role/LambdaName is not authorized to
> perform: secretsmanager:PutSecretValue on resource: /**/API_TOKEN
> because no identity-based policy allows the
> secretsmanager:PutSecretValue action
Answer 1
Score: 1
There are 3 ways to specify policies for a Lambda function in the AWS SAM template:
- AWS managed policy name
- AWS SAM policy template
- Inline policy document

AWSSecretsManagerRotationPolicy is an AWS SAM policy template that already includes secretsmanager:DescribeSecret, secretsmanager:GetSecretValue, secretsmanager:PutSecretValue and secretsmanager:UpdateSecretVersionStage, so you don't need to specify these actions explicitly; you can simply use the policy template directly:
MyFunction:
  Type: 'AWS::Serverless::Function'
  Properties:
    CodeUri: ${codeuri}
    Handler: hello.handler
    Runtime: python2.7
    Policies:
      - AWSSecretsManagerRotationPolicy: # AWS SAM Policy template
          SecretArn: !Sub "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:your_secret_value"
In case you need to specify the policies (inline) explicitly for the Lambda function, you can do it like so:
Policies:
  - AWSXrayWriteOnlyAccess # AWS Managed Policy
  - Version: '2012-10-17' # Inline Policy Document
    Statement:
      - Effect: Allow
        Action:
          - secretsmanager:UpdateSecret
          - secretsmanager:GetSecretValue
          - secretsmanager:PutSecretValue
        Resource: !Sub "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:your_secret_value"
Useful Resources:
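To see why the question's template ends in that AccessDeniedException while the answer's inline policy does not, here is an added example (not from the question, the answer or AWS SAM itself) that evaluates identity-based policy statements the way IAM does for one action on one resource: default deny, an explicit Deny wins, otherwise any matching Allow grants. The secret ARN, account id and region are constructed placeholders, and the "get only" statement is modelled on what the AWSSecretsManagerGetSecretValuePolicy template grants.

```python
from fnmatch import fnmatchcase

# Constructed placeholder ARN (account id and region are not from the page).
SECRET_ARN = ("arn:aws:secretsmanager:eu-west-1:123456789012:"
              "secret:/dev/API_TOKEN-AbCdEf")

# Modelled on what the AWSSecretsManagerGetSecretValuePolicy SAM template
# grants: only GetSecretValue on the named secret, so no PutSecretValue.
GET_ONLY_STATEMENTS = [
    {"Effect": "Allow",
     "Action": "secretsmanager:GetSecretValue",
     "Resource": SECRET_ARN},
]

# The inline policy document from the answer, scoped to one secret ARN.
INLINE_STATEMENTS = [
    {"Effect": "Allow",
     "Action": ["secretsmanager:UpdateSecret",
                "secretsmanager:GetSecretValue",
                "secretsmanager:PutSecretValue"],
     "Resource": [SECRET_ARN]},
]


def _as_list(value):
    # IAM accepts a single string or a list for Action and Resource.
    return [value] if isinstance(value, str) else list(value or [])


def _statement_matches(stmt, action, resource):
    # Action names are case-insensitive; ARNs are case-sensitive.
    # '*' and '?' are IAM wildcards, which fnmatch treats the same way.
    actions = [a.lower() for a in _as_list(stmt.get("Action"))]
    resources = _as_list(stmt.get("Resource"))
    return (any(fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatchcase(resource, r) for r in resources))


def is_allowed(statements, action, resource):
    """Default deny; explicit Deny wins; else any matching Allow grants.
    Returns (allowed, reason) so a failing check explains itself."""
    allowed = False
    for stmt in statements:
        if not _statement_matches(stmt, action, resource):
            continue
        if stmt.get("Effect") == "Deny":
            return False, "explicit Deny"
        if stmt.get("Effect") == "Allow":
            allowed = True
    return ((True, "matching Allow") if allowed
            else (False, "no identity-based policy allows the action"))
```

Running is_allowed(GET_ONLY_STATEMENTS, "secretsmanager:PutSecretValue", SECRET_ARN) reproduces the "no identity-based policy allows" outcome from the question, while the same call against INLINE_STATEMENTS is allowed.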