How to add policy to AWS SAM file to put value in secrets manager with Lambda

Question

Policies:
        - AWSXrayWriteOnlyAccess
        - AWSSecretsManagerGetSecretValuePolicy:
            SecretArn: !Sub 
        - AWSSecretsManagerRotationPolicy:
            SecretArn: !Sub arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:/${EnvironmentTagName}/*
            Effect: Allow
            FunctionName: !Sub ${AWS::StackName}-****
            Action:
              - secretsmanager:UpdateSecret
              - secretsmanager:GetSecretValue
              - secretsmanager:PutSecretValue
            Resource:

I want to change the secret's value from the Lambda, but I got this error:

> AccessDeniedException: User:
> arn:aws:sts:::assumed-role/LambdaName is not authorized to
> perform: secretsmanager:PutSecretValue on resource: /**/API_TOKEN
> because no identity-based policy allows the
> secretsmanager:PutSecretValue action

Answer 1

Score: 1

There are 3 ways to specify policies for a Lambda function in an AWS SAM template:

  1. AWS managed policy name
  2. AWS SAM policy template
  3. Inline policy document

AWSSecretsManagerRotationPolicy is an AWS SAM policy template that already includes secretsmanager:DescribeSecret, secretsmanager:GetSecretValue, secretsmanager:PutSecretValue and secretsmanager:UpdateSecretVersionStage, so you don't need to specify these actions explicitly; you can simply use the policy template directly:

MyFunction:
  Type: 'AWS::Serverless::Function'
  Properties:
    CodeUri: ${codeuri}
    Handler: hello.handler
    Runtime: python2.7
    Policies:
      - AWSSecretsManagerRotationPolicy: # AWS SAM Policy template
          SecretArn: !Sub "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:your_secret_value"

In case you need to specify the policies explicitly (inline) for the Lambda function, you can do it like so:

Policies:
  - AWSXrayWriteOnlyAccess # AWS Managed Policy
  - Version: '2012-10-17' # Inline Policy Document
    Statement:
      - Effect: Allow
        Action:
          - secretsmanager:UpdateSecret
          - secretsmanager:GetSecretValue
          - secretsmanager:PutSecretValue
        Resource: !Sub "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:your_secret_value"

Useful resources:
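As an added example (not code from the question or the answer), the following Python script applies the answer's three-way distinction (managed policy name, SAM policy template, inline policy document) to a parsed Policies list and flags the two problems visible in the question: a policy-template entry whose SecretArn is empty, and IAM statement keys (Effect, Action, Resource) placed inside a policy template's parameters instead of in an inline policy document. It also refuses an Allow statement on Resource "*" and reports which required Secrets Manager action no entry grants. It takes the template already parsed into Python structures, with intrinsics in their JSON form ({"Fn::Sub": ...}), so it runs without PyYAML or AWS access. The check_policies name, the action table (the rotation template's actions are taken from the answer's statement; the GetSecretValue template is assumed to grant only GetSecretValue) and the sample inputs are this example's own.

```python
"""Static least-privilege check for the Policies list of an AWS::Serverless::Function.

Added example, not code from the question or the answer. Input is the template
already parsed into Python structures; CloudFormation intrinsics are in their
JSON form ({"Fn::Sub": "..."}), so no YAML library or AWS access is needed.
"""
from typing import Any, Dict, List, Optional, Set

# Actions the answer says AWSSecretsManagerRotationPolicy already grants. The
# GetSecretValue template is assumed to grant only GetSecretValue. Verify both
# against the SAM policy template reference before relying on this table.
TEMPLATE_ACTIONS: Dict[str, Set[str]] = {
    "AWSSecretsManagerGetSecretValuePolicy": {"secretsmanager:GetSecretValue"},
    "AWSSecretsManagerRotationPolicy": {
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue",
        "secretsmanager:PutSecretValue",
        "secretsmanager:UpdateSecretVersionStage",
    },
}
# Keys that belong to an IAM statement, never to a policy template's parameters.
STATEMENT_KEYS = {"Effect", "Action", "NotAction", "Resource", "NotResource", "Principal", "Condition"}


def _as_list(value: Any) -> list:
    return value if isinstance(value, list) else [value]


def _text(value: Any) -> Optional[str]:
    """Plain string, or the string inside Fn::Sub; None for anything else."""
    if isinstance(value, str):
        return value
    if isinstance(value, dict) and "Fn::Sub" in value:
        sub = value["Fn::Sub"]
        return sub if isinstance(sub, str) else sub[0]
    return None


def check_policies(policies: list, required: Set[str]) -> Dict[str, List[str]]:
    """Return {'findings': [...], 'missing': [...]} for one function's Policies list."""
    findings: List[str] = []
    granted: Set[str] = set()
    for i, entry in enumerate(policies):
        if isinstance(entry, str):              # 1. AWS managed policy name: not inspected here
            continue
        if not isinstance(entry, dict):
            findings.append(f"entry {i}: unrecognised policy entry {entry!r}")
            continue
        if "Statement" in entry:                # 3. inline policy document
            for stmt in _as_list(entry["Statement"]):
                if stmt.get("Effect") != "Allow":
                    continue
                actions = set(_as_list(stmt.get("Action", [])))
                resources = [_text(r) for r in _as_list(stmt.get("Resource", []))]
                if not resources or any(r is None or not r.strip() for r in resources):
                    findings.append(f"entry {i}: Allow statement has no usable Resource")
                elif any(r.strip() == "*" for r in resources):
                    findings.append(f"entry {i}: Allow statement grants {sorted(actions)} on '*'")
                else:
                    granted |= actions
            continue
        if len(entry) != 1:                     # 2. template entry must be {TemplateName: {params}}
            findings.append(f"entry {i}: expected one template name, got {sorted(entry)}")
            continue
        name, params = next(iter(entry.items()))
        params = params or {}
        if name not in TEMPLATE_ACTIONS:
            findings.append(f"entry {i}: policy template {name} is not in this checker's table")
            continue
        stray = STATEMENT_KEYS & set(params)
        if stray:                               # malformed: do not credit its grants
            findings.append(f"entry {i}: {name} parameters contain IAM statement keys "
                            f"{sorted(stray)}; put them in an inline policy document instead")
            continue
        arn = _text(params.get("SecretArn"))
        if arn is None or not arn.strip():
            findings.append(f"entry {i}: {name} has an empty SecretArn")
            continue
        granted |= TEMPLATE_ACTIONS[name]
    return {"findings": findings, "missing": sorted(required - granted)}


# Constructed inputs: the question's Policies list and the answer's inline version,
# written as Python structures (YAML !Sub becomes {"Fn::Sub": ...}; the masked
# function name from the question is replaced by the placeholder "-fn").
SECRET = {"Fn::Sub": "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:your_secret_value"}
QUESTION_POLICIES = [
    "AWSXrayWriteOnlyAccess",
    {"AWSSecretsManagerGetSecretValuePolicy": {"SecretArn": {"Fn::Sub": ""}}},
    {"AWSSecretsManagerRotationPolicy": {
        "SecretArn": {"Fn::Sub": "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:/${EnvironmentTagName}/*"},
        "Effect": "Allow",
        "FunctionName": {"Fn::Sub": "${AWS::StackName}-fn"},
        "Action": ["secretsmanager:UpdateSecret", "secretsmanager:GetSecretValue", "secretsmanager:PutSecretValue"],
        "Resource": None,
    }},
]
ANSWER_POLICIES = [
    "AWSXrayWriteOnlyAccess",
    {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["secretsmanager:UpdateSecret", "secretsmanager:GetSecretValue", "secretsmanager:PutSecretValue"],
        "Resource": SECRET,
    }]},
]
NEEDED = {"secretsmanager:PutSecretValue"}

if __name__ == "__main__":
    for label, policies in (("question", QUESTION_POLICIES), ("answer", ANSWER_POLICIES)):
        print(label, check_policies(policies, NEEDED))
```

Run against the question's list it reports the empty SecretArn, the statement keys nested under the rotation template, and PutSecretValue as not granted; the answer's inline version passes clean. To feed a real template.yaml through it, load the file with a YAML loader that has a constructor registered for the `!Sub`/`!Ref`-style tags (mapping each to its `Fn::` JSON form) and pass `Resources.<Function>.Properties.Policies`.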

huangapple
  • Published on 2023-05-17 23:44:44
  • Please keep this link when reposting: https://go.coder-hub.com/76273915.html