I am stuck configuring my AWS Lambda to access a secret. I have done it many times, all the existing resources work properly, but now a new one does not.
Stack: I have a secret in Secrets Manager and a Lambda (in a VPC).
What I want: read the secret from lambda.
Role of the lambda has the following policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": "arn:aws:secretsmanager:us-east-1:xxxxxxxxx:secret:xxxxxxxxxxxx",
            "Effect": "Allow"
        }
    ]
}
But even if I give full admin permissions to this role, I am not allowed to read the secret from the Lambda. I get the following error message:
User: arn:aws:sts::xxxxxxxxx:assumed-role/xxxxxxx/yyyyyyyy is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:us-east-1:xxxxxxxxx:secret:xxxxxxxxxxxx
I have other lambdas that work, but it is a bit terrifying that re-deploying my cloudformation stack could break the whole application due to this.
I assume there was some change on the AWS side; existing resources got changed to be compatible, but now I am not able to access any new or already existing secrets, even though I can see in the Lambda configuration that I have permission.
Does anyone have any idea what is missing? Thanks!
Turned out that I missed one place to check. When I dug deeper, I found that this whole thing happens only when the Lambda is tied to a VPC; removing the VPC config made it work.
For me the missing piece was the endpoint policy for Secrets Manager (which allows me to access Secrets Manager from the VPC).
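As an added illustration of the answer above (this is not code from the original post): a Lambda in a VPC reaches Secrets Manager only through the VPC interface endpoint, and the endpoint policy is evaluated in addition to the role's IAM policy, so a restrictive endpoint policy produces the same "is not authorized to perform: secretsmanager:GetSecretValue" error even when the role is an admin. The script below shows a restrictive endpoint policy beside a corrected one and evaluates, offline, whether `GetSecretValue` would pass the endpoint for a given role and secret. The ARNs, endpoint ID, policies and the `describe-vpc-endpoints` output are constructed for the example; the evaluator matches the role ARN as the principal and does not model `Condition`, `NotAction`, `NotPrincipal` or `NotResource`.

```python
"""Offline check of a Secrets Manager VPC endpoint policy.

Added example, not code from the original post. All ARNs, the endpoint ID and
the policies below are constructed for illustration.
"""
import json
import re

# --- constructed sample data -------------------------------------------------
ROLE_ARN = "arn:aws:iam::111122223333:role/lambda-secrets-role"          # constructed
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:111122223333:secret:app/db-AbCdEf"  # constructed

# Restrictive endpoint policy: it lets the role describe secrets but not read
# them, so GetSecretValue is denied at the endpoint even though the role's own
# IAM policy allows it.
RESTRICTIVE_ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ROLE_ARN},
        "Action": "secretsmanager:DescribeSecret",
        "Resource": "*",
    }],
}

# Corrected endpoint policy: allows the role to read secrets in this account
# through the endpoint. The role's IAM policy must still grant the action; the
# endpoint policy only gates what is allowed to pass through the endpoint.
CORRECTED_ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ROLE_ARN},
        "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
        "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:*",
    }],
}

# Constructed sample in the shape of `aws ec2 describe-vpc-endpoints` output.
# The real command returns PolicyDocument as a JSON *string*, hence json.loads below.
SAMPLE_DESCRIBE_OUTPUT = {
    "VpcEndpoints": [{
        "VpcEndpointId": "vpce-0123456789abcdef0",
        "ServiceName": "com.amazonaws.us-east-1.secretsmanager",
        "PolicyDocument": json.dumps(RESTRICTIVE_ENDPOINT_POLICY),
    }]
}


def _as_list(value):
    """IAM allows a string or a list in Action, Resource and Principal.AWS."""
    return value if isinstance(value, list) else [value]


def _glob_match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' matches any run of characters, '?' one."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    flags = re.IGNORECASE if ignore_case else 0
    return re.match("^" + body + "$", value, flags) is not None


def _principal_matches(principal, caller_arn):
    """Match a statement's Principal against the caller: '*' or an AWS ARN list."""
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    return any(p == "*" or p == caller_arn for p in aws)


def endpoint_allows(policy, caller_arn, action, resource):
    """Evaluate an endpoint policy: explicit Deny wins, then any Allow, else implicit deny.

    Actions are matched case-insensitively, resources case-sensitively.
    Condition, NotAction, NotPrincipal and NotResource are not modelled.
    """
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        if not _principal_matches(stmt.get("Principal", {}), caller_arn):
            continue
        if not any(_glob_match(a, action, ignore_case=True) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_glob_match(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def check_secretsmanager_endpoints(describe_output, caller_arn, secret_arn):
    """Map each Secrets Manager endpoint ID to whether GetSecretValue can pass it."""
    results = {}
    for ep in describe_output.get("VpcEndpoints", []):
        if not ep.get("ServiceName", "").endswith(".secretsmanager"):
            continue
        policy = json.loads(ep["PolicyDocument"])
        results[ep["VpcEndpointId"]] = endpoint_allows(
            policy, caller_arn, "secretsmanager:GetSecretValue", secret_arn)
    return results


if __name__ == "__main__":
    print(check_secretsmanager_endpoints(SAMPLE_DESCRIBE_OUTPUT, ROLE_ARN, SECRET_ARN))
    print(endpoint_allows(CORRECTED_ENDPOINT_POLICY, ROLE_ARN,
                          "secretsmanager:GetSecretValue", SECRET_ARN))
```

To run the same check against a real account, feed the script the output of `aws ec2 describe-vpc-endpoints --filters Name=service-name,Values=com.amazonaws.us-east-1.secretsmanager` (adjust the region). If no policy was ever attached, the endpoint's default policy grants full access to the service, so a denial like the one in the question usually means a custom endpoint policy was applied; both that policy and the role's IAM policy have to allow `secretsmanager:GetSecretValue` on the secret's ARN.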