Secrets Manager - rotate secret with lambda in another account

Question

In a project I'm working on, the secrets are stored in a centralized company Secrets Manager, in a specific AWS account (SECRETS_ACCOUNT).

Project resources (including lambda functions) are in a project specific account (PROJECT_ACCOUNT).

I'm trying to set up secrets rotation, but I get stuck on this error message:

AccessDeniedException: Secrets Manager cannot invoke the specified Lambda function. Ensure that the function policy grants access to the principal secretsmanager.amazonaws.com.

The lambda resource-based policy:

{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "SecretsManager",
      "Effect": "Allow",
      "Principal": {
        "Service": "secretsmanager.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:eu-west-1:PROJECT_ACCOUNT:function:secret-rotation"
    }
  ]
}

The lambda role trust relationship:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

I don't know if it matters, both accounts are in the same region.

Did I miss something? Do I need to add additional permissions to allow a Secrets Manager from another account to invoke the lambda? Do the lambda and the secret have to be in the same account?

Thanks in advance,

Answer 1

Please run the below command to resolve the error "AccessDeniedException: Secrets Manager cannot invoke the specified Lambda function. Ensure that the function policy grants access to the principal secretsmanager.amazonaws.com." in AWS Cli

aws lambda add-permission --function-name arn:aws:lambda:us-east-1:757147756798:function:"secret name here without quotes" --principal secretsmanager.amazonaws.com --action lambda:InvokeFunction --statement-id SecretsManagerAccess