Asked by m90 (score 9). Tags: amazon-web-services, amazon-iam, aws-lambda, serverless-framework, aws-secrets-manager
Using the Serverless Framework, I am trying to build a Lambda function that periodically rotates a secret stored in AWS Secrets Manager.
I am having trouble configuring the role that Secrets Manager needs in order to execute the Lambda. In my serverless.yml I define the following resources:
resources:
  Resources:
    RotateKeysRole:
      Type: AWS::IAM::Role
      Properties:
        RoleName: rotate-keys-role
        ManagedPolicyArns:
          - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - lambda.amazonaws.com
                  - secretsmanager.amazonaws.com
              Action: sts:AssumeRole
and attach this role to the rotation Lambda as follows:
functions:
  rotateKeys:
    handler: lambdas.rotate_keys.handler
    role: RotateKeysRole
However, when I try to set up Secrets Manager to use this Lambda to rotate the secret, I get the following error message:
Secrets Manager cannot invoke the specified Lambda function. Ensure that the function policy grants access to the principal secretsmanager.amazonaws.com.
This confuses me, since that principal is specified. Inspecting the role in the IAM console shows nothing that looks wrong to me.
How do I configure the role correctly in this case?
Answer by 小智 (score 10)
I ran into the same problem today. I ran this and it worked for me:
aws lambda add-permission \
    --function-name ARN_of_lambda_function \
    --principal secretsmanager.amazonaws.com \
    --action lambda:InvokeFunction \
    --statement-id SecretsManagerAccess
https://docs.aws.amazon.com/secretsmanager/latest/userguide/troubleshoot_rotation.html
The documentation explains the process of setting up permissions for a Lambda function that rotates AWS Secrets Manager secrets. [1]
In short, you need two steps:
<function-name-with-first-letter-uppercase>LambdaFunction. Note: the function name is referenced in the DependsOn property. It is also referenced in the StringEquals condition and in the FunctionName property as: arn:aws:lambda:${self:custom.region}:${self:custom.accountId}:function:${self:service}-${self:provider.stage}-rotateKeys. If you change the function name, remember to change those too.
The serverless.yml file should look like this:
service:
  name: <your-service-name>

provider:
  name: aws
  region: '<your-region>'

custom:
  region: ${self:provider.region}
  accountId: <your-account-id>

resources:
  Resources:
    FunctionRole:
      Type: AWS::IAM::Role
      Properties:
        RoleName: basic-function-role
        ManagedPolicyArns:
          - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
        Policies:
          - PolicyName: rotateKeysPolicy
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                - Effect: Allow
                  Action:
                    - secretsmanager:DescribeSecret
                    - secretsmanager:GetSecretValue
                    - secretsmanager:PutSecretValue
                    - secretsmanager:UpdateSecretVersionStage
                  Resource: '*'
                  Condition:
                    StringEquals:
                      'secretsmanager:resource/AllowRotationLambdaArn': "arn:aws:lambda:${self:custom.region}:${self:custom.accountId}:function:${self:service}-${self:provider.stage}-rotateKeys"
                - Effect: Allow
                  Action:
                    - secretsmanager:GetRandomPassword
                  Resource: '*'
                - Effect: Allow
                  Action:
                    - ec2:CreateNetworkInterface
                    - ec2:DeleteNetworkInterface
                    - ec2:DescribeNetworkInterfaces
                  Resource: '*'
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - lambda.amazonaws.com
              Action: sts:AssumeRole
    LambdaInvokePermission:
      Type: AWS::Lambda::Permission
      DependsOn: RotateKeysLambdaFunction
      Properties:
        FunctionName: "arn:aws:lambda:${self:custom.region}:${self:custom.accountId}:function:${self:service}-${self:provider.stage}-rotateKeys"
        Action: lambda:InvokeFunction
        Principal: 'secretsmanager.amazonaws.com'

functions:
  rotateKeys:
    handler: lambdas.rotate_keys.handler
    role: FunctionRole
You must replace <your-service-name>, <your-region> and <your-account-id>, and upload your rotation code using the package -> include property.
Note: there are templates for Lambda functions that update secrets. [2][3]
Also remember to configure your VPC correctly so that the Lambda function can reach the AWS Secrets Manager service over the network. [4]
[1] https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets-required-permissions.html
[2] https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets-create-generic-template.html
[3] https://github.com/aws-samples/aws-secrets-manager-rotation-lambdas
[4] https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotation-network-rqmts.html
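As an added example (not code from the question or from either answer), the Python below checks both halves of the rotation permission setup the two answers describe: the function's resource-based policy, which the first answer's `aws lambda add-permission` call writes, and the execution-role policy from the second answer's serverless.yml. It accepts the Policy JSON string that `aws lambda get-policy` returns and reports whether the secretsmanager.amazonaws.com principal may invoke the function (the grant the error message in the question is missing) and whether that grant is pinned to your own account with `aws:SourceAccount` (the `--source-account` flag of add-permission, or `SourceAccount` on `AWS::Lambda::Permission`), so secrets in other accounts cannot trigger the function. For the role it lists any `secretsmanager:*` grants on `Resource: '*'` that lack the `AllowRotationLambdaArn` condition, which is what keeps the role from reading secrets other than the ones it rotates. The account id, function ARN and policy documents are constructed placeholders so the script runs offline; on a real deployment you would feed it the output of `aws lambda get-policy` and `aws iam get-role-policy`.

```python
import json

SECRETS_MANAGER = "secretsmanager.amazonaws.com"
ROTATION_COND_KEY = "secretsmanager:resource/AllowRotationLambdaArn"

# Constructed placeholders: not a real account or function.
ACCOUNT = "123456789012"
FUNCTION_ARN = f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:my-service-dev-rotateKeys"


def _as_list(value):
    """IAM accepts a bare string wherever a list is allowed; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statements(policy):
    """Accept a dict or the JSON string `aws lambda get-policy` returns in its Policy field."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    return _as_list(policy.get("Statement"))


def _string_equals(st, key):
    """Values under Condition/StringEquals for `key`; IAM condition keys are case-insensitive
    (Lambda writes the account guard as 'AWS:SourceAccount')."""
    eq = (st.get("Condition") or {}).get("StringEquals") or {}
    return [v for k, vals in eq.items() if k.lower() == key.lower() for v in _as_list(vals)]


def check_invoke_permission(resource_policy, account_id):
    """Returns (allowed, pinned) for the function's resource-based policy.

    allowed: an Allow statement grants lambda:InvokeFunction (or lambda:*) to the
             Secrets Manager service principal.
    pinned:  that statement also requires aws:SourceAccount == account_id.
    """
    allowed = pinned = False
    for st in _statements(resource_policy):
        principal = st.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        actions = _as_list(st.get("Action"))
        if st.get("Effect") != "Allow" or SECRETS_MANAGER not in services:
            continue
        if not any(a in ("lambda:InvokeFunction", "lambda:*", "*") for a in actions):
            continue
        allowed = True
        pinned = pinned or account_id in _string_equals(st, "aws:SourceAccount")
    return allowed, pinned


def unscoped_secretsmanager_actions(role_policy, function_arn):
    """Returns the secretsmanager actions the execution role grants on Resource '*'
    without the AllowRotationLambdaArn condition naming this function. An empty list
    means every grant is scoped. GetRandomPassword is exempt: it touches no secret."""
    unscoped = []
    for st in _statements(role_policy):
        actions = [a for a in _as_list(st.get("Action")) if a.startswith("secretsmanager:")]
        if st.get("Effect") != "Allow" or not actions or "*" not in _as_list(st.get("Resource")):
            continue
        if function_arn in _string_equals(st, ROTATION_COND_KEY):
            continue
        unscoped += [a for a in actions if a != "secretsmanager:GetRandomPassword"]
    return unscoped


def invoke_statement(sid, source_account=None):
    """Statement in the shape add-permission writes; with source_account it is the
    guarded form (`--source-account`, or SourceAccount on AWS::Lambda::Permission)."""
    st = {"Sid": sid, "Effect": "Allow", "Principal": {"Service": SECRETS_MANAGER},
          "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN}
    if source_account:
        st["Condition"] = {"StringEquals": {"AWS:SourceAccount": source_account}}
    return st


# Constructed `aws lambda get-policy` output: Policy is a JSON string inside the response.
PLAIN_POLICY = json.dumps({"Version": "2012-10-17", "Id": "default",
                           "Statement": [invoke_statement("SecretsManagerAccess")]})
GUARDED_POLICY = json.dumps({"Version": "2012-10-17", "Id": "default",
                             "Statement": [invoke_statement("SecretsManagerAccess", ACCOUNT)]})

# The rotateKeysPolicy statements from the second answer, with ${self:...} resolved.
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue",
                "secretsmanager:PutSecretValue", "secretsmanager:UpdateSecretVersionStage"],
     "Resource": "*",
     "Condition": {"StringEquals": {ROTATION_COND_KEY: FUNCTION_ARN}}},
    {"Effect": "Allow", "Action": ["secretsmanager:GetRandomPassword"], "Resource": "*"},
]}
# Same policy with the condition dropped: every secret in the account becomes readable.
LOOSE_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {k: v for k, v in ROLE_POLICY["Statement"][0].items() if k != "Condition"},
    ROLE_POLICY["Statement"][1],
]}

if __name__ == "__main__":
    print("plain add-permission      :", check_invoke_permission(PLAIN_POLICY, ACCOUNT))
    print("with --source-account     :", check_invoke_permission(GUARDED_POLICY, ACCOUNT))
    print("answer's role, unscoped   :", unscoped_secretsmanager_actions(ROLE_POLICY, FUNCTION_ARN))
    print("loosened role, unscoped   :", unscoped_secretsmanager_actions(LOOSE_ROLE_POLICY, FUNCTION_ARN))
```

The resource-policy check is what the question's trust policy could never satisfy: `AssumeRolePolicyDocument` only says who may assume the role, whereas Secrets Manager invokes the function directly and is authorised by the function's own policy. The role check catches a common regression where someone removes the `AllowRotationLambdaArn` condition to get past a permission error; `Resource: '*'` then really does mean every secret in the account.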
Views: 6270