I created a rotation function manually and linked it to Secret Manager, I've managed to enable the rotation but when I checked the logs in CloudWatch for this rotation lambda, it showing me error:
[ERROR] ClientError: An error occurred (AccessDeniedException)
when calling the DescribeSecret operation:
User: arn:awsxxxxxxx:assumed-role/xxxxx-lambda-exec-role/
MyLambdaName is not authorized to perform: secretsmanager:DescribeSecret
on resource: MysecretARN
I know something is wrong with my execution role, so I checked my policy attached to this role, it has:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret",
"lambda:InvokeFunction",
"secretsmanager:PutSecretValue",
"secretsmanager:UpdateSecretVersionStage",
"secretsmanager:RotateSecret"
],
"Resource": [
"arn:aws:secretsmanager:us-east-1:xxx",
"arn:aws:lambda:us-east-1:xxx"
]
}
]
}
I also attached 'AWSLambdaBasicExecutionRole` to my exec role,am I missing something else? Why I kept getting that error, I've been messing around with this whole rotation thing, exhausted! please help
I also tried to add a few KMS actions but still getting the same error...I've been working on this for a couple of days now and the AWS documents are very confusing and some are even misleading me to a completely different direction... Why it's so complicated to configure a bloody rotation....(crying)
Make sure that secret arn is present in the Resources section of the policy. The error message mentions - 'MyLambdaName is not authorized to perform: secretsmanager:DescribeSecret on resource: MysecretARN'
but I don't see MysecretARN in the list of resources you allow the lambda to access
Hi you are right, I only pasted the secret name instead of the ARN (slightly different, very hard to spot), I'm gonna try again. A follow-up question: Do I need to add KMS policies for the execution role?