Unable to create Appflow CDK using Python in AWS - amazon-web-services

I am trying to deploy an AppFlow CDK stack and get the following error:
Stack Deployments Failed: Error: The stack named cdk-l-appflow-12202022 failed to deploy: UPDATE_ROLLBACK_COMPLETE: Resource handler returned message: "Unable to retrieve secrets for secret Id : arn:aws:secretsmanager:us-east-1:588799296974:secret:vipsfsecret-66dxxqk0BGck-sPRzQs due to access denied. Please ensure that AppFlow has access on secrets manager resource and KMS key used for encryption. (Service: Appflow, Status Code: 403, Request ID: 9aa02dee-db8c-46db-b495-8cb1392f510e)" (RequestToken: 47e0f482-6cd5-c7e6-1121-e107963c82e6, HandlerErrorCode: GeneralServiceException)
The AppFlow authentication secrets are in Secrets Manager. I have permissioned it as such:
{
  "Version" : "2012-10-17",
  "Statement" : [ {
    "Effect" : "Allow",
    "Principal" : {
      "Service" : "secretsmanager.amazonaws.com"
    },
    "Action" : [ "secretsmanager:GetResourcePolicy", "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret", "secretsmanager:ListSecretVersionIds", "secretsmanager:ListSecrets" ],
    "Resource" : "*"
  } ]
}
Does anyone have thoughts/suggestions please?
I tried creating a new KMS key and provided a key policy at the team-role level, so permissions including kms:Decrypt are granted.

Related

AWS Secrets Manager Resource policy unsupported principal

I created a secret in AWS Secrets Manager. I want one IAM user and a federated user to be able to list, describe and retrieve the secret. I defined the following policy:
{
  "Version" : "2012-10-17",
  "Statement" : [ {
    "Effect" : "Allow",
    "Principal" : {
      "AWS" : [
        "arn:aws:iam::123456789:user/IAMUser1",
        "arn:aws:iam::123456789:role/UAT-Developer/dev_user1#mycompany.com"
      ]
    },
    "Action" : [ "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret", "secretsmanager:ListSecretVersionIds", "secretsmanager:ListSecrets" ],
    "Resource" : "*"
  } ]
}
but it is throwing "This resource policy contains an unsupported principal."
I also tried the below syntax for Principal, but it did not work:
"Principal" : {
  "AWS" : "arn:aws:iam::123456789:user/IAMUser1",
  "AWS" : "arn:aws:iam::123456789:role/UAT-Developer/dev_user1#mycompany.com"
}
Please help me get this correct.
I got it. We have to put assumed-role instead of just role.
arn:aws:iam::123456789:assumed-role/UAT-Developer/dev_user1#mycompany.com

Backup vault creation failed because of insufficient privileges

I am trying to create a backup plan, rule and vault using AWS CDK. After deploying the application I receive the following error in the CloudFormation console.
Resource handler returned message: "Insufficient privileges to perform this action. (Service: Backup, Status Code: 403, Request ID: xxxxxxx)" (RequestToken: xxxxxxxxx, HandlerErrorCode: GeneralServiceException)
My CDK bootstrap role definitely has access to Backup. See the policy document below.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "cdk",
      "Effect": "Allow",
      "Action": [
        "lambda:*",
        "logs:*",
        "serverlessrepo:*",
        "servicediscovery:*",
        "ssm:*",
        "cloudformation:*",
        "kms:*",
        "iam:*",
        "sns:*",
        "dynamodb:*",
        "codepipeline:*",
        "cloudwatch:*",
        "events:*",
        "acm:*",
        "sqs:*",
        "backup:*"
      ],
      "Resource": "*"
    }
  ]
}
The following are my CDK code snippets:
backup-rule
new backup.BackupPlanRule({
  ruleName: 'myTestRuleName',
  completionWindow: Duration.hours(1),
  startWindow: Duration.hours(1),
  scheduleExpression: events.Schedule.cron({
    day: '*',
    hour: '2'
  }),
  deleteAfter: Duration.days(90),
})
backup-vault
I tried without encryptionKey and also with a key that I had created through the AWS Backup web interface. Neither worked.
new backup.BackupVault(this, `${id}-instance`, {
  backupVaultName: props.backupVaultName,
  // encryptionKey: this.key
})
backup-plan
new BackupPlan(scope, `${id}-instance`, {
  backupPlanName: context.backupPlanName,
  backupPlanRules: context.backupPlanRules,
  // backupVault: context.backupVault
});
backup selection
I also tried without creating the role and letting AWS CDK create and use the default role.
NOTE: I have also tried creating the plan, rule and vault without a resource selection, to make sure that the problem does not occur on the resource selection side.
const role = new iam.Role(this, 'Backup Access Role', { assumedBy: new iam.ServicePrincipal('backup.amazonaws.com') });
const managedPolicy = iam.ManagedPolicy.fromManagedPolicyArn(this, 'AWSBackupServiceRolePolicyForBackup', 'arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup');
role.addManagedPolicy(managedPolicy);
plan.backupPlan.addSelection('selection', {
  resources: [
    BackupResource.fromDynamoDbTable(MyTable)
  ],
  //role: role
});
I faced this problem too, and adding permissions for backup-storage solved it for me! I referenced the AWSBackupFullAccess permissions.

Creating MSK event source mapping for Lambda function fails

I am using the AWS-CDK to create a stack with an AWS-MSK cluster and a Lambda function which should be triggered, when a new message is available in a specific topic.
I already had it working nicely and then I decided to add clientAuthentication and now I am stuck. I am using SASL/SCRAM for authentication. I have created a custom encryption key via the KMS service and I am using that key in a Secret in the SecretsManager. I have associated that Secret with my MSK cluster and turned on clientAuthentication there.
I have also already created an interface endpoint in my VPC to the Lambda Service in order for the service to be able to access my cluster (again, this already worked when I hadn't activated clientAuthentication).
Now I am defining my Lambda listener handler function like this:
const listener = new aws_lambda.Function(this, 'ListenerHandler', {
  vpc,
  vpcSubnets: { subnetGroupName: 'ListenerPrivate' },
  runtime: aws_lambda.Runtime.NODEJS_14_X,
  code: aws_lambda.Code.fromAsset('lambda'),
  handler: 'listener.handler'
});
listener.addToRolePolicy(new aws_iam.PolicyStatement({
  effect: Effect.ALLOW,
  actions: ['kafka:*', 'kafka-cluster:*', 'secretsmanager:DescribeSecret', 'secretsmanager:GetSecretValue'],
  resources: [cluster.ref]
}));
const secretsFromLambdaAccessRole = new aws_iam.Role(this, 'AccessSecretsFromLambdaRoles', {
  assumedBy: new aws_iam.ServicePrincipal('kafka.amazonaws.com')
});
secretsFromLambdaAccessRole.addToPolicy(new aws_iam.PolicyStatement({
  effect: Effect.ALLOW,
  actions: ['secretsmanager:DescribeSecret', 'secretsmanager:GetSecretValue'],
  resources: [KAFKA_ACCESS_SECRET_ARN]
}));
listener.role?.addManagedPolicy(
  aws_iam.ManagedPolicy
    .fromAwsManagedPolicyName("service-role/AWSLambdaVPCAccessExecutionRole")
);
listener.role?.addManagedPolicy(
  aws_iam.ManagedPolicy
    .fromAwsManagedPolicyName("service-role/AWSLambdaMSKExecutionRole")
);
const kafkaAccessSecret = aws_secretsmanager.Secret
  .fromSecretCompleteArn(this, 'kafkaAccessSecret', KAFKA_ACCESS_SECRET_ARN);
listener.addEventSource(new ManagedKafkaEventSource({
  clusterArn: cluster.ref,
  topic: "MyTopic",
  startingPosition: StartingPosition.LATEST,
  secret: kafkaAccessSecret,
}));
The secret also has policies assigned to it:
{
  "Version" : "2012-10-17",
  "Statement" : [ {
    "Sid" : "AWSLambdaResourcePolicy",
    "Effect" : "Allow",
    "Principal" : {
      "Service" : "lambda.amazonaws.com"
    },
    "Action" : [ "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret", "secretsmanager:ListSecretVersionIds" ],
    "Resource" : "arn:aws:secretsmanager:some-region:some-account:secret:AmazonMSK_some-secret"
  }, {
    "Sid" : "AWSKafkaResourcePolicy",
    "Effect" : "Allow",
    "Principal" : {
      "Service" : "kafka.amazonaws.com"
    },
    "Action" : "secretsmanager:GetSecretValue",
    "Resource" : "arn:aws:secretsmanager:some-region:some-account:secret:AmazonMSK_some-secret"
  } ]
}
Now, when I try to deploy my Lambda function via the CDK and it comes to the point where it should add the event source mapping, I get this error:
Failed resources:
MskExampleStack | 17:23:22 | CREATE_FAILED | AWS::Lambda::EventSourceMapping | ListenerHandler/KafkaEventSource:MskExampleStackListenerHandler4711MyTopic (ListenerHandlerKafkaEventSourceMskExampleStackListenerHandler4711MyTopic0815)
Resource handler returned message: "Invalid request provided: Cannot access secret manager value arn:aws:secretsmanager:some-region:some-account:secret:AmazonMSK_dev-some-secret.
Please ensure the role can perform the 'secretsmanager:GetSecretValue' action on your broker in IAM. (Service: Lambda, Status Code: 400, Request ID: 123456789, Extended Request ID: null)" (RequestToken: 987654321, HandlerErrorCode: InvalidRequest)
I cannot figure out what I am missing. What role is the error referring to? Where do I need to add the action "secretsmanager:GetSecretValue"? My user has complete admin rights.
You need the following:
kms permissions on the lambda role
secretsmanager permissions on the lambda role
(What I was missing) lambda.amazonaws.com in the key policy for your kms key
My setup:
Lambda permissions:
- Effect: "Allow"
  Action:
    - kms:Decrypt
    - kms:GenerateDataKey*
  Resource:
    - "*"
- Effect: "Allow"
  Action:
    - secretsmanager:GetSecretValue
  Resource:
    - "your secret arn"
KMS policy:
{
  "Sid": "Decrypt",
  "Effect": "Allow",
  "Principal": {
    "Service": [
      "lambda.amazonaws.com"
    ]
  },
  "Action": [
    "kms:GenerateDataKey*",
    "kms:Decrypt"
  ],
  "Resource": "*"
}
Amazon has a knack for writing about 500 needless words to document a feature and never document things around using KMS with that feature even though it seems to vary greatly.

What are the correct resource permissions for AWS Lambda functions using AWS Golang SecretsManager Caching client?

We currently have AWS lambda functions retrieving secrets from the AWS secrets manager using the following resource permissions on the AWS Secret (the lambda function and secret belong to the same AWS account):
{
  "Version" : "2012-10-17",
  "Statement" : [ {
    "Effect" : "Allow",
    "Principal" : {
      "AWS" : "arn:aws:iam::111111111111:role/MyLambda-FunctionNameRole-1TG1EVGPEQ8TZ"
    },
    "Action" : "secretsmanager:GetSecretValue",
    "Resource" : "*",
    "Condition" : {
      "ForAnyValue:StringEquals" : {
        "secretsmanager:VersionStage" : "AWSCURRENT"
      }
    }
  } ]
}
Due to more frequent secret lookups, I want to add secret caching using the AWS Go SecretsManager Caching, but am receiving the following error message:
AccessDeniedException: User: arn:aws:sts::111111111111:assumed-role/MyLambda-FunctionName-DNV2M7OYIFMX/MyLambda-FunctionName-eoFcAmXLBOV1 is not authorized to perform: secretsmanager:DescribeSecret on resource: secrets_key_name
The secret arn prefix is:
arn:aws:secretsmanager:us-east-1
The code to create the caching manager:
sess := session.Must(session.NewSession(aws.NewConfig().WithRegion("us-east-1")))
// The caching client calls DescribeSecret as well as GetSecretValue on the wrapped client.
secretCache, err := secretcache.New(func(c *secretcache.Cache) {
	c.Client = secretsmanager.New(sess)
})
if err != nil {
	log.Fatal(err)
}
And code to retrieve the secret:
secretCache.GetSecretString(secrets_key_name)
I tried adding secretsManager:DescribeSecret to the actions in the secret resource permissions, as well as changing to secretsManager:*, but I'm still receiving the error message. I suspect it has to do with the
arn:aws:sts::111111111111:assumed-role
but I'm not sure why there is an assumed role being requested (the Lambda function and secret in question both belong to the same AWS account) or how to fix it. Any help is greatly appreciated!
edit: I was able to produce a similar error message directly using the SecretsManager API (without the caching client) by not setting the secret VersionStage, though the documentation states that not specifying should behave as if using "AWSCURRENT", which is desired. Thinking it might be similar, I switched my caching client code to the following, but still receive the same errors:
secretCache.GetSecretStringWithStage(secrets_key_name, "AWSCURRENT")
Turns out, this is apparently similar as mentioned in this issue - removing the condition from the secret resource policy fixes it:
{
  "Version" : "2012-10-17",
  "Statement" : [ {
    "Effect" : "Allow",
    "Principal" : {
      "AWS" : "arn:aws:iam::redacted:role/MyLambdaFunctionNameRole-DNV2M7OYIFMX"
    },
    "Action" : "secretsmanager:GetSecretValue",
    "Resource" : "*"
  } ]
}
I'm not sure why calling GetSecretStringWithStage("my_secret_name","AWSCURRENT") didn't resolve the issue the same way adding VersionStage to the SecretsManager API call did... but that's for another day.
Thanks LRutten for the help figuring this out!
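The AppFlow secret error at the top of the page, the MSK/KMS answer and the caching-client question above all reduce to one question: does the resource policy name the calling principal and the action, and, where a Condition is present, a context key that the call actually supplies? The following is an added example written for this page; it is not code from any of the posts or from AWS. It is a deliberately small evaluator for resource-based policies (secret policies and key policies), run offline against the policies quoted in those posts. It models Allow/Deny, Service and AWS principals, "*" globs and StringEquals conditions only, and nothing else of the real IAM engine. The secret and key ARNs are constructed; the service principal names used (secretsmanager, appflow, lambda and kafka .amazonaws.com) are the standard AWS service principals.

```python
"""Minimal evaluator for resource-based policies (secret and key policies).
Added example with a simplified model, not the real IAM engine: Allow/Deny,
Service and AWS principals, '*' globs, (ForAnyValue:)StringEquals conditions."""
import fnmatch
from typing import Any, Optional

# Constructed ARNs for the checks below; the role ARN is the one quoted in the post.
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:111111111111:secret:example-AbCdEf"
KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-000000000000"
LAMBDA_ROLE = "arn:aws:iam::111111111111:role/MyLambda-FunctionNameRole-1TG1EVGPEQ8TZ"

# Secret policy from the AppFlow question: the principal is Secrets Manager itself.
APPFLOW_SECRET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "secretsmanager.amazonaws.com"},
    "Action": ["secretsmanager:GetResourcePolicy", "secretsmanager:GetSecretValue",
               "secretsmanager:DescribeSecret", "secretsmanager:ListSecretVersionIds",
               "secretsmanager:ListSecrets"], "Resource": "*"}]}
# Key policy statement from the MSK answer.
KMS_KEY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Decrypt", "Effect": "Allow", "Principal": {"Service": ["lambda.amazonaws.com"]},
    "Action": ["kms:GenerateDataKey*", "kms:Decrypt"], "Resource": "*"}]}
# Secret policy from the Go caching question, including its VersionStage condition.
CACHED_SECRET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": LAMBDA_ROLE},
    "Action": "secretsmanager:GetSecretValue", "Resource": "*",
    "Condition": {"ForAnyValue:StringEquals": {"secretsmanager:VersionStage": "AWSCURRENT"}}}]}


def _as_list(value: Any) -> list:
    return value if isinstance(value, list) else [value]


def _glob(pattern: str, value: str) -> bool:
    # IAM matches action and resource strings case-insensitively and honours '*'.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _principal_matches(stmt_principal: Any, kind: str, ident: str) -> bool:
    # kind is "Service" (e.g. appflow.amazonaws.com) or "AWS" (an IAM ARN).
    if stmt_principal == "*":
        return True
    if not isinstance(stmt_principal, dict):
        return False
    return any(p in ("*", ident) for p in _as_list(stmt_principal.get(kind, [])))


def _condition_holds(condition: dict, ctx: dict) -> bool:
    for operator, pairs in condition.items():
        for_any = operator.startswith("ForAnyValue:")
        base = operator.split(":", 1)[1] if ":" in operator else operator
        if base != "StringEquals":
            raise NotImplementedError(operator)  # keep the model honest about its scope
        for key, wanted in pairs.items():
            if key not in ctx:
                return False  # a key missing from the request context never matches
            wanted_set, present = set(_as_list(wanted)), _as_list(ctx[key])
            if for_any and not any(v in wanted_set for v in present):
                return False
            if not for_any and not all(v in wanted_set for v in present):
                return False
    return True


def is_allowed(policy: dict, kind: str, ident: str, action: str, resource: str,
               ctx: Optional[dict] = None) -> bool:
    """True if some Allow statement matches and no Deny statement does."""
    ctx = ctx or {}
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not _principal_matches(stmt.get("Principal"), kind, ident):
            continue
        if not any(_glob(a, action) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_glob(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], ctx):
            continue
        if stmt.get("Effect") == "Deny":
            return False  # an explicit Deny wins over any Allow
        allowed = True
    return allowed


def checks() -> dict:
    """The page's three scenarios; each key names the question being asked."""
    get = "secretsmanager:GetSecretValue"
    stage = {"secretsmanager:VersionStage": "AWSCURRENT"}
    # The post's fix: the same statement with the Condition removed.
    fixed = {"Statement": [{k: v for k, v in CACHED_SECRET_POLICY["Statement"][0].items()
                            if k != "Condition"}]}
    return {
        "appflow_secret_allows_secretsmanager_principal":
            is_allowed(APPFLOW_SECRET_POLICY, "Service", "secretsmanager.amazonaws.com", get, SECRET_ARN),
        "appflow_secret_allows_appflow_principal":
            is_allowed(APPFLOW_SECRET_POLICY, "Service", "appflow.amazonaws.com", get, SECRET_ARN),
        "key_allows_lambda_decrypt":
            is_allowed(KMS_KEY_POLICY, "Service", "lambda.amazonaws.com", "kms:Decrypt", KEY_ARN),
        "key_allows_lambda_generatedatakey_variant":
            is_allowed(KMS_KEY_POLICY, "Service", "lambda.amazonaws.com",
                       "kms:GenerateDataKeyWithoutPlaintext", KEY_ARN),
        "key_allows_kafka_decrypt":
            is_allowed(KMS_KEY_POLICY, "Service", "kafka.amazonaws.com", "kms:Decrypt", KEY_ARN),
        "cached_get_with_stage_in_context":
            is_allowed(CACHED_SECRET_POLICY, "AWS", LAMBDA_ROLE, get, SECRET_ARN, stage),
        "cached_get_without_stage_in_context":
            is_allowed(CACHED_SECRET_POLICY, "AWS", LAMBDA_ROLE, get, SECRET_ARN),
        "cached_get_after_removing_condition":
            is_allowed(fixed, "AWS", LAMBDA_ROLE, get, SECRET_ARN),
    }
```

The results line up with what the posts report: the AppFlow secret policy grants secretsmanager.amazonaws.com, not the AppFlow service principal the error message says needs access; the key policy covers Lambda and no other service; and the conditioned secret policy allows GetSecretValue only when the request context carries secretsmanager:VersionStage, which is why a call that omits the stage fails and removing the Condition resolves it.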

CloudFormation unable to access SSM parameters in template despite policy

I am attempting to deploy a CloudFormation template that pulls in some parameters from SSM using the method described in this blog-post: https://aws.amazon.com/blogs/mt/integrating-aws-cloudformation-with-aws-systems-manager-parameter-store/
The relevant excerpt from the Parameters section of the CF template is:
"ZoneName" : {
  "Type" : "AWS::SSM::Parameter::Value<String>",
  "Description" : "DNS Hostname Zone",
  "Default" : "/Deimos/ZoneName"
},
"ZoneId" : {
  "Type" : "AWS::SSM::Parameter::Value<String>",
  "Description" : "DNS Hostname Zone",
  "Default" : "/Deimos/ZoneId"
},
However, I'm getting the following error when I attempt to deploy it (via CodePipeline):
Action execution failed
AccessDenied. User doesn't have permission to call ssm:GetParameters (Service: AmazonCloudFormation; Status Code: 400; Error Code: ValidationError; Request ID: d6756fbe-fd41-4ac5-93bd-56e5b397445e)
I've got a Role and Policy setup for CloudFormation that includes the following section to grant access to some parameter namespaces within SSM:
{
  "Sid": "XonoticCFFetchParameters",
  "Effect": "Allow",
  "Action": [
    "ssm:GetParameters",
    "ssm:GetParameter"
  ],
  "Resource": [
    "arn:aws:ssm:*:<aws account #>:parameter/Deimos/*",
    "arn:aws:ssm:*:<aws account #>:parameter/Installers/*",
    "arn:aws:ssm:*:<aws account #>:parameter/Xonotic/*"
  ]
},
These seem to have been applied just fine, based on the use of
aws iam simulate-principal-policy --policy-source-arn "arn:aws:iam::<aws account #>:role/Xonotic-CloudFormationDeploy" --action-names "ssm:getParameters" --resource-arns "arn:aws:ssm:*:<aws account #>:parameter/Deimos/ZoneName"
{
  "EvaluationResults": [
    {
      "EvalActionName": "ssm:getParameters",
      "EvalResourceName": "arn:aws:ssm:*:<aws account #>:parameter/Deimos/ZoneName",
      "EvalDecision": "allowed",
      "MatchedStatements": [
        {
          "SourcePolicyId": "Xonotic-Deployment",
          "StartPosition": {
            "Line": 3,
            "Column": 19
          },
          "EndPosition": {
            "Line": 16,
            "Column": 10
          }
        }
      ],
      "MissingContextValues": []
    }
  ]
}
So, the Role I'm using should have the access needed to fetch the parameter in question, but it's not working and I'm out of things to check.
Ok - so in this case it turns out there was a JSON parameters file in the build pipeline that was overriding one of my parameters with an invalid value (it was putting the actual zone name in ZoneName).
Fixed that and parameters are now being passed to my build process just fine.
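The root cause in this last post was not the role at all: a pipeline parameters file replaced the SSM parameter name with the resolved value, so CloudFormation tried to read a parameter that did not exist under the namespaces the role may read. The following is an added example, written for this page rather than taken from the post: a pre-deploy check that walks the template's Parameters section, picks out every AWS::SSM::Parameter::Value parameter, applies the pipeline's overrides, and flags values that do not look like SSM parameter names or that fall outside the namespaces granted in the quoted IAM statement. The template parameters and namespaces are the post's; the override files are constructed stand-ins for a CodePipeline template-configuration file, and the "leading slash" test is a heuristic that suits hierarchical parameter names like the template's defaults.

```python
"""Pre-deploy check for CloudFormation templates that resolve parameters from
SSM Parameter Store.  Added example, not code from the post."""
import fnmatch
import re

SSM_PARAM_TYPE = re.compile(r"^AWS::SSM::Parameter::Value<")

# Parameters section quoted in the question.
TEMPLATE_PARAMETERS = {
    "ZoneName": {"Type": "AWS::SSM::Parameter::Value<String>",
                 "Description": "DNS Hostname Zone", "Default": "/Deimos/ZoneName"},
    "ZoneId": {"Type": "AWS::SSM::Parameter::Value<String>",
               "Description": "DNS Hostname Zone", "Default": "/Deimos/ZoneId"},
}
# Namespaces the deploy role may read, from the question's IAM statement with
# the "arn:aws:ssm:*:<account>:parameter" prefix stripped off.
READABLE_NAMESPACES = ["/Deimos/*", "/Installers/*", "/Xonotic/*"]

# Constructed template-configuration files ({"Parameters": {...}} as CodePipeline uses).
GOOD_OVERRIDES = {"Parameters": {"ZoneName": "/Deimos/ZoneName"}}
BROKEN_OVERRIDES = {"Parameters": {"ZoneName": "example.net"}}  # resolved value, not a name
OUT_OF_SCOPE_OVERRIDES = {"Parameters": {"ZoneId": "/Other/ZoneId"}}  # role cannot read it


def check_overrides(template_params: dict, config: dict, namespaces: list) -> list:
    """Return one finding per SSM-typed parameter whose effective value is suspect."""
    overrides = config.get("Parameters", {})
    findings = []
    for name, spec in template_params.items():
        if not SSM_PARAM_TYPE.match(spec.get("Type", "")):
            continue  # ordinary parameters are passed through as-is
        ssm_name = overrides.get(name, spec.get("Default"))
        if ssm_name is None:
            findings.append(f"{name}: no SSM parameter name supplied")
        elif not ssm_name.startswith("/"):
            # Heuristic: the template's defaults are hierarchical names, so a
            # value without a leading slash is almost certainly a resolved value.
            findings.append(f"{name}: {ssm_name!r} looks like a resolved value, "
                            "not an SSM parameter name")
        elif not any(fnmatch.fnmatchcase(ssm_name, ns) for ns in namespaces):
            findings.append(f"{name}: {ssm_name!r} is outside the namespaces the "
                            "deploy role may read; expect AccessDenied on ssm:GetParameters")
    return findings


if __name__ == "__main__":
    for label, cfg in [("good", GOOD_OVERRIDES), ("broken", BROKEN_OVERRIDES),
                       ("out-of-scope", OUT_OF_SCOPE_OVERRIDES)]:
        print(label, check_overrides(TEMPLATE_PARAMETERS, cfg, READABLE_NAMESPACES))
```

Run as a pipeline step before the CloudFormation action, the check turns an opaque "User doesn't have permission to call ssm:GetParameters" into a message that names the parameter and the offending value.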