aws lambda function to support secret manager rotation - amazon-web-services

I have created a Lambda function which I intend to serve as a secret rotation function to be used by Secrets Manager, but when I try to add this function as a rotation function in Secrets Manager I get the error "Secrets Manager cannot invoke the specified lambda function. Ensure that the function policy grants access to the principal secretsmanager.amazonaws.com".
But I have already allowed Secrets Manager to invoke the function in the function's resource-based policy; this is what I have defined:
{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "Secret-Manager-Access-To-fun_SSH-function",
      "Effect": "Allow",
      "Principal": {
        "Service": "secretsmanager.amazonaws.com"
      },
      "Action": "lambda:Invoke",
      "Resource": "arn:aws:lambda:us-east-1:296808031351:function:fun_ssh"
    }
  ]
}
I am unable to understand what I am missing. How do I get this to work?
TIA

A reason could be that you use an incorrect action: lambda:Invoke.
The correct action for invoking a Lambda function is lambda:InvokeFunction.
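The following is an added example (not code from the question or the answer above) that checks a Lambda resource-based policy for exactly the grant Secrets Manager needs: an Allow for the service principal secretsmanager.amazonaws.com, the action lambda:InvokeFunction (not the non-existent lambda:Invoke), and a Resource that covers the function. It also warns when the grant has no aws:SourceAccount/aws:SourceArn condition, the scoping AWS recommends for rotation functions. The account id and function ARN are constructed placeholders, and the sample policy embeds the question's statement with those placeholders.

```python
import json

ROTATION_PRINCIPAL = "secretsmanager.amazonaws.com"
REQUIRED_ACTION = "lambda:InvokeFunction"

# Constructed placeholders, not the question's real account id.
ACCOUNT_ID = "111122223333"
FUNCTION_ARN = f"arn:aws:lambda:us-east-1:{ACCOUNT_ID}:function:fun_ssh"

# Constructed sample: the policy from the question (wrong action kept on purpose).
POLICY_FROM_QUESTION = json.dumps({
    "Version": "2012-10-17",
    "Id": "default",
    "Statement": [{
        "Sid": "Secret-Manager-Access-To-fun_SSH-function",
        "Effect": "Allow",
        "Principal": {"Service": ROTATION_PRINCIPAL},
        "Action": "lambda:Invoke",
        "Resource": FUNCTION_ARN,
    }],
})


def _as_list(value):
    """Policy elements may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def rotation_policy(function_arn, account_id, scope_to_account=True):
    """Build the resource-based policy a rotation function needs.

    With scope_to_account=True the grant carries an aws:SourceAccount condition so
    that only secrets in your own account can drive the function (confused-deputy
    protection, as AWS recommends for rotation functions).
    """
    statement = {
        "Sid": "AllowSecretsManagerRotation",
        "Effect": "Allow",
        "Principal": {"Service": ROTATION_PRINCIPAL},
        "Action": REQUIRED_ACTION,
        "Resource": function_arn,
    }
    if scope_to_account:
        statement["Condition"] = {"StringEquals": {"aws:SourceAccount": account_id}}
    return json.dumps({"Version": "2012-10-17", "Statement": [statement]})


def check_rotation_policy(policy_json, function_arn):
    """Return (errors, warnings); no errors means Secrets Manager can invoke the function."""
    policy = json.loads(policy_json)
    errors, warnings = [], []
    grant_found = False
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or ROTATION_PRINCIPAL not in services:
            continue  # not a grant to the Secrets Manager service principal
        resources = _as_list(stmt.get("Resource"))
        if function_arn not in resources and "*" not in resources:
            errors.append(f"{sid}: Resource {resources} does not cover {function_arn}")
            continue
        actions = _as_list(stmt.get("Action"))
        if REQUIRED_ACTION not in actions and "lambda:*" not in actions:
            errors.append(f"{sid}: Action {actions} lacks {REQUIRED_ACTION} "
                          "('lambda:Invoke' is not a Lambda action)")
            continue
        grant_found = True
        conditions = stmt.get("Condition", {})
        keys = {k.lower() for block in conditions.values() for k in block}
        if not keys & {"aws:sourceaccount", "aws:sourcearn"}:
            warnings.append(f"{sid}: no aws:SourceAccount/aws:SourceArn condition; "
                            "a secret in another account could be pointed at this function")
    if not grant_found and not errors:
        errors.append(f"no Allow statement for {ROTATION_PRINCIPAL} found")
    return errors, warnings


if __name__ == "__main__":
    for name, doc in (("question", POLICY_FROM_QUESTION),
                      ("corrected", rotation_policy(FUNCTION_ARN, ACCOUNT_ID))):
        errs, warns = check_rotation_policy(doc, FUNCTION_ARN)
        print(name, "errors:", errs, "warnings:", warns)
```

Run against the question's policy the checker reports the single error (wrong action); against the policy built by `rotation_policy` it reports nothing, and with `scope_to_account=False` it is clean but warns about the missing condition.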

Related

Variable in AWS IAM role to grant permissions to Lambda function

I am trying to figure out if it is possible to design an AWS IAM role that would dynamically grant permission to a resource based on the name of the calling resource. For example, I currently have a role that grants a Lambda function permission to create and write CloudWatch logs, which looks like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CWLog",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/lambda/MyLambdaFunction*"
    }
  ]
}
I am wondering if there is a way to substitute the string MyLambdaFunction for the name of the calling Lambda function using some ${aws:NameOfTheLambdaFunction} variable, so that I can have a generic policy allowing functions to write only to their specific CW log groups that I can attach to different Lambda roles - with the resource statement looking like: "Resource": "arn:aws:logs:*:*:log-group:/aws/lambda/${aws:NameOfTheLambdaFunction}*"
Is something like this possible?
You're referring to an IAM policy variable which provides you the name of the calling Lambda function.
Unfortunately, this policy variable does not currently exist and so this isn't possible.

How to restrict AWS lambda access to only one role

I have created one Lambda. I need to provide access to only one role that is created for this Lambda, i.e. only this role should have the invoke access. There may be other roles in the account which may have invoke access on all Lambdas, but I want to restrict those roles from accessing my Lambda.
Can anyone please suggest a way to achieve this behavior?
A resource-based policy attached to a lambda function will work as Maurice commented.
Below is the sample policy. The action specified in the policy statement is explicitly denied to all principals except for the one specified. Only lambda_role is allowed to invoke the testfunction Lambda using the below resource-based policy.
{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "0001",
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": "arn:aws:iam::659266464590:role/service-role/lambda_role"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:659266464590:function:testfunction"
    }
  ]
}
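To see why the Deny/NotPrincipal statement above overrides the "invoke all Lambdas" permission that other roles carry, here is an added example (not from the answer, and not AWS's evaluator) that models the one rule that matters here: an explicit Deny wins over any Allow, and with no applicable Allow the request is implicitly denied. Account id and role names are constructed placeholders; the resource policy is the answer's statement with those placeholders, and the broad identity-based policy stands in for the "other roles" the question mentions.

```python
import fnmatch

# Constructed placeholders, not the answer's real account id.
ACCOUNT = "111122223333"
FUNCTION_ARN = f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:testfunction"
ALLOWED_ROLE = f"arn:aws:iam::{ACCOUNT}:role/service-role/lambda_role"
OTHER_ROLE = f"arn:aws:iam::{ACCOUNT}:role/some-other-role"

# Constructed sample: the Deny/NotPrincipal resource-based policy from the answer.
RESOURCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "0001",
        "Effect": "Deny",
        "NotPrincipal": {"AWS": ALLOWED_ROLE},
        "Action": "lambda:InvokeFunction",
        "Resource": FUNCTION_ARN,
    }],
}

# Constructed sample: the broad identity-based policy the "other roles" carry,
# allowing invoke on every function in the account.
BROAD_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": "*"}],
}


def _as_list(value):
    """Policy elements may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """Match policy wildcards ('*', '?') against a concrete action or ARN."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_arns(element):
    """Flatten a Principal/NotPrincipal element to the AWS ARNs it names."""
    if element == "*":
        return ["*"]
    return _as_list(element.get("AWS"))


def statement_applies(stmt, principal_arn, action, resource):
    """True if Action, Resource and (Not)Principal of this statement all cover the request."""
    if not _matches(stmt.get("Action"), action):
        return False
    if not _matches(stmt.get("Resource"), resource):
        return False
    if "Principal" in stmt and not _matches(_principal_arns(stmt["Principal"]), principal_arn):
        return False
    if "NotPrincipal" in stmt and _matches(_principal_arns(stmt["NotPrincipal"]), principal_arn):
        return False  # the caller is one of the listed exceptions
    return True


def evaluate(principal_arn, action, resource, resource_policy, identity_policy=None):
    """Return 'Allow' or 'Deny': explicit Deny beats every Allow, otherwise implicit deny."""
    effects = []
    for stmt in resource_policy.get("Statement", []):
        if statement_applies(stmt, principal_arn, action, resource):
            effects.append(stmt["Effect"])
    # identity-based statements carry no Principal; the caller is implied
    for stmt in (identity_policy or {}).get("Statement", []):
        if statement_applies(stmt, principal_arn, action, resource):
            effects.append(stmt["Effect"])
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "Deny"


if __name__ == "__main__":
    for role in (ALLOWED_ROLE, OTHER_ROLE):
        verdict = evaluate(role, "lambda:InvokeFunction", FUNCTION_ARN,
                           RESOURCE_POLICY, BROAD_IDENTITY_POLICY)
        print(role.rsplit("/", 1)[-1], verdict)
```

Two things the simulation makes visible. First, lambda_role still needs its own Allow (from its identity policy or an Allow statement in the resource policy): NotPrincipal only removes it from the Deny. Second, the NotPrincipal comparison is against the exact ARN, so a caller presenting the assumed-role session ARN form would still be denied; this is why AWS's documentation for NotPrincipal with Deny lists the assumed-role session ARN alongside the role ARN.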

Getting Error when making calls to API gateway cross account

I created an API Gateway resource policy in my account to allow another AWS account to make the API calls:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::92121395014:root"
      },
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:us-west-2:86219495289:74lbi0nlsf/*/*/*"
    }
  ]
}
Now, when I try to make calls from a Lambda in AWS account 92121395014 to the API Gateway in AWS account 86219495289, it throws an error with 403. Why is this so? When I create an IAM user in account 92121395014 and use that to make calls from Postman using the AWS key and secret, it works fine. Any idea why, and how can I fix it?

aws s3 upload fails only in production environment, but succeeds in local environment

I tried to upload an image using aws-sdk and multer-s3.
In my local environment, uploading an image succeeded, but in the production environment (AWS Lambda) it fails with error status 403 Forbidden.
But my AWS credential key and secret key are the same as in the local environment; I also checked the AWS key in the production environment successfully.
I think there is no difference between the two environments. What am I missing?
I have even tried setting the AWS key in my router code like below, but it also failed.
AWS.config.accessKeyId = 'blabla';
AWS.config.secretAccessKey = 'blalbla';
AWS.config.region = 'ap-northeast-2';
and here is my policy:
{
  "Id": "Policy1536755128154",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1536755126539",
      "Action": [
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::elebooks-image/*",
      "Principal": "*"
    }
  ]
}
Update the S3 bucket policy attached to your user according to the policy below:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::YOUR-BUCKET",
        "arn:aws:s3:::YOUR-BUCKET/*"
      ]
    }
  ]
}
It's working on my server.
I haven't worked with AWS Lambda but I am familiar with S3. When you're using the AWS SDK in your local environment, you're probably using the root user with default full access, so it will just work.
With Lambda, however, according to the following extract from the documentation, you need to make sure that the IAM role you specified when you created the Lambda function has the appropriate permissions to do an s3:PutObject to that bucket.
Permissions for your Lambda function – Regardless of what invokes a Lambda function, AWS Lambda executes the function by assuming the IAM role (execution role) that you specify at the time you create the Lambda function. Using the permissions policy associated with this role, you grant your Lambda function the permissions that it needs. For example, if your Lambda function needs to read an object, you grant permissions for the relevant Amazon S3 actions in the permissions policy. For more information, see Manage Permissions: Using an IAM Role (Execution Role).
See Writing IAM policies: How to grant access to an S3 bucket.
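Two points in this thread deserve a concrete check, so here is an added example (not code from the question or either answer). The bucket policy posted in the question grants s3:PutObject and s3:DeleteObject to "Principal": "*", i.e. to anyone on the internet, which is a separate problem from the 403 and the kind of statement an audit should flag; and, as the second answer says, what the Lambda needs is an identity-based policy on its execution role. The script audits a bucket policy for unconditioned grants to any principal and builds a least-privilege execution-role statement scoped to one bucket and prefix. The sample policy is the question's, with its bucket name; the `uploads/` prefix and the helper names are my own.

```python
import json

# Constructed sample: the bucket policy from the question.
QUESTION_BUCKET_POLICY = {
    "Id": "Policy1536755128154",
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Stmt1536755126539",
        "Action": ["s3:DeleteObject", "s3:GetObject", "s3:PutObject"],
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::elebooks-image/*",
        "Principal": "*",
    }],
}

# Actions that let a caller change or remove data, versus read it.
WRITE_ACTIONS = {"s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl", "s3:*", "*"}
READ_ACTIONS = {"s3:GetObject", "s3:GetObjectVersion"}


def _as_list(value):
    """Policy elements may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_anonymous(principal):
    """A Principal of "*" or {"AWS": "*"} means anyone, signed request or not."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def audit_bucket_policy(policy):
    """Return (level, message) findings for Allow statements open to any principal."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not is_anonymous(stmt.get("Principal")):
            continue
        if "Condition" in stmt:
            continue  # scoped (source IP, VPC endpoint, ...); review separately
        sid = stmt.get("Sid", "<no Sid>")
        actions = set(_as_list(stmt.get("Action")))
        resource = stmt.get("Resource")
        writes = sorted(actions & WRITE_ACTIONS)
        reads = sorted(actions & READ_ACTIONS)
        if writes:
            findings.append(("HIGH", f"{sid}: anyone may {', '.join(writes)} on {resource}"))
        if reads:
            findings.append(("INFO", f"{sid}: public read ({', '.join(reads)}) on {resource}"))
    return findings


def execution_role_policy(bucket, prefix="", actions=("s3:PutObject",)):
    """Identity-based policy for the Lambda execution role, scoped to one bucket/prefix.

    This is what the Lambda needs to upload; it replaces the anonymous grant in
    the bucket policy rather than supplementing it.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "LambdaObjectAccess",
            "Effect": "Allow",
            "Action": list(actions),
            "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
        }],
    }


if __name__ == "__main__":
    for level, message in audit_bucket_policy(QUESTION_BUCKET_POLICY):
        print(level, message)
    print(json.dumps(execution_role_policy("elebooks-image", "uploads/"), indent=2))
```

On the question's policy the audit reports one HIGH finding (anonymous put/delete) and one INFO finding (public read, which may be intended for an image bucket); a policy whose Principal is a specific role ARN produces no findings.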

AWS - How to restrict the user to delete or modify the lambda function created by others

I need to add a new AWS user to use a Lambda function, but I don't want him to delete or modify the Lambda functions created by other users. If I could also hide the other existing Lambda functions from him, that would be the ideal solution. How should I set this up in an IAM policy?
As per AWS docs, you'll want an IAM policy similar to the following. Replace the relevant AWS values.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PermissionToInvoke",
      "Effect": "Allow",
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:AWS_REGION:AWS_ACCOUNT_ID:function:LAMBDA_FUNCTION_NAME"
    }
  ]
}