Reputation: 576
I am trying to give my Lambda function permission to access Secrets Manager in a SAM template, but it is giving me an error that the policy statement is malformed.
Policies:
  - Statement:
    - Sid: AWSSecretsManagerGetSecretValuePolicy
      Effect: Allow
      Action: secretsmanager:GetSecretValue
      Resource: <arn >
Can someone let me know the correct way of adding a policy to my Lambda function? I am using a SAM template (Type: AWS::Serverless::Function).
Upvotes: 5
Views: 5997
Reputation: 123
This policy only accepts the ARN of a secret, so a secret name will not work. https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-policy-template-list.html#secrets-manager-get-secret-value-policy
Below works for me.
Resources:
  MyFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: MyProject/
      Handler: app
      Policies:
        - AWSSecretsManagerGetSecretValuePolicy:
            SecretArn: 'arn:aws:secretsmanager:####'
Or passing it as a parameter:
        - AWSSecretsManagerGetSecretValuePolicy:
            SecretArn: !Ref RdsSecretArn
Upvotes: 8
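As an added example (not part of the answer above), the following complete SAM template declares the secret in the same stack and grants the function read access to that one secret only. `!Ref` on an `AWS::SecretsManager::Secret` resolves to the secret's full ARN, which is exactly what `SecretArn` requires; the resource names, `CodeUri`, handler and runtime are assumptions. Either policy form alone is sufficient; both are shown so the policy template can be compared with its hand-written equivalent.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31

Resources:
  # Constructed example secret. Declaring it here means !Ref below yields its
  # ARN (Ref on AWS::SecretsManager::Secret returns the ARN, not the name).
  DbCredentials:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: Example database credentials for ReadSecretFunction
      GenerateSecretString:
        SecretStringTemplate: '{"username": "app_user"}'
        GenerateStringKey: password
        PasswordLength: 32
        ExcludeCharacters: '"@/\'

  ReadSecretFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: src/             # hypothetical code location
      Handler: app.handler      # hypothetical handler
      Runtime: python3.9
      Environment:
        Variables:
          # Pass the ARN to the code, never the secret value itself.
          SECRET_ARN: !Ref DbCredentials
      Policies:
        # Form 1: SAM policy template. SAM expands this into a
        # secretsmanager:GetSecretValue statement scoped to this one ARN.
        - AWSSecretsManagerGetSecretValuePolicy:
            SecretArn: !Ref DbCredentials
        # Form 2: the equivalent hand-written inline policy. It must be a
        # full policy document (Version plus Statement), and Resource is the
        # single secret ARN, not "*" and not the secret's name.
        - Version: '2012-10-17'
          Statement:
            - Sid: ReadDbCredentialsOnly
              Effect: Allow
              Action: secretsmanager:GetSecretValue
              Resource: !Ref DbCredentials
```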
Reputation: 41
This policy on the Lambda works for me (YAML):
Policies:
  - AWSSecretsManagerGetSecretValuePolicy:
      SecretArn:
        Ref: THE_NAME_YOU_GAVE_YOUR_SECRET_RESOURCE
Upvotes: 0
Reputation: 63
Try this:
Policies:
  - Version: '2012-10-17'
    Statement:
      - Sid: AWSSecretsManagerGetSecretValuePolicy
        Effect: Allow
        Action: secretsmanager:GetSecretValue
        Resource: <arn >
Upvotes: 0
Reputation: 9635
There are SAM Policy Templates, one of which is AWSSecretsManagerGetSecretValuePolicy; you can use them directly in the definition.
Or, if you want to manage the policies yourself:
QueryFunction:
  Type: AWS::Serverless::Function
  Properties:
    Handler: lambda_handler.lambda
    Policies:
      - AmazonDynamoDBFullAccess
      - AWSLambdaVPCAccessExecutionRole
      - SSMParameterReadPolicy:
          ParameterName: parameter_name
      - Statement:
          - Effect: Allow
            Action:
              - dynamodb:*
            Resource: 'resource_arn'
    Runtime: python3.7
Upvotes: 0