Reputation: 19352
I have the following resource policy on a Secrets Manager secret
{
  "Version" : "2012-10-17",
  "Statement" : [ {
    "Sid" : "rp1",
    "Effect" : "Allow",
    "Principal" : {
      "AWS" : ["*"]
    },
    "Action" : [ "secretsmanager:UpdateSecret", "secretsmanager:GetSecretValue" ],
    "Resource" : "arn:aws:secretsmanager:us-east-1:1111111111111111:secret:my-secret-VH7Qgf",
    "Condition" : {
      "ArnLike" : {
        "aws:PrincipalArn" : "arn:aws:iam::1111111111111111:role/my-role*"
      }
    }
  } ]
}
My Lambda has the following execution role ARN: arn:aws:iam::1111111111111111:role/my-role-foo
However, its execution fails with:
"errorMessage": "An error occurred (AccessDeniedException) when calling the GetSecretValue operation: User: arn:aws:sts::1111111111111111:assumed-role/my-secret/my-lambda is not authorized to perform: secretsmanager:GetSecretValue on resource: my-secret because no identity-based policy allows the secretsmanager:GetSecretValue action",
Why is that?
Upvotes: 0
Views: 1385
Reputation: 774
An AWS resource policy cannot grant permissions on the attached resource.
Hence, even if you have allowed "actions" in the resource policy, it does not mean that the resource (consumer) trying to access it has the privilege.
For the resource (consumer) to have access, it needs permissions granted via the AWS IAM role attached to it.
Therefore, you need to have secretsmanager:GetSecretValue as part of the AWS IAM role arn:aws:iam::1111111111111111:role/my-role-foo that is attached to the AWS Lambda function.
I hope it helps 😊
Upvotes: 2
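The identity-based policy the answer describes, as an added example that is not part of the original question or answer. It is an inline or customer-managed policy to attach to the Lambda execution role arn:aws:iam::1111111111111111:role/my-role-foo from the question; the secret ARN is the one from the question's resource policy, the account ID is the question's placeholder, and the policy deliberately grants only secretsmanager:GetSecretValue on that single secret rather than UpdateSecret or a wildcard resource, so the function holds no more than it needs at runtime.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowLambdaToReadMySecret",
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:us-east-1:1111111111111111:secret:my-secret-VH7Qgf"
    }
  ]
}
```

With this statement on the execution role and the resource policy from the question left in place, the request is allowed only when both sides agree: the role's identity policy grants the action on the secret, and the secret's resource policy accepts the calling principal. Keeping the resource policy's ArnLike condition is what stops any other role in the account from reading the secret even if it is granted a broad identity policy.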