In a project I'm working on, the secrets are stored in a centralized company Secrets Manager, in a specific AWS account (SECRETS_ACCOUNT).

Project resources (including lambda functions) are in a project specific account (PROJECT_ACCOUNT).

I'm trying to set up secrets rotation, but I get stuck on this error message:

AccessDeniedException: Secrets Manager cannot invoke the specified Lambda function. Ensure that the function policy grants access to the principal secretsmanager.amazonaws.com.

The lambda resource-based policy:

{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "SecretsManager",
      "Effect": "Allow",
      "Principal": {
        "Service": "secretsmanager.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:eu-west-1:PROJECT_ACCOUNT:function:secret-rotation"
    }
  ]
}

The lambda role trust relationship:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

I don't know if it matters, but both accounts are in the same region.

Did I miss something? Do I need to add additional permissions to allow a Secrets Manager from another account to invoke the lambda? Do the lambda and the secret have to be in the same account?

Thanks in advance,

HktBst
    Are there any CloudWatch Logs for the secret-rotation Lambda function? Just wondering if the AccessDeniedException is not actually that Secrets Manager cannot invoke the Lambda, but that the Lambda itself, once invoked, is throwing AccessDeniedException because it does not have relevant permissions on the secrets account. Unlikely, but may be worth checking. – jarmod Dec 03 '20 at 18:26
  • Hi @jarmod, good idea, unfortunately I checked CloudWatch and X-Ray and there is no trace of an invocation. – HktBst Dec 03 '20 at 22:53
  • Add the correct policy versions to those policies, e.g. `"Version": "2012-10-17"` – jarmod Dec 03 '20 at 23:12
  • Sorry, they were in fact already present, I updated post with the full content (versions added). – HktBst Dec 03 '20 at 23:58
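To check a Lambda resource-based policy like the one in the question offline, here is an added example (my own code, not from the question, the answer or AWS): it confirms that secretsmanager.amazonaws.com is allowed lambda:InvokeFunction and reports whether the grant is scoped to the secret's account with aws:SourceAccount or aws:SourceArn, the condition AWS recommends for service principals against the confused-deputy problem. SECRETS_ACCOUNT and PROJECT_ACCOUNT are the question's placeholders, and the sample policy is a constructed copy of the one posted.

```python
import json

ROTATION_PRINCIPAL = "secretsmanager.amazonaws.com"

# Constructed sample: the Lambda resource-based policy from the question,
# with the PROJECT_ACCOUNT placeholder left as written there.
QUESTION_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [{
    "Sid": "SecretsManager",
    "Effect": "Allow",
    "Principal": {"Service": "secretsmanager.amazonaws.com"},
    "Action": "lambda:InvokeFunction",
    "Resource": "arn:aws:lambda:eu-west-1:PROJECT_ACCOUNT:function:secret-rotation"
  }]
}""")

def _as_list(value):
    # IAM allows a single string or a list in most fields.
    return value if isinstance(value, list) else [value]

def _allows_invoke(stmt):
    # True for an Allow statement whose principal and action cover
    # Secrets Manager calling lambda:InvokeFunction.
    principal = stmt.get("Principal", {})
    services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else [principal]
    actions = _as_list(stmt.get("Action", []))
    return (stmt.get("Effect") == "Allow"
            and (ROTATION_PRINCIPAL in services or "*" in services)
            and any(a in ("lambda:InvokeFunction", "lambda:*", "*") for a in actions))

def _source_accounts(stmt):
    # Accounts named by aws:SourceAccount / aws:SourceArn conditions (empty = unscoped).
    found = set()
    for operator in stmt.get("Condition", {}).values():
        for key, vals in operator.items():
            if key.lower() == "aws:sourceaccount":
                found.update(_as_list(vals))
            elif key.lower() == "aws:sourcearn":
                found.update(arn.split(":")[4] for arn in _as_list(vals) if arn.count(":") >= 5)
    return found

def check_rotation_policy(policy, secret_account):
    """Return a list of findings; empty means Secrets Manager in secret_account
    can invoke the function and the grant is scoped to that account."""
    grants = [s for s in policy.get("Statement", []) if _allows_invoke(s)]
    if not grants:
        return [f"no Allow for {ROTATION_PRINCIPAL} on lambda:InvokeFunction"]
    findings = []
    for stmt in grants:
        scoped = _source_accounts(stmt)
        if not scoped or "*" in scoped:
            findings.append(f"{stmt.get('Sid', '?')}: grant not scoped with aws:SourceAccount/aws:SourceArn")
        elif secret_account not in scoped:
            findings.append(f"{stmt.get('Sid', '?')}: scoped to {sorted(scoped)}, not the secret's account {secret_account}")
    return findings
```

Run against the posted policy with the secret's account, it reports the grant as unscoped; after adding a `"Condition": {"StringEquals": {"aws:SourceAccount": "SECRETS_ACCOUNT"}}` to the statement it returns no findings.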

1 Answer

Please run the command below in the AWS CLI to resolve the error "AccessDeniedException: Secrets Manager cannot invoke the specified Lambda function. Ensure that the function policy grants access to the principal secretsmanager.amazonaws.com.":

aws lambda add-permission --function-name arn:aws:lambda:us-east-1:757147756798:function:"secret name here without quotes" --principal secretsmanager.amazonaws.com --action lambda:InvokeFunction --statement-id SecretsManagerAccess

nikhil