How do I grant a rotation Lambda access to AWS Secrets Manager


Question


Using the serverless framework, I am trying to build a Lambda function that periodically rotates a secret stored in AWS Secrets Manager.


I am having trouble configuring the roles needed for the Secret Manager to execute the Lambda. In my serverless.yml I have defined the following resources:

resources:
  Resources:
    RotateKeysRole:
      Type: AWS::IAM::Role
      Properties:
        RoleName: rotate-keys-role
        ManagedPolicyArns:
          - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - lambda.amazonaws.com
                  - secretsmanager.amazonaws.com
              Action: sts:AssumeRole


and attach this role to the rotation Lambda like this:

functions:
  rotateKeys:
    handler: lambdas.rotate_keys.handler
    role: RotateKeysRole


Yet, when I try to set up Secrets Manager to use this Lambda for rotating secrets I will get the following error message:


Secrets Manager cannot invoke the specified Lambda function. Ensure that the function policy grants access to the principal secretsmanager.amazonaws.com


which puzzles me as this principal is specified. Inspecting the role in the IAM console did not reveal anything that seemed wrong to me.


How do I correctly configure the role setup in this scenario?

Answer

The procedure for setting up permissions for a lambda function which rotates AWS Secrets Manager secrets is explained in the docs. [1]

In a nutshell, you need two steps:

  • Add a trust policy to the lambda function. This can be achieved using the CloudFormation resource AWS::Lambda::Permission in the serverless.yml file. However, it is a little bit tricky to set this up, because you need to depend on the function being created. That is why the DependsOn is necessary and its value must be structured as follows: <function-name-with-first-letter-uppercase>LambdaFunction.
  • Add statements for the lambda function to call the AWS Secrets Manager API to update the secret. In the following example, I added these statements (for the single-user rotation case - see docs [1]) to the customer managed policy called rotateKeysPolicy.

Note: The function name is referenced in the DependsOn attribute. It is also referenced in the condition StringEquals and in the attribute FunctionName as: arn:aws:lambda:${self:custom.region}:${self:custom.accountId}:function:${self:service}-${self:provider.stage}-rotateKeys. Remember to change them if you change your function name.

Here is how the serverless.yml file should look:

service:
  name: <your-service-name>

provider:
  name: aws
  region: '<your-region>'

custom:
  region: ${self:provider.region}
  accountId: <your-account-id>

resources:
  Resources:
    # Execution role of the rotation function. Only lambda.amazonaws.com needs to
    # assume it; Secrets Manager does not assume this role, it invokes the function.
    FunctionRole:
      Type: AWS::IAM::Role
      Properties:
        RoleName: basic-function-role
        ManagedPolicyArns:
          - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
        Policies:
          - PolicyName: rotateKeysPolicy
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                # Secrets Manager calls needed for single-user rotation, limited to
                # secrets whose configured rotation function is this Lambda.
                - Effect: Allow
                  Action:
                    - secretsmanager:DescribeSecret
                    - secretsmanager:GetSecretValue
                    - secretsmanager:PutSecretValue
                    - secretsmanager:UpdateSecretVersionStage
                  Resource: '*'
                  Condition:
                    StringEquals:
                      'secretsmanager:resource/AllowRotationLambdaArn': "arn:aws:lambda:${self:custom.region}:${self:custom.accountId}:function:${self:service}-${self:provider.stage}-rotateKeys"
                - Effect: Allow
                  Action:
                    - secretsmanager:GetRandomPassword
                  Resource: '*'
                # Only required when the function runs inside a VPC (see [4]).
                - Effect: Allow
                  Action:
                    - ec2:CreateNetworkInterface
                    - ec2:DeleteNetworkInterface
                    - ec2:DescribeNetworkInterfaces
                  Resource: '*'
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - lambda.amazonaws.com
              Action: sts:AssumeRole
    # Resource-based policy on the function itself. This is the "function policy"
    # the error message refers to; the role's trust policy cannot replace it.
    LambdaInvokePermission:
      Type: AWS::Lambda::Permission
      DependsOn: RotateKeysLambdaFunction
      Properties:
        FunctionName: "arn:aws:lambda:${self:custom.region}:${self:custom.accountId}:function:${self:service}-${self:provider.stage}-rotateKeys"
        Action: lambda:InvokeFunction
        Principal: 'secretsmanager.amazonaws.com'

functions:
  rotateKeys:
    handler: lambdas.rotate_keys.handler
    role: FunctionRole

You have to replace <your-service-name>, <your-region> and <your-account-id>, and upload your rotation code using e.g. the package -> include attributes.

Note: There are templates for the lambda function which update the secrets. [2][3]

Please also remember to configure your VPC correctly so that the lambda function is able to reach the AWS Secrets Manager service over the network. [4]


[1] https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets-required-permissions.html
[2] https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets-create-generic-template.html
[3] https://github.com/aws-samples/aws-secrets-manager-rotation-lambdas
[4] https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotation-network-rqmts.html
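The error in the question comes from Secrets Manager evaluating the function's resource-based policy, not the execution role's trust policy, so the quickest way to confirm a deployment is to inspect both documents. The following is an added example by the editor, not code from the original answer or from AWS: it takes the JSON that `aws lambda get-policy` and `aws iam get-role` return and reports whether secretsmanager.amazonaws.com may invoke the function and whether the role's trust policy contains a stray service principal. It also checks for an aws:SourceAccount condition on the invoke grant, which AWS's rotation permission docs recommend so that a secret in another account cannot trigger your function. The account id, function ARN and the sample policy documents are constructed placeholders.

```python
"""Offline checks for the two policies involved in Secrets Manager rotation.

Parses the JSON returned by `aws lambda get-policy` (the function's resource
policy) and `aws iam get-role` (the execution role's trust policy) and reports
whether Secrets Manager is actually allowed to invoke the function, and whether
the execution role's trust policy carries a service principal that does not belong.
"""
import json
from typing import Any

SECRETS_MANAGER = "secretsmanager.amazonaws.com"
LAMBDA_SERVICE = "lambda.amazonaws.com"


def _as_list(value: Any) -> list:
    """IAM accepts a string or a list in Action/Resource/Service; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _service_principals(principal: Any) -> set:
    """Return the lowercase service principals named in a Principal element."""
    if principal == "*":
        return {"*"}
    if isinstance(principal, dict):
        return {p.lower() for p in _as_list(principal.get("Service"))}
    return set()


def _allow_statements(doc: Any) -> list:
    """Accept either the raw JSON string from the CLI or an already parsed dict."""
    policy = json.loads(doc) if isinstance(doc, str) else doc
    return [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Allow"]


def check_function_policy(policy: Any, function_arn: str) -> dict:
    """Does the function's resource policy let Secrets Manager invoke function_arn?

    Also reports whether the grant is pinned to one account via aws:SourceAccount
    (the confused-deputy protection AWS recommends on this permission).
    """
    result = {"grants_invoke": False, "scoped_to_account": False, "source_account": None}
    for st in _allow_statements(policy):
        if SECRETS_MANAGER not in _service_principals(st.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(st.get("Action"))}
        if not actions & {"lambda:invokefunction", "lambda:*", "*"}:
            continue
        resources = _as_list(st.get("Resource"))
        if function_arn not in resources and "*" not in resources:
            continue
        result["grants_invoke"] = True
        for operator, pairs in st.get("Condition", {}).items():
            if operator.lower() != "stringequals":
                continue
            for key, value in pairs.items():
                if key.lower() == "aws:sourceaccount":
                    result["scoped_to_account"] = True
                    result["source_account"] = value
    return result


def check_trust_policy(assume_role_doc: Any) -> dict:
    """Lambda must be able to assume the execution role. Any other service principal
    grants nothing useful to rotation and only widens who can assume the role."""
    principals = set()
    for st in _allow_statements(assume_role_doc):
        if "sts:assumerole" in {a.lower() for a in _as_list(st.get("Action"))}:
            principals |= _service_principals(st.get("Principal"))
    return {"lambda_can_assume": LAMBDA_SERVICE in principals,
            "unexpected_principals": sorted(principals - {LAMBDA_SERVICE})}


# Constructed sample documents (placeholder account id and ARNs, not real data).
FUNCTION_ARN = "arn:aws:lambda:eu-west-1:123456789012:function:my-service-dev-rotateKeys"

# What the AWS::Lambda::Permission from the answer produces: correct, but not account-scoped.
ANSWER_FUNCTION_POLICY = json.dumps({
    "Version": "2012-10-17", "Id": "default",
    "Statement": [{"Sid": "LambdaInvokePermission", "Effect": "Allow",
                   "Principal": {"Service": SECRETS_MANAGER},
                   "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN}]})

# The same grant with the SourceAccount condition added.
HARDENED_FUNCTION_POLICY = json.dumps({
    "Version": "2012-10-17", "Id": "default",
    "Statement": [{"Sid": "LambdaInvokePermission", "Effect": "Allow",
                   "Principal": {"Service": SECRETS_MANAGER},
                   "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN,
                   "Condition": {"StringEquals": {"AWS:SourceAccount": "123456789012"}}}]})

# Trust policy from the question: secretsmanager.amazonaws.com in the wrong place.
QUESTION_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"Service": [LAMBDA_SERVICE, SECRETS_MANAGER]}}]}

if __name__ == "__main__":
    print(check_function_policy(ANSWER_FUNCTION_POLICY, FUNCTION_ARN))
    print(check_function_policy(HARDENED_FUNCTION_POLICY, FUNCTION_ARN))
    print(check_trust_policy(QUESTION_TRUST_POLICY))
```

Against the question's role the trust check reports secretsmanager.amazonaws.com as an unexpected principal while the function policy check reports no invoke grant, which is exactly the state the error message describes. In serverless.yml the SourceAccount condition is added to the AWS::Lambda::Permission resource via its SourceAccount property.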
