无法更新IAM以允许将AWS Glue应用于AWS Secrets Manager [英] Trouble updating IAM to allow AWS Glue to the AWS Secrets Manager
问题描述
我正在一个需要AWS Glue Python脚本访问AWS Secrets Manager的项目中.
I am working on a project that requires that an AWS Glue Python script access the AWS Secrets Manager.
我曾尝试通过IAM授予Glue权限来执行此操作,但我不知道如何做.我可以看到显示Lambda有权访问的权限字符串,但是看不到编辑权限的方法.
I tried giving Glue permissions to do this via IAM, but I don't see how; I can see the permissions strings showing that Lambda has access but I don't see a way to edit them.
我尝试创建一个具有正确权限的新角色,但是当我加入该角色时,它似乎已经消失了……
I tried creating a new role that had the right permissions but when I went to attach it seemed to have disappeared ...
我的后备解决方法是通过一个小的Lambda来获取机密,然后通过S3将其传输到Glue ...但这应该是可以直接实现的.欢迎您提供任何帮助!
My fallback workaround is to grab the secret via a tiny Lambda and xfer it via S3 to Glue ... but this should be doable directly. Any help you can give is very welcome!
推荐答案
SecretsManagerReadWrite策略不只向Lambda授予权限.我认为您可能正在查看第二条语句,该语句授予Role权限来创建Lambda(用于创建Lambda以旋转秘密).
The SecretsManagerReadWrite policy does not give permissions only to Lambda. I think you may be looking at the second statement which grants the Role permissions to create Lambdas (used to create Lambdas to rotate secrets).
Looking at the Glue blog post for setting up ETL jobs, they also say you should only need to add the SecretsManagerReadWrite policy to the Glue role. However, they also say that this is just for testing and you should use a policy that grants only the necessary permissions needed (e.g. use an inline policy that grants secretsmanager:GetSecretValue with Resource being the secret in question).
您实际上并没有说您看到的错误消息.这可能有助于找出问题所在.
You don't actually say what error message you are seeing. That might be helpful in figuring out what is going wrong.
这篇关于无法更新IAM以允许将AWS Glue应用于AWS Secrets Manager的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
