Last updated: Feb 26, 2024
To grant a Lambda function access to Secrets Manager, we have to attach an IAM policy to the function's execution role. The policy should grant permissions for all the Actions the function needs to perform on the secrets.

For example, the following policy grants permissions for the most commonly used Secrets Manager actions on a specific secret. Replace the YOUR_SECRET_ARN placeholder in the Resource element with the secret's ARN.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret",
        "secretsmanager:ListSecretVersionIds",
        "secretsmanager:PutSecretValue",
        "secretsmanager:UpdateSecret",
        "secretsmanager:TagResource",
        "secretsmanager:UntagResource"
      ],
      "Resource": ["YOUR_SECRET_ARN"]
    }
  ]
}
To read the value of a secret, the function needs the secretsmanager:GetSecretValue action. The other actions your Lambda function needs to perform on the secrets are use-case specific.

You could set "secretsmanager:*" for the Action element in the policy to grant full Secrets Manager access to the Lambda function. However, it's best practice to grant an entity the least permissions that get the job done.

You can view a full list of the Secrets Manager actions in the Secrets Manager Actions table. There is a Description column that explains what each action does.
To attach a policy to the Lambda function's execution role:

1. Open the Lambda function in the AWS console, click on the Configuration tab and then click Permissions.
2. Click on the role's name under Execution role to open the role in the IAM console.
3. Click Add permissions and then click Create inline policy.
4. In the JSON editor, paste the following policy. Replace the YOUR_SECRET_ARN placeholder and adjust the Actions your Lambda function needs to execute.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret",
        "secretsmanager:ListSecretVersionIds",
        "secretsmanager:PutSecretValue",
        "secretsmanager:UpdateSecret",
        "secretsmanager:TagResource",
        "secretsmanager:UntagResource"
      ],
      "Resource": ["YOUR_SECRET_ARN"]
    }
  ]
}

5. Click Review Policy and give your policy a name, then click Create policy.

At this point, the Lambda function's role has been extended with a policy that grants access to some Secrets Manager actions on a specific secret.
Invoke your Lambda function and verify whether it has access to the secret.

If your function is still unable to access the Secrets Manager secret, try to increase the function's timeout by a second in the AWS console, or simply add an extra print statement in the code and click the Deploy button.
If your Lambda function still doesn't have access to the secret, expand the IAM policy you added to the function's role and edit it to look like the policy below. Replace the YOUR_SECRET_ARN placeholder with the secret's ARN.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["secretsmanager:*"],
      "Resource": ["YOUR_SECRET_ARN"]
    }
  ]
}

The IAM policy above grants full access to a specific secret. Your Lambda function will be able to execute all Secrets Manager actions on the secret. The * wildcard is useful when debugging.

After you've updated the policy, try to invoke your Lambda function again; it should have permission to execute any action on the secret. After you verify which actions your Lambda needs to run, you can make the IAM policy less permissive.

Note that a Deny effect will always override any Allow statements.

To grant a Lambda function access to an SSM parameter, we have to attach an IAM policy to the function's execution role.
The policy should grant permissions for all the Actions the function needs to perform on the SSM parameter.

For example, the following policy grants permissions for the most commonly used Parameter Store actions on a specific parameter. Replace the YOUR_* placeholders in the Resource element with the real values. You can add multiple parameter ARNs to the Resource list, or just add *, which means your function has access to all of the parameters in the account.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameter",
        "ssm:GetParameters",
        "ssm:GetParametersByPath",
        "ssm:PutParameter",
        "ssm:DeleteParameter",
        "ssm:DeleteParameters"
      ],
      "Resource": [
        "arn:aws:ssm:YOUR_REGION:YOUR_ACCOUNT_NUMBER:parameter/PARAMETER_NAME_WITHOUT_LEADING_SLASH"
      ]
    }
  ]
}
Once the real values are in place, the Resource element should look similar to:

arn:aws:ssm:us-east-1:123456789:parameter/PARAMETER_NAME_WITHOUT_LEADING_SLASH

Note that if your parameter name starts with a leading slash, e.g. /my-app/dev/db-url, the slash should be omitted when specifying the name in the Resource element of the IAM policy - my-app/dev/db-url.

The actions your Lambda function needs to perform on the SSM parameter are use case dependent.
You could set "ssm:*" for the Action element in the policy to grant full Parameter Store access to the Lambda function. You could also set the Resource element to *, which means the function can access all SSM parameters in the account. However, it's best practice to grant an entity the least permissions that get the job done.

You can view a full list of the Parameter Store actions in the Systems Manager actions table. There is a Description column, which explains what each action does.
To attach a policy to the Lambda function's execution role:

1. Open the Lambda function in the AWS console, click on the Configuration tab and then click Permissions.
2. Click on the role's name under Execution role to open the role in the IAM console.
3. Click Add permissions and then click Create inline policy.
4. In the JSON editor, paste the following policy. Replace the YOUR_* placeholders and adjust the Actions your Lambda function needs to execute.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameter",
        "ssm:GetParameters",
        "ssm:GetParametersByPath",
        "ssm:PutParameter",
        "ssm:DeleteParameter",
        "ssm:DeleteParameters"
      ],
      "Resource": [
        "arn:aws:ssm:YOUR_REGION:YOUR_ACCOUNT_NUMBER:parameter/PARAMETER_NAME_WITHOUT_LEADING_SLASH"
      ]
    }
  ]
}

5. Click Review Policy and give your policy a name, then click Create policy.

At this point, the Lambda function's role has been extended with a policy that grants access to some Parameter Store actions on a specific parameter.
You can add multiple parameters to the Resource element of the policy, or set the Resource to *.

Invoke your Lambda function and verify whether it has access to the SSM parameter.

If your function is still unable to access the SSM parameter, try to increase the function's timeout by a second in the AWS console, or simply add an extra print statement in the code and click the Deploy button.
If your Lambda function still does not have access to the parameter, expand the IAM policy you added to the function's role and edit it to look like the policy below. Replace the YOUR_* placeholders with real values.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ssm:*"],
      "Resource": [
        "arn:aws:ssm:YOUR_REGION:YOUR_ACCOUNT_NUMBER:parameter/PARAMETER_NAME_WITHOUT_LEADING_SLASH"
      ]
    }
  ]
}

The IAM policy above grants full access to an SSM parameter. Your Lambda function will be able to execute all Parameter Store actions on the parameter. The * wildcard is useful when debugging.

After you've updated the policy, try to invoke your Lambda function again; it should have permission to execute any action on the SSM parameter. After you verify which actions your Lambda needs to run, you can make the IAM policy less permissive.
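The rules this tutorial relies on in both sections (a * wildcard in Action or Resource widens a grant, an explicit Deny overrides every Allow, and the leading slash is dropped from a Parameter Store ARN) can be checked offline before a policy is attached. The following Python is an added example, not code from the original tutorial: a deliberately simplified evaluator for identity-based policies plus an ARN builder, with constructed sample account numbers, secret ARNs and policies (NotAction, conditions and resource policies are out of scope).

```python
import re

def _glob_match(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' matches any run of characters, '?' one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def _as_list(value):
    # IAM accepts a bare string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def is_allowed(policies, action: str, resource: str) -> bool:
    """Simplified evaluation of identity-based policies for one action on one
    resource: an explicit Deny always wins, then any matching Allow, otherwise
    the request is implicitly denied. Action names match case-insensitively."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            action_hit = any(_glob_match(a.lower(), action.lower()) for a in _as_list(stmt["Action"]))
            resource_hit = any(_glob_match(r, resource) for r in _as_list(stmt["Resource"]))
            if not (action_hit and resource_hit):
                continue
            if stmt["Effect"] == "Deny":
                return False  # explicit Deny overrides every Allow
            allowed = True
    return allowed

def ssm_parameter_arn(region: str, account: str, name: str) -> str:
    """Parameter Store ARN for a parameter name; a leading '/' is dropped."""
    return f"arn:aws:ssm:{region}:{account}:parameter/{name.lstrip('/')}"

# Constructed sample values (not real resources).
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-app/dev/db-creds-AbCdEf"
OTHER_SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:other-app/prod-XyZ123"
DB_URL_ARN = ssm_parameter_arn("us-east-1", "123456789012", "/my-app/dev/db-url")

# Least-privilege policy: only the actions the function really needs, on one secret.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
    "Resource": [SECRET_ARN]}]}
# The "*" debugging policy from the tutorial: every Secrets Manager action on that secret.
DEBUG_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["secretsmanager:*"], "Resource": [SECRET_ARN]}]}
# An explicit Deny attached elsewhere on the role; it overrides any Allow above.
DENY_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Deny",
    "Action": "secretsmanager:GetSecretValue", "Resource": "*"}]}
# Parameter Store policy scoped to the single parameter named above.
SSM_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["ssm:GetParameter"], "Resource": [DB_URL_ARN]}]}
```

Call is_allowed with the list of policies attached to the role and the action/ARN pair the function will use; a False result for a required action means the policy is still too narrow, while True for an action the function never calls means it can be tightened.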
Note that a Deny effect will always override any Allow statements.

I've also written a tutorial on how to add permissions to Lambda functions in AWS CDK.
You can learn more about the related topics by checking out the following tutorials: