Grant AWS Lambda Access to Secrets Manager/Parameter Store

# Table of Contents

1. Grant AWS Lambda Access to Secrets Manager
2. Grant AWS Lambda Access to SSM Parameter Store

# Grant AWS Lambda Access to Secrets Manager

To grant a Lambda function access to Secrets Manager, we have to attach an IAM policy to the function's execution role.

The policy should grant permissions for all the Actions the function needs to perform on the secrets.

For example, the following policy grants permissions for the most commonly used secrets manager actions on a specific secret.

Copied!
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
              "secretsmanager:GetSecretValue",
              "secretsmanager:DescribeSecret",
              "secretsmanager:ListSecretVersionIds",
              "secretsmanager:PutSecretValue",
              "secretsmanager:UpdateSecret",
              "secretsmanager:TagResource",
              "secretsmanager:UntagResource"
            ],
            "Resource": [
              "YOUR_SECRET_ARN"
            ]
        }
    ]
}

The actions your lambda function needs to perform on the secrets are use case specific.

You can view a full list of the secrets manager Actions in the Secrets Manager Actions table.

There is a Description column that explains what each action does.

To attach a policy to the lambda function's execution role:

1. Open the AWS Lambda console and click on your function's name
2. Click on the Configuration tab and then click Permissions

3. Click on the function's role
4. Click on Add permissions and then click Create inline policy

5. In the JSON editor, paste the following policy.

Copied!
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
              "secretsmanager:GetSecretValue",
              "secretsmanager:DescribeSecret",
              "secretsmanager:ListSecretVersionIds",
              "secretsmanager:PutSecretValue",
              "secretsmanager:UpdateSecret",
              "secretsmanager:TagResource",
              "secretsmanager:UntagResource"
            ],
            "Resource": [
              "YOUR_SECRET_ARN"
            ]
        }
    ]
}

6. Click Review Policy and give your policy a name, then click Create policy

At this point, the lambda function's role has been extended with a policy that grants access to some secrets manager actions on a specific secret.

Invoke your lambda function and verify whether it has access to the secret.

If your function is still unable to access the Secrets manager secret, try to increase the function's timeout by a second in the AWS console, or simply add an extra print statement in the code and click the Deploy button.

If your lambda function still doesn't have access to the secret, expand the IAM policy you added to the function's role and edit it to look like the policy below.

Copied!
{
    "Version": "2012-10-17",
    "Statement": [
        {
          "Effect": "Allow",
          "Action": [
              "secretsmanager:*"
            ],
          "Resource": [
            "YOUR_SECRET_ARN"
          ]
        }
    ]
}

The IAM policy above grants full access to a specific secret. Your lambda function will be able to execute all Secrets Manager actions on the secret.

After you've updated the policy, try to invoke your lambda function again, it should have permission to execute any action on the secret.

After you verify which actions your lambda needs to run, you can make the IAM policy less permissive.

# Grant AWS Lambda Access to SSM Parameter Store

To grant a Lambda function access to an SSM parameter, we have to attach an IAM policy to the function's execution role.

The policy should grant permissions for all the Actions the function needs to perform on the SSM parameter.

For example, the following policy grants permissions for the most commonly used Parameter Store actions on a specific parameter.

Copied!
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
              "ssm:GetParameter",
              "ssm:GetParameters",
              "ssm:GetParametersByPath",
              "ssm:PutParameter",
              "ssm:DeleteParameter",
              "ssm:DeleteParameters"
            ],
            "Resource": [
              "arn:aws:ssm:YOUR_REGION:YOUR_ACCOUNT_NUMBER:parameter/PARAMETER_NAME_WITHOUT_LEADING_SLASH"
            ]
        }
    ]
}

The Resource element should look similar to: arn:aws:ssm:us-east-1:123456789:parameter/PARAMETER_NAME_WITHOUT_LEADING_SLASH once the real values are in place.

The actions your lambda function needs to perform on the SSM parameter are use case dependent.

You could set "ssm:*" for the Action element in the policy to grant full parameter store access to the lambda function.

You could also set the Resource element to be *, which means the function can access all SSM parameters in the account.

However, it's best practice to grant an entity the least permissions that get the job done.

You can view a full list of the Parameter Store Actions in the Systems Manager actions table.

There is a Description column, which explains what each action does.

To attach a policy to the lambda function's execution role:

1. Open the AWS Lambda console and click on your function's name
2. Click on the Configuration tab and then click Permissions

3. Click on the function's role
4. Click on Add permissions and then click Create inline policy

5. In the JSON editor, paste the following policy.

Copied!
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
              "ssm:GetParameter",
              "ssm:GetParameters",
              "ssm:GetParametersByPath",
              "ssm:PutParameter",
              "ssm:DeleteParameter",
              "ssm:DeleteParameters"
            ],
            "Resource": [
              "arn:aws:ssm:YOUR_REGION:YOUR_ACCOUNT_NUMBER:parameter/PARAMETER_NAME_WITHOUT_LEADING_SLASH"
            ]
        }
    ]
}

6. Click Review Policy and give your policy a name, then click Create policy

At this point, the lambda function's role has been extended with a policy that grants access to some Parameter Store actions on a specific parameter.

Invoke your lambda function and verify whether it has access to the SSM parameter.

If your function is still unable to access the SSM parameter, try to increase the function's timeout by a second in the AWS console or simply add an extra print statement in the code and click the Deploy button.

If your lambda function still does not have access to the parameter, expand the IAM policy you added to the function's role and edit it to look like the policy below.

Copied!
{
    "Version": "2012-10-17",
    "Statement": [
        {
          "Effect": "Allow",
          "Action": [
              "ssm:*"
            ],
          "Resource": [
            "arn:aws:ssm:YOUR_REGION:YOUR_ACCOUNT_NUMBER:parameter/PARAMETER_NAME_WITHOUT_LEADING_SLASH"
          ]
        }
    ]
}

The IAM policy above grants full access to an SSM parameter. Your lambda function will be able to execute all Parameter store actions on the parameter.

After you've updated the policy, try to invoke your lambda function again, it should have permission to execute any action on the SSM parameter.

After you verify which actions your lambda needs to run, you can make the IAM policy less permissive.

I've also written a tutorial on how to add permissions to Lambda functions in AWS CDK.

# Additional Resources

You can learn more about the related topics by checking out the following tutorials:

• How to Grant AWS Lambda Access to an S3 Bucket
• Grant AWS Lambda Access to an SQS Queue
• Grant AWS Lambda Access to a Dynamodb Table
• AWS CDK Tutorial for Beginners - Step-by-Step Guide
• How to use Parameters in AWS CDK
• Cannot find module (AWS Lambda Error) [Solved]
• How to create a Cloudwatch Alarm in AWS CDK
• botocore.exceptions.NoRegionError: You must specify a region