Secrets Manager: Fail to rotate the secret, cannot invoke the specified Lambda function
Error: Secrets Manager cannot invoke the specified Lambda function. Ensure that the function policy grants access to the principal secretsmanager.amazonaws.com
I'm using Secrets Manager to store the secret I use to validate JWTs.
My planned setup is to rotate (deprecate) the secret with the following logic:
My secret looks like this:
{
current:'my-current-secret',
previous:'my-previous-secret',
alg:'encoding alg',
}
*Using two secrets and rotating them seems like overkill; I only keep a memory of the previous token to handle the edge case of the handover. If authentication fails, I check whether it validates using previous, and if so, it returns an updated cookie using the current key.
Creating the secret:
putSecretValue({
current: getRandomPassword(...),
previous: getSecretValue(...)['current'],
alg: env.param ? env.param : getSecretValue(...)['alg']
})
I'm not using setSecret, testSecret, finishSecret
I'm not using Serverless (I will at some point, but I want to familiarize myself with AWS/the GUI before using the CLI shortcuts)
I have looked at:
I don't know what IAM setting I'm missing.
When I try to set up the rotation lambda:
This flashes by (so fast I had to screen-record to see it):
I immediately get the following error:
I started out by giving the lambda full control over Secrets Manager and Lambda, so I could work backwards to minimal control, but even throwing the kitchen sink at it I couldn't get it to work:
{
"permissionsBoundary": {},
"roleName": "secrets_manager-role-REDACTED",
"policies": [
{
"document": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"secretsmanager:GetRandomPassword",
"secretsmanager:CreateSecret",
"secretsmanager:ListSecrets"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "secretsmanager:*",
"Resource": "arn:aws:secretsmanager:us-east-1:REDACTED:secret:REDACTED"
}
]
},
"name": "ReadWriteREDACTEDSecret",
"id": "REDACTED",
"type": "managed",
"arn": "arn:aws:iam::REDACTED:policy/ReadWriteREDACTEDSecret"
},
{
"document": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction",
"lambda:InvokeAsync"
],
"Resource": "arn:aws:lambda:us-east-1:REDACTED:function:secrets_manager"
}
]
},
"name": "invoke_secrets_manager_lambda",
"id": "REDACTED",
"type": "managed",
"arn": "arn:aws:iam::REDACTED:policy/invoke_secrets_manager_lambda"
},
{
"document": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "logs:CreateLogGroup",
"Resource": "arn:aws:logs:us-east-1:REDACTED:*"
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:us-east-1:REDACTED:log-group:/aws/lambda/secrets_manager:*"
]
}
]
},
"name": "AWSLambdaBasicExecutionRole-REDACTED",
"id": "REDACTED",
"type": "managed",
"arn": "arn:aws:iam::REDACTED:policy/service-role/AWSLambdaBasicExecutionRole-REDACTED"
},
{
"document": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudformation:DescribeChangeSet",
"cloudformation:DescribeStackResources",
"cloudformation:DescribeStacks",
"cloudformation:GetTemplate",
"cloudformation:ListStackResources",
"cloudwatch:*",
"cognito-identity:ListIdentityPools",
"cognito-sync:GetCognitoEvents",
"cognito-sync:SetCognitoEvents",
"dynamodb:*",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"events:*",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:ListAttachedRolePolicies",
"iam:ListRolePolicies",
"iam:ListRoles",
"iam:PassRole",
"iot:AttachPrincipalPolicy",
"iot:AttachThingPrincipal",
"iot:CreateKeysAndCertificate",
"iot:CreatePolicy",
"iot:CreateThing",
"iot:CreateTopicRule",
"iot:DescribeEndpoint",
"iot:GetTopicRule",
"iot:ListPolicies",
"iot:ListThings",
"iot:ListTopicRules",
"iot:ReplaceTopicRule",
"kinesis:DescribeStream",
"kinesis:ListStreams",
"kinesis:PutRecord",
"kms:ListAliases",
"lambda:*",
"logs:*",
"s3:*",
"sns:ListSubscriptions",
"sns:ListSubscriptionsByTopic",
"sns:ListTopics",
"sns:Publish",
"sns:Subscribe",
"sns:Unsubscribe",
"sqs:ListQueues",
"sqs:SendMessage",
"tag:GetResources",
"xray:PutTelemetryRecords",
"xray:PutTraceSegments"
],
"Resource": "*"
}
]
},
"name": "AWSLambdaFullAccess",
"id": "REDACTED",
"type": "managed",
"arn": "arn:aws:iam::aws:policy/AWSLambdaFullAccess"
}
],
"trustedEntities": [
"secretsmanager.amazonaws.com",
"lambda.amazonaws.com"
]
}
My lambda trust policy is as follows:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"secretsmanager.amazonaws.com",
"lambda.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}
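The current/previous key handover described in the question, as an added example that is not part of the original post: a minimal HS256 verifier that accepts a token signed under the previous key and re-issues it under the current one. The SECRET dict, its sample keys and the sign/authenticate helper names are constructed for this example; in production the value would come from get_secret_value().

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for the secret value described in the question
# ({current, previous, alg}); in production it comes from get_secret_value().
SECRET = {"current": b"my-current-secret", "previous": b"my-previous-secret", "alg": "HS256"}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict, key: bytes) -> str:
    """Issue an HS256 JWT (header.payload.signature) under the given key."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def _verify_with(token: str, key: bytes):
    """Return the claims if the token is validly signed with key, else None."""
    try:
        header, payload, sig = token.split(".")
        given = _unb64(sig)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    # The algorithm is fixed server-side; the token's own "alg" header is never trusted.
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):  # constant-time comparison
        return None
    claims = json.loads(_unb64(payload))
    return claims if claims.get("exp", 0) > time.time() else None

def authenticate(token: str, secret: dict = SECRET):
    """Return (claims, reissued_token): reissued_token is None for a token under
    the current key; one that only validates under 'previous' is accepted and
    re-signed with 'current' so the client's next cookie is up to date."""
    claims = _verify_with(token, secret["current"])
    if claims is not None:
        return claims, None
    claims = _verify_with(token, secret["previous"])
    if claims is not None:
        return claims, sign(claims, secret["current"])
    return None, None
```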
After combing through the AWS GUI for about 10 hours and searching extensively, I came across an S/O post linking to a different resource in the docs that said a lambda's function policy cannot be set in the GUI.
I ran the following command in the CLI and everything works:
aws lambda add-permission \
--function-name secrets_manager \
--principal secretsmanager.amazonaws.com \
--action lambda:InvokeFunction \
--statement-id SecretsManagerAccess
--function-name secrets_manager is because my lambda function is named secrets_manager
Source:
https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets-create-generic-template.html
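To check whether a function's resource-based policy already carries the grant the error message asks for, and to apply that grant through boto3 with a SourceAccount condition so that only Secrets Manager acting for your own account can invoke the function, here is an added example (not from the original post or from AWS documentation). The sample policy, account id and ARN are constructed; the assumed entry points are boto3's get_policy(FunctionName=...)["Policy"] and add_permission(**args).

```python
import json

SECRETS_MANAGER_PRINCIPAL = "secretsmanager.amazonaws.com"

# Constructed sample of the JSON string lambda:GetPolicy returns after the
# add-permission call in the answer (account id is a placeholder).
FUNCTION_ARN = "arn:aws:lambda:us-east-1:123456789012:function:secrets_manager"
POLICY_WITH_ACCESS = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "SecretsManagerAccess",
        "Effect": "Allow",
        "Principal": {"Service": SECRETS_MANAGER_PRINCIPAL},
        "Action": "lambda:InvokeFunction",
        "Resource": FUNCTION_ARN,
    }],
})

def _as_list(value):
    """IAM documents write one value as a string and several as a list."""
    return [value] if isinstance(value, str) else list(value or [])

def rotation_invoke_allowed(policy_json, function_arn):
    """True if the function's resource-based policy has an Allow statement
    granting lambda:InvokeFunction on function_arn to the Secrets Manager
    service principal, which is exactly what the error message asks for."""
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if (stmt.get("Effect") == "Allow"
                and SECRETS_MANAGER_PRINCIPAL in services
                and "lambda:InvokeFunction" in _as_list(stmt.get("Action"))
                and function_arn in _as_list(stmt.get("Resource"))):
            return True
    return False

def rotation_permission_args(function_name, account_id):
    """Keyword arguments for boto3's lambda.add_permission, equivalent to the
    CLI command in the answer plus SourceAccount, so that only Secrets Manager
    acting for this account can invoke the function (confused-deputy guard)."""
    return {
        "FunctionName": function_name,
        "StatementId": "SecretsManagerAccess",
        "Action": "lambda:InvokeFunction",
        "Principal": SECRETS_MANAGER_PRINCIPAL,
        "SourceAccount": account_id,
    }
```

Feed the "Policy" string from boto3.client("lambda").get_policy(FunctionName=...) to rotation_invoke_allowed; if it returns False, call add_permission(**rotation_permission_args(...)) on the same client.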