Why do I get an Access Denied message for Go AWS Lambda function using Secrets Manager API when not specifying VersionStage: AWSCURRENT?
While debugging an issue with AWS SecretsManager Caching Go, I fell back to using the AWS SecretsManager API and ran into the following error message:
AccessDeniedException: User: arn:aws:sts::redacted:assumed-role/MyLambdaFunctionName-DNV2M7OYIFMX/MyLambdaFunctionName-eoFcAmXLBOV1 is not authorized to perform: secretsmanager:GetSecretValue on resource: my_secret_name
The code is:
// imports this snippet needs (aws-sdk-go v1)
import (
    "github.com/aws/aws-sdk-go/aws"
    "github.com/aws/aws-sdk-go/aws/session"
    "github.com/aws/aws-sdk-go/service/secretsmanager"
)

// named sess so the session package is not shadowed by the variable
sess := session.Must(session.NewSession(aws.NewConfig().WithRegion("us-east-1")))
secretMgr := secretsmanager.New(sess)
res, err := secretMgr.GetSecretValue(
    &secretsmanager.GetSecretValueInput{
        SecretId: aws.String("my_secret_name"), // no VersionStage set
    },
)
The secret's resource policy is set to:
{
"Version" : "2012-10-17",
"Statement" : [ {
"Effect" : "Allow",
"Principal" : {
"AWS" : "arn:aws:iam::redacted:role/MyLambdaFunctionNameRole-DNV2M7OYIFMX"
},
"Action" : "secretsmanager:GetSecretValue",
"Resource" : "*",
"Condition" : {
"ForAnyValue:StringEquals" : {
"secretsmanager:VersionStage" : "AWSCURRENT"
}
}
} ]
}
As soon as I change the code to include a VersionStage parameter with the value "AWSCURRENT", the code runs correctly without errors:
// same imports as above; sess again avoids shadowing the session package
sess := session.Must(session.NewSession(aws.NewConfig().WithRegion("us-east-1")))
secretMgr := secretsmanager.New(sess)
res, err := secretMgr.GetSecretValue(
    &secretsmanager.GetSecretValueInput{
        SecretId:     aws.String("my_secret_name"),
        VersionStage: aws.String("AWSCURRENT"), // staging label sent explicitly
    },
)
According to the SecretsManager API documentation, "AWSCURRENT" appears to be the default when VersionStage is not specified:
If you don't specify either a VersionStage or VersionId, then the default is to perform the operation on the version with the VersionStage value of AWSCURRENT.
Can anyone explain why omitting VersionStage leads to this error message, and/or why it has anything to do with the IAM assumed role, given that the AWS secret and the lambda function are in the same account? Thanks!
The AWS docs for the secretsmanager:VersionStage condition state:
Filters the request based on the staging labels identified in the VersionStage parameter of a request. We recommend you do not use this key, because if you use this key, requests must pass in a staging label to compare to this policy.
This is exactly what you are experiencing. When using this condition you must explicitly include the label. It does not explain why the 'default' stage of AWSCURRENT does not work. You can find an extensive GitHub thread discussing this issue here. The conclusion is basically that the way the documentation phrases this is indeed a bit lame, but they don't think there is a reason to actually update the docs yet.
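The behaviour described in this answer comes down to how IAM evaluates a condition whose key is absent from the request context. The following Go model is added here and is neither the asker's code nor part of the AWS SDK: `Condition`, `RequestContext`, `Evaluate` and `BuildContext` are assumed names, and it models only StringEquals with the ForAnyValue/ForAllValues set operators, which is enough to reproduce the page's policy.

```go
package main

import "fmt"

// Condition models one IAM Condition entry such as
// "ForAnyValue:StringEquals": {"secretsmanager:VersionStage": "AWSCURRENT"}.
// Only StringEquals is modelled; SetOp is "ForAnyValue", "ForAllValues" or "".
type Condition struct {
	SetOp  string
	Key    string
	Values map[string]bool // policy values as a set
}

// RequestContext holds the condition keys IAM has for one request. A key the
// caller did not send is simply absent: the service-side AWSCURRENT default
// described in the API docs is never written into it (assumption of this model).
type RequestContext map[string][]string

// Evaluate applies IAM's documented rule for a missing key: ForAllValues is
// vacuously true, while ForAnyValue and plain StringEquals are false.
func (c Condition) Evaluate(ctx RequestContext) bool {
	actual, present := ctx[c.Key]
	if !present {
		return c.SetOp == "ForAllValues"
	}
	matched := 0
	for _, a := range actual {
		if c.Values[a] {
			matched++
		}
	}
	if c.SetOp == "ForAllValues" {
		return matched == len(actual)
	}
	return matched > 0
}

// BuildContext derives the request context from a GetSecretValue call: only an
// explicit VersionStage parameter populates the condition key.
func BuildContext(versionStage string) RequestContext {
	ctx := RequestContext{}
	if versionStage != "" {
		ctx["secretsmanager:VersionStage"] = []string{versionStage}
	}
	return ctx
}

func main() {
	policy := Condition{SetOp: "ForAnyValue", Key: "secretsmanager:VersionStage", Values: map[string]bool{"AWSCURRENT": true}}
	fmt.Println(policy.Evaluate(BuildContext("")), policy.Evaluate(BuildContext("AWSCURRENT"))) // false true
}
```

The ForAllValues case is included because it is the opposite trap: with a missing key it evaluates to true, so swapping the operator would allow requests that name no stage at all rather than deny them.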