Testing Rotating Secret through lambda Testing
Using this as a lambda function:
https://github.com/aws-samples/aws-secrets-manager-rotation-lambdas/blob/master/SecretsManagerRotationTemplate/lambda_function.py。
The parameters are:
{
"SecretId": "giving arn",
"ClientRequestToken":"giving random 32 digit number",
"Step":"testsecret"
}
It gives the error:
{
"errorMessage": "'SECRETS_MANAGER_ENDPOINT'",
"errorType": "KeyError",
"requestId": "##",
"stackTrace": [
" File \"/var/task/lambda_function.py\", line 17, in lambda_handler\n service_client = boto3.client('secretsmanager', endpoint_url=os.environ['SECRETS_MANAGER_ENDPOINT'])\n",
" File \"/var/lang/lib/python3.9/os.py\", line 679, in __getitem__\n raise KeyError(key) from None\n"
]
}
Function Logs
START RequestId: ####### Version: $LATEST
[ERROR] KeyError: 'SECRETS_MANAGER_ENDPOINT'
Traceback (most recent call last):
File "/var/task/lambda_function.py", line 17, in lambda_handler
service_client = boto3.client('secretsmanager', endpoint_url=os.environ['SECRETS_MANAGER_ENDPOINT'])
File "/var/lang/lib/python3.9/os.py", line 679, in __getitem__
raise KeyError(key) from None
END RequestId: ########
REPORT RequestId: #### Duration: 13.10 ms Billed Duration: 14 ms Memory Size: 128 MB Max Memory Used: 52 MB Init Duration: 251.10 ms
You should add the missing variable to the Lambda environment variables as a Key/Value pair referencing the Secrets Manager endpoint in your region, for example: SECRETS_MANAGER_ENDPOINT: https://secretsmanager.us-east-1.amazonaws.com
You also need to make the necessary changes to the Lambda policy as described in this article:
https://aws.amazon.com/blogs/security/how-to-rotate-your-twitter-api-key-and-bearer-token-automatically-with-aws-secrets-manager/
Otherwise you will get an error like this:
Function Logs
START RequestId: e1410eca-142f-4900-8af3-0bcf0435488a Version: $LATEST
[INFO] 2021-11-13T05:39:03.320Z e1410eca-142f-4900-8af3-0bcf0435488a Found credentials in environment variables.
[ERROR] ClientError: An error occurred (AccessDeniedException) when calling the DescribeSecret operation: User: arn:aws:sts::995149706792:assumed-role/rotate_secret_rcloneconfig-role-namt8fbc/rotate_secret_rcloneconfig is not authorized to perform: secretsmanager:DescribeSecret on resource: arn:aws:secretsmanager:us-east-1:995149706792:secret:rclonechina-5lPcTT because no identity-based policy allows the secretsmanager:DescribeSecret action
Traceback (most recent call last):
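The two failures shown above (a missing SECRETS_MANAGER_ENDPOINT variable, then an AccessDeniedException on DescribeSecret) both come from configuration around the rotation function rather than from its code. The following added example, which is not part of the question, the answer, or the AWS template, shows how to derive the regional endpoint from the secret's ARN, how to sanity-check a hand-written test event (the template only accepts the camelCase steps createSecret, setSecret, testSecret and finishSecret, and Secrets Manager requires a ClientRequestToken of 32 to 64 characters), and how to build a least-privilege execution-role policy scoped to that one secret. The account ID and secret name used below are constructed placeholders.

```python
"""Added example: configuration helpers for the Secrets Manager rotation template.

Not taken from the page or from the AWS sample repository. All ARNs, account
IDs and secret names here are constructed placeholders.
"""
import json
import re

# Step names accepted by the AWS rotation template (camelCase, case-sensitive).
ROTATION_STEPS = ("createSecret", "setSecret", "testSecret", "finishSecret")

# Secret ARN layout: arn:<partition>:secretsmanager:<region>:<account>:secret:<name-suffix>
_SECRET_ARN = re.compile(
    r"^arn:(?P<partition>aws[a-z-]*):secretsmanager:(?P<region>[a-z0-9-]+):"
    r"(?P<account>\d{12}):secret:(?P<name>.+)$"
)


def parse_secret_arn(arn: str) -> dict:
    """Split a Secrets Manager secret ARN into its components; raise on anything else."""
    match = _SECRET_ARN.match(arn)
    if not match:
        raise ValueError(f"not a Secrets Manager secret ARN: {arn!r}")
    return match.groupdict()


def endpoint_for_secret_arn(arn: str) -> str:
    """Regional endpoint for the secret's own region.

    The China partition (aws-cn) uses the amazonaws.com.cn DNS suffix; every
    other partition uses amazonaws.com.
    """
    parts = parse_secret_arn(arn)
    suffix = "amazonaws.com.cn" if parts["partition"] == "aws-cn" else "amazonaws.com"
    return f"https://secretsmanager.{parts['region']}.{suffix}"


def lambda_environment(secret_arn: str) -> dict:
    """Environment variables the rotation template reads (only SECRETS_MANAGER_ENDPOINT)."""
    return {"SECRETS_MANAGER_ENDPOINT": endpoint_for_secret_arn(secret_arn)}


def validate_test_event(event: dict) -> list:
    """Return a list of problems with a hand-written rotation test event (empty = OK)."""
    problems = []
    try:
        parse_secret_arn(event.get("SecretId", ""))
    except ValueError as exc:
        problems.append(str(exc))
    token = event.get("ClientRequestToken", "")
    if not 32 <= len(token) <= 64:
        problems.append("ClientRequestToken must be 32 to 64 characters long")
    if event.get("Step") not in ROTATION_STEPS:
        problems.append(f"Step must be one of {ROTATION_STEPS}, got {event.get('Step')!r}")
    return problems


def rotation_role_policy(secret_arn: str) -> dict:
    """Identity-based policy for the rotation function's execution role.

    The template calls DescribeSecret, GetSecretValue, PutSecretValue and
    UpdateSecretVersionStage on the secret being rotated; GetRandomPassword
    takes no resource. Scoping the first statement to one ARN keeps the role
    from reading or rewriting any other secret in the account.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "secretsmanager:DescribeSecret",
                    "secretsmanager:GetSecretValue",
                    "secretsmanager:PutSecretValue",
                    "secretsmanager:UpdateSecretVersionStage",
                ],
                "Resource": secret_arn,
            },
            {"Effect": "Allow", "Action": "secretsmanager:GetRandomPassword", "Resource": "*"},
        ],
    }


if __name__ == "__main__":
    # Constructed placeholder ARN (account ID and name suffix are not real).
    arn = "arn:aws:secretsmanager:us-east-1:123456789012:secret:example-AbCdEf"
    print(json.dumps(lambda_environment(arn), indent=2))
    print(json.dumps(rotation_role_policy(arn), indent=2))
    bad_event = {"SecretId": "giving arn", "ClientRequestToken": "12345", "Step": "testsecret"}
    for problem in validate_test_event(bad_event):
        print("test event problem:", problem)
```

Running it prints the environment map to paste into the function configuration, the policy document to attach to the execution role, and three problems with a test event shaped like the one in the question (SecretId is not an ARN, the token is too short, and the step name is lowercase).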