How can I restrict a secret to be accessed only by a certain lambda function?
I have the following use case: I store a secret in Secrets Manager and want only a lambda to be able to get the secret's value. The secret's resource-based policy looks like this:
{
  "Version" : "2012-10-17",
  "Statement" : [ {
    "Effect" : "Deny",
    "NotPrincipal" : {
      "AWS" : "arn:aws:iam::8999990:role/service-role/test-get-secret-role-68hr4lv6"
    },
    "Action" : [
      "secretsmanager:DescribeSecret",
      "secretsmanager:GetRandomPassword",
      "secretsmanager:GetResourcePolicy",
      "secretsmanager:GetSecretValue",
      "secretsmanager:ListSecrets",
      "secretsmanager:ListSecretVersionIds"
    ],
    "Resource" : "arn:aws:secretsmanager:eu-west-1:99999889:secret:test-test-LLCii9"
  } ]
}
But the lambda is still not allowed to access the secret, even though I have also added Secrets Manager permissions to the lambda's execution role. Is there another way?
Updated:
{
  "Version" : "2012-10-17",
  "Statement" : [ {
    "Effect" : "Deny",
    "NotPrincipal" : {
      "AWS" : [
        "arn:aws:iam::254386565891:role/service-role/test-get-secret-role-68hr4lv6",
        "arn:aws:sts::254386565891:assumed-role/test-get-secret-role-68hr4lv6/test-get-secret",
        "arn:aws:sts::254386565891:root"
      ]
    },
    "Action" : [
      "secretsmanager:CancelRotateSecret",
      "secretsmanager:DeleteSecret",
      "secretsmanager:GetRandomPassword",
      "secretsmanager:GetSecretValue",
      "secretsmanager:ListSecrets",
      "secretsmanager:ListSecretVersionIds",
      "secretsmanager:PutSecretValue",
      "secretsmanager:RemoveRegionsFromReplication",
      "secretsmanager:ReplicateSecretToRegions",
      "secretsmanager:RestoreSecret",
      "secretsmanager:RotateSecret",
      "secretsmanager:StopReplicationToReplica",
      "secretsmanager:TagResource",
      "secretsmanager:UntagResource",
      "secretsmanager:UpdateSecret",
      "secretsmanager:UpdateSecretVersionStage"
    ],
    "Resource" : "arn:aws:secretsmanager:eu-west-1:254386565891:secret:test1-LLCii9"
  }, {
    "Effect" : "Allow",
    "Principal" : {
      "AWS" : [ "arn:aws:iam::254386565891:role/service-role/test-get-secret-role-68hr4lv6" ]
    },
    "Action" : "secretsmanager:GetSecretValue",
    "Resource" : "arn:aws:secretsmanager:eu-west-1:254386565891:secret:test1-LLCii9"
  } ]
}
You need to add an explicit Allow statement to the secret's resource policy that lets the Lambda role access it. Right now you have excluded test-get-secret-role from the Deny statement, but you also have to specify what should happen when test-get-secret-role tries to access the resource (= Allow). You can read more about combining Deny and NotPrincipal here.
Update:
Another, simpler way to create a policy that grants GetSecretValue access to the secret to only one Lambda is the following:
{
  "Version" : "2012-10-17",
  "Statement" : [ {
    "Effect" : "Allow",
    "Principal" : {
      "AWS" : [ "/*lambda role Arn*/" ]
    },
    "Action" : "secretsmanager:GetSecretValue",
    "Resource" : "/*secret arn*/"
  }, {
    "Effect" : "Deny",
    "Principal" : "*",
    "Action" : "secretsmanager:GetSecretValue",
    "Resource" : "/*secret arn*/",
    "Condition" : { "ArnNotLike" : { "aws:PrincipalArn" : "/*lambda role arn*/" } }
  } ]
}
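As an added illustration (example code written for this page, not from the question, the answer, or AWS), the following Python models the part of IAM policy evaluation that decides this thread: an explicit Deny in the resource policy overrides an Allow in the Lambda's identity policy, NotPrincipal is matched against the literal caller ARN (so a Lambda's assumed-role session is denied unless the session ARN is listed next to the role ARN), and the aws:PrincipalArn condition key reports a session as its role's ARN, which is why the answer's ArnNotLike variant needs only the role ARN. It uses the ARNs from the thread plus a constructed second role `other-role`; the `ROLES` lookup table and every function name are hypothetical, and the evaluator covers only same-account access and the condition operators the answer uses.

```python
import fnmatch
import re

# Identifiers from the thread, plus a second role constructed for contrast.
ACCOUNT = "254386565891"
ROLE_NAME = "test-get-secret-role-68hr4lv6"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/service-role/{ROLE_NAME}"
SESSION_ARN = f"arn:aws:sts::{ACCOUNT}:assumed-role/{ROLE_NAME}/test-get-secret"
OTHER_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/other-role"                 # constructed
OTHER_SESSION_ARN = f"arn:aws:sts::{ACCOUNT}:assumed-role/other-role/s1"   # constructed
SECRET_ARN = f"arn:aws:secretsmanager:eu-west-1:{ACCOUNT}:secret:test1-LLCii9"
GET = "secretsmanager:GetSecretValue"

# A session ARN drops the role's path, so recovering aws:PrincipalArn needs a
# role-name -> role-ARN table (hypothetical stand-in for IAM's own lookup).
ROLES = {ROLE_NAME: ROLE_ARN, "other-role": OTHER_ROLE_ARN}
_SESSION = re.compile(r"^arn:aws:sts::\d+:assumed-role/([^/]+)/[^/]+$")


def principal_arn(caller):
    """aws:PrincipalArn: an assumed-role session is reported as its role's ARN."""
    m = _SESSION.match(caller)
    return ROLES[m.group(1)] if m else caller


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _listed(spec, caller, session_matches_role):
    """Does a Principal/NotPrincipal spec name this caller?"""
    if spec == "*":
        return True
    arns = _as_list(spec.get("AWS", []))
    return caller in arns or (session_matches_role and principal_arn(caller) in arns)


def _condition_holds(cond, caller):
    """Only ArnLike/ArnNotLike on aws:PrincipalArn are modelled (what the answer uses)."""
    for op, keys in cond.items():
        assert op in ("ArnLike", "ArnNotLike"), "model supports ArnLike/ArnNotLike only"
        for key, patterns in keys.items():
            assert key == "aws:PrincipalArn", "model supports aws:PrincipalArn only"
            hit = any(fnmatch.fnmatchcase(principal_arn(caller), p) for p in _as_list(patterns))
            if (op == "ArnLike") != hit:
                return False
    return True


def _applies(stmt, caller, action, resource):
    if action not in _as_list(stmt["Action"]) or resource not in _as_list(stmt["Resource"]):
        return False
    if "Principal" in stmt:
        # An Allow that names a role ARN covers that role's sessions.
        if not _listed(stmt["Principal"], caller, session_matches_role=True):
            return False
    elif _listed(stmt["NotPrincipal"], caller, session_matches_role=False):
        # NotPrincipal is matched against the literal caller ARN: to exempt a role from
        # a Deny you must list both the role ARN and its assumed-role session ARN.
        return False
    return _condition_holds(stmt.get("Condition", {}), caller)


def evaluate(resource_policy, caller, action, resource, identity_allows=False):
    """Same-account decision: an explicit Deny wins, then an Allow from either the
    resource policy or the caller's identity policy, otherwise implicit deny."""
    effects = {s["Effect"] for s in resource_policy["Statement"]
               if _applies(s, caller, action, resource)}
    if "Deny" in effects:
        return "DENY"
    return "ALLOW" if "Allow" in effects or identity_allows else "DENY"


def restrict_secret_policy(secret_arn, role_arn):
    """The answer's second policy: Allow the role, Deny everyone else by aws:PrincipalArn."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": [role_arn]},
         "Action": GET, "Resource": secret_arn},
        {"Effect": "Deny", "Principal": "*", "Action": GET, "Resource": secret_arn,
         "Condition": {"ArnNotLike": {"aws:PrincipalArn": role_arn}}}]}


# The question's first attempt: a Deny whose NotPrincipal names only the role ARN.
ROLE_ONLY_NOTPRINCIPAL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "NotPrincipal": {"AWS": ROLE_ARN}, "Action": [GET], "Resource": SECRET_ARN}]}

# The question's updated attempt: the session ARN is exempted too and an Allow is added.
NOTPRINCIPAL_PLUS_ALLOW = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "NotPrincipal": {"AWS": [ROLE_ARN, SESSION_ARN]},
     "Action": [GET], "Resource": SECRET_ARN},
    {"Effect": "Allow", "Principal": {"AWS": [ROLE_ARN]}, "Action": GET, "Resource": SECRET_ARN}]}


def outcomes():
    """(lambda session, other role) decision under each policy; both callers also hold an
    identity-policy Allow, which is exactly what the question says did not help."""
    cases = {"role-only NotPrincipal": ROLE_ONLY_NOTPRINCIPAL,
             "NotPrincipal + session + Allow": NOTPRINCIPAL_PLUS_ALLOW,
             "Allow + Deny ArnNotLike": restrict_secret_policy(SECRET_ARN, ROLE_ARN)}
    return {name: (evaluate(p, SESSION_ARN, GET, SECRET_ARN, identity_allows=True),
                   evaluate(p, OTHER_SESSION_ARN, GET, SECRET_ARN, identity_allows=True))
            for name, p in cases.items()}


if __name__ == "__main__":
    for name, (lam, other) in outcomes().items():
        print(f"{name:32s} lambda={lam:5s} other-role={other}")
```

Running it shows the first policy denying the Lambda's own session even though its execution role has an identity-policy Allow, and both later policies allowing that session while denying every other role, including one whose identity policy would otherwise grant GetSecretValue. Any other action on the secret (DescribeSecret, for instance) gets an implicit deny under the answer's policy, because no statement mentions it; grant those separately if the function needs them.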