When trying to add a Lambda for rotation with Secrets Manager, I see the following error -
aws_secretsmanager_secret_rotation.example: Still creating... [50s elapsed]
│ Error: error enabling Secrets Manager Secret "" rotation: AccessDeniedException: Secrets Manager cannot invoke the specified Lambda function. Ensure that the function policy grants access to the principal secretsmanager.amazonaws.com.
│ status code: 400, request id: 21505edf-635a-4a37-ac38-a9b3faf6a0e0
│
│ with aws_secretsmanager_secret_rotation.example,
│ on secret-manager.tf line 26, in resource "aws_secretsmanager_secret_rotation" "example":
│ 26: resource "aws_secretsmanager_secret_rotation" "example" {
My Lambda role/policy is defined as follows -
resource "aws_iam_role" "lambda" {
  name                 = "${local.resource_short_prefix}-role"
  permissions_boundary = "arn:aws:iam::XXXXXXXXX:policy/permission-boundary"

  # Trust policy: only the Lambda service may assume this role.
  assume_role_policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Action" : "sts:AssumeRole",
        "Principal" : {
          "Service" : ["lambda.amazonaws.com"]
        },
        "Effect" : "Allow",
        "Sid" : ""
      }
    ]
  })

  # Execution permissions for the rotation function.
  # (inline_policy is deprecated in recent AWS provider releases;
  # aws_iam_role_policy is the replacement.)
  inline_policy {
    name = "${local.resource_short_prefix}-policy"
    policy = jsonencode({
      "Version" : "2012-10-17",
      "Statement" : [
        {
          # Read and write secret values during rotation.
          "Action" : [
            "secretsmanager:PutSecretValue",
            "secretsmanager:GetSecretValue",
            "secretsmanager:Describe*",
            "secretsmanager:Get*",
            "secretsmanager:List*"
          ],
          "Resource" : "arn:aws:secretsmanager:*:*:secret:*",
          "Effect" : "Allow"
        },
        {
          # Generate the new password for the rotated credential.
          "Action" : "secretsmanager:GetRandomPassword",
          "Resource" : "*",
          "Effect" : "Allow"
        },
        {
          # CloudWatch Logs for the function's execution log.
          "Action" : [
            "logs:CreateLogStream",
            "logs:PutLogEvents"
          ],
          "Resource" : "arn:aws:logs:*:*:log-group:*:*",
          "Effect" : "Allow"
        },
        {
          "Action" : "sqs:SendMessage",
          "Resource" : "arn:aws:sqs:*:*:*",
          "Effect" : "Allow"
        }
      ]
    })
  }
}
I don't know what else I'm missing.
I also added the Lambda permission -
# Resource policy on the function: lets Secrets Manager invoke it,
# but only on behalf of this one secret in this account.
resource "aws_lambda_permission" "allow_secretmanager" {
  statement_id   = "AllowExecutionFromSecretManager"
  action         = "lambda:InvokeFunction"
  function_name  = aws_lambda_function.lambda.function_name
  principal      = "secretsmanager.amazonaws.com"
  source_arn     = aws_secretsmanager_secret.db_creds.arn
  source_account = data.aws_caller_identity.current.account_id
}
I had a similar problem. The issue is that you need to grant the external source permission to access the Lambda function. Here is an example that allows any secret (configurable to restrict this) to access your Lambda function.
# No source_arn / source_account: any secret in any account may trigger the function.
resource "aws_lambda_permission" "example_lambda_permission" {
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.your_function.function_name
  principal     = "secretsmanager.amazonaws.com"
}
You can check the Terraform documentation for a better understanding and configuration: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission
I had the same error you mentioned, and the problem was that I was not using the aws_lambda_alias arn.
If your aws_lambda_permission qualifier is set to the aws_lambda_alias, then rotation_lambda_arn needs to use the alias arn, not the aws_lambda_function arn.
Example:
resource "aws_secretsmanager_secret_rotation" "example" {
  secret_id           = <secret_id>
  # Alias ARN, matching the qualifier the permission was granted on.
  rotation_lambda_arn = aws_lambda_alias.<your alias>.arn
}
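Putting the two answers together, as an added example that is not code from the question or from either answer: a complete rotation setup in which the Lambda's resource policy is scoped to one secret and one account (rather than any secret, as in the first answer's example), is attached to a published alias via qualifier, and rotation_lambda_arn points at that same alias. The resource names (rotation, live, db_creds), the secret name, the handler, the runtime and the local zip path are assumptions; aws_iam_role.lambda is taken to be the role from the question.

```hcl
data "aws_caller_identity" "current" {}

# The rotation function. publish = true creates a numbered version so an
# alias can point at it. Role, handler, runtime and zip path are assumed.
resource "aws_lambda_function" "rotation" {
  function_name = "db-creds-rotation"
  role          = aws_iam_role.lambda.arn
  handler       = "lambda_function.lambda_handler"
  runtime       = "python3.12"
  filename      = "rotation.zip"
  publish       = true
}

# Stable alias that Secrets Manager will invoke. Code updates move the
# alias to a new version; the rotation configuration never changes.
resource "aws_lambda_alias" "live" {
  name             = "live"
  function_name    = aws_lambda_function.rotation.function_name
  function_version = aws_lambda_function.rotation.version
}

resource "aws_secretsmanager_secret" "db_creds" {
  name = "prod/db/creds" # assumed secret name
}

# Resource policy on the ALIAS (qualifier), not on the bare function.
#
# Weak form (the first answer's example): principal only, no source_arn and
# no source_account, so a rotation configured on any secret in any account
# can invoke this function (a confused-deputy exposure).
#
# Hardened form below: only this secret, only this account.
resource "aws_lambda_permission" "allow_secretsmanager" {
  statement_id   = "AllowExecutionFromSecretsManager"
  action         = "lambda:InvokeFunction"
  function_name  = aws_lambda_function.rotation.function_name
  qualifier      = aws_lambda_alias.live.name
  principal      = "secretsmanager.amazonaws.com"
  source_arn     = aws_secretsmanager_secret.db_creds.arn
  source_account = data.aws_caller_identity.current.account_id
}

resource "aws_secretsmanager_secret_rotation" "db_creds" {
  secret_id = aws_secretsmanager_secret.db_creds.id

  # Must be the same qualified ARN the permission was granted on.
  # Pointing this at aws_lambda_function.rotation.arn while the permission
  # carries qualifier = "live" reproduces the AccessDeniedException above.
  rotation_lambda_arn = aws_lambda_alias.live.arn

  rotation_rules {
    automatically_after_days = 30
  }

  # Secrets Manager test-invokes the function when rotation is enabled, so
  # the permission has to exist first. Terraform cannot infer this edge from
  # the attribute references alone, hence the explicit dependency.
  depends_on = [aws_lambda_permission.allow_secretsmanager]
}
```

Two things to check after apply: `aws lambda get-policy --function-name db-creds-rotation --qualifier live` should show a single statement for secretsmanager.amazonaws.com carrying both an aws:SourceArn and an aws:SourceAccount condition, and the ARN it is attached to should end in `:live`, matching what `aws secretsmanager describe-secret` reports as RotationLambdaARN. The execution role in the question is a separate concern: it allows PutSecretValue on every secret in every account, whereas AWS's rotation template scopes that statement to the secret being rotated and adds a `secretsmanager:resource/AllowRotationLambdaArn` condition equal to the function ARN, so that the role can only write to secrets that have designated this function as their rotator.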