无法在 Terraform 中使用 AWS SecretManager 添加 Lambda 函数

问题描述 投票:0回答:2

尝试使用 Secret Manager 添加 Lambda 进行轮换时,我看到以下错误 -

  • 创建秘密经理
  • 添加秘密版本
  • 创建了 Lambda
  • 为 Lambda 创建角色和内联策略
  • 尝试添加秘密轮换机制
    aws_secretsmanager_secret_rotation.example: Still creating... [50s elapsed]
    │ Error: error enabling Secrets Manager Secret "" rotation: AccessDeniedException: Secrets Manager cannot invoke the specified Lambda function. Ensure that the function policy grants access to the principal secretsmanager.amazonaws.com.
    │       status code: 400, request id: 21505edf-635a-4a37-ac38-a9b3faf6a0e0
    │
    │   with aws_secretsmanager_secret_rotation.example,
    │   on secret-manager.tf line 26, in resource "aws_secretsmanager_secret_rotation" "example":
    │   26: resource "aws_secretsmanager_secret_rotation" "example" {

我的 Lambda 角色/策略定义如下 -

resource "aws_iam_role" "lambda" {
  name = "${local.resource_short_prefix}-role"
  permissions_boundary = "arn:aws:iam::XXXXXXXXX:policy/permission-boundary"


  assume_role_policy = jsonencode( {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": [
          "lambda.amazonaws.com"          ]
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
)

inline_policy {
    name = "${local.resource_short_prefix}-policy"
    
    policy = jsonencode( 
    {
    "Version": "2012-10-17",
    "Statement": [
          {
            "Action": [
              "secretsmanager:PutSecretValue",
              "secretsmanager:GetSecretValue",
              "secretsmanager:Describe*",
              "secretsmanager:Get*",
              "secretsmanager:List*" 
            ],
            "Resource": "arn:aws:secretsmanager:*:*:secret:*",
            "Effect": "Allow"
          },
          {
            "Action": "secretsmanager:GetRandomPassword",
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "logs:CreateLogStream",
              "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:*:*:log-group:*:*",
            "Effect": "Allow"
          },
          {
            "Action": "sqs:SendMessage",
            "Resource": "arn:aws:sqs:*:*:*",
            "Effect": "Allow"
          }
        ]
      }
    )
  }


}

我不知道我还缺少什么?

还添加了 Lambda 权限 -

resource "aws_lambda_permission" "allow_secretmanager" {
  statement_id  = "AllowExecutionFromSecretManager"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.lambda.function_name
  principal     = "secretsmanager.amazonaws.com"
  source_arn    = aws_secretsmanager_secret.db_creds.arn
  source_account = "${data.aws_caller_identity.current.account_id}"
 
}
aws-lambda amazon-iam terraform-provider-aws aws-secrets-manager
2个回答
0
投票

我也有类似的问题。问题是您需要授予外部源访问 Lambda 函数的权限。这是一个允许任何密钥(可配置以限制此密钥)访问您的 Lambda 函数的示例。

resource "aws_lambda_permission" "example_lambda_permission" {
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.your_function.function_name
  principal     = "secretsmanager.amazonaws.com"
}

您可以查看 Terraform 文档以更好地理解和配置:https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission

0
投票

我有你提到的同样的错误,问题是因为我没有使用

aws_lambda_alias
arn。

如果您的 

aws_lambda_permission
qualifier
设置为 
aws_lambda_alias
,那么您需要使用别名 arn,而不是 
aws_lambda_function
rotation_lambda_arn
arn。

示例:

resource "aws_secretsmanager_secret_rotation" "example" {
  secret_id           = <secret_id>
  rotation_lambda_arn = aws_lambda_alias.<your alias>.arn
}
最新问题
© www.soinside.com 2019 - 2024. All rights reserved.