I'm reading the CDK docs about the SecretsManager and I'm not sure if I've misunderstood, but what I thought would work from their example doesn't seem to grant the permission I expected. Essentially I have a stack that contains some Lambdas, and I'd like all of them to be able to read two secrets from the SecretsManager.
// CDK v1 module layout, matching the cdk.Construct / cdk.StackProps JSDoc below
const cdk = require("@aws-cdk/core");
const iam = require("@aws-cdk/aws-iam");
const secretsmanager = require("@aws-cdk/aws-secretsmanager");
// APIServices is a construct defined elsewhere in the asker's project

class CdkStack extends cdk.Stack {
  /**
   *
   * @param {cdk.Construct} scope
   * @param {string} id
   * @param {cdk.StackProps=} props
   */
  constructor(scope, id, props) {
    super(scope, id, props);
    // eslint-disable-next-line no-new
    new APIServices(this, "APIServices");
    // Standalone role that principals in this account may assume
    const role = new iam.Role(this, "SecretsManagerRead", {
      assumedBy: new iam.AccountRootPrincipal(),
    });
    const dbReadSecret = new secretsmanager.Secret(this, "databaseReader");
    const dbWriteSecret = new secretsmanager.Secret(this, "databaseWriter");
    // Attach read permission on each secret to that role
    dbReadSecret.grantRead(role);
    dbWriteSecret.grantRead(role);
  }
}
If I understood it correctly I should simply create this role and give it permissions to access secrets? My Lambdas still failed, however, when I tried to run them. Do I need to do anything else not mentioned in the docs I was reading, like assigning that role to the Lambdas explicitly too?
asked Jun 7, 2020 at 13:01 by Ian
Comments:
- Did you add this after the Lambda was deployed? If so it may have already assumed and would need to have assumed the role again. Also this code is creating the role but not associating it with a Lambda :( – Chris Williams, Jun 7, 2020 at 13:04
- Did you add this role to the Lambda function as its execution role? – Dennis Traub, Jun 7, 2020 at 13:05
- I did add this after the Lambda was already deployed. @DennisTraub how would you go about associating the additional role with the Lambda? – Ian, Jun 7, 2020 at 13:40
- A Lambda function can only assume one execution role. You would either have to add a policy with the above permissions to the existing role or replace the role attached to the existing Lambda function with your new one. – Dennis Traub, Jun 7, 2020 at 13:44
- @DennisTraub thanks! Do you have any links to examples? Or if you pop an answer in with an example and it works then I can accept :) – Ian, Jun 7, 2020 at 13:46
1 Answer (score 9)
Depending on your actual context, there are two possible variants.
1. Import existing role
If the Lambda function has been predefined (e.g. in a different stack), you can add the additional permissions to the existing Lambda execution role by importing it into this CDK stack first.
const cdk = require("@aws-cdk/core");
const iam = require("@aws-cdk/aws-iam");
const secretsmanager = require("@aws-cdk/aws-secretsmanager");

class CdkStack extends cdk.Stack {
  constructor(scope, id, props) {
    // ...
    // Import the existing execution role into the stack. mutable: true (the
    // default) lets CDK attach new policy statements to it, which grantRead needs
    const roleArn = 'arn:aws:iam::123456789012:role/MyExistingLambdaExecutionRole'
    const role = iam.Role.fromRoleArn(this, 'Role', roleArn, {
      mutable: true,
    });
    const dbReadSecret = new secretsmanager.Secret(this, "databaseReader");
    const dbWriteSecret = new secretsmanager.Secret(this, "databaseWriter");
    // Grants secretsmanager:GetSecretValue and DescribeSecret on each secret's
    // ARN to the imported execution role
    dbReadSecret.grantRead(role);
    dbWriteSecret.grantRead(role);
  }
}
For more information regarding the usage of the aws-iam CDK module, here's the link to the documentation. Here, you can learn more about the Lambda Execution Role itself.
2. Lambda function defined as part of stack
If the Lambda function has been defined somewhere in this stack, you can simply attach the permissions to the Lambda function through its reference using dbReadSecret.grantRead(lambda.role) and dbWriteSecret.grantRead(lambda.role) respectively.
const cdk = require("@aws-cdk/core");
const secretsmanager = require("@aws-cdk/aws-secretsmanager");

class CdkStack extends cdk.Stack {
  constructor(scope, id, props) {
    // ...
    // Create the function or retrieve the reference if
    // it has been defined somewhere else in the stack
    const lambda = ...
    const dbReadSecret = new secretsmanager.Secret(this, "databaseReader");
    const dbWriteSecret = new secretsmanager.Secret(this, "databaseWriter");
    // lambda.role is the function's execution role; the read grants land on
    // that role's policy, so the running function actually gets them
    dbReadSecret.grantRead(lambda.role);
    dbWriteSecret.grantRead(lambda.role);
  }
}
Please have a look at the answer to this question for reference.
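The IAM reasoning behind the comments and the answer, as an added example that is not code from the original question or answer. It is a small offline model, not the AWS policy engine and not CDK: it assumes plain Effect: Allow identity policies with no conditions, explicit denies, resource policies or SCPs, models a trust policy as a list of principal strings, and assumes that Secret.grantRead adds secretsmanager:GetSecretValue and secretsmanager:DescribeSecret scoped to the secret's ARN. The account id and secret ARNs are constructed sample data. It shows why a grant on a standalone role assumable by the account root does nothing for a function, why the same grant on the function's own execution role works, and that the grant stays scoped to the two secrets.

```javascript
// Added example (not from the question or answer): offline model of the IAM
// decision for a Lambda reading a secret. Assumptions are stated in comments.

// Statement assumed to match what Secret.grantRead(grantee) adds to the
// grantee's identity policy for a Secret created in the same stack.
function secretReadStatement(secretArn) {
  return {
    Effect: "Allow",
    Action: ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
    Resource: [secretArn],
  };
}

// Equivalent of AWSLambdaBasicExecutionRole, which an auto-generated
// execution role carries; it says nothing about Secrets Manager.
function basicExecutionStatement() {
  return {
    Effect: "Allow",
    Action: ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
    Resource: ["*"],
  };
}

function escapeRegex(s) {
  return s.replace(/[.+^${}()|[\]\\]/g, "\\$&");
}

// IAM-style wildcard match for Action and Resource strings:
// '*' matches any run of characters, '?' exactly one character.
function iamMatch(pattern, value) {
  const body = pattern
    .split("*")
    .map((piece) => piece.split("?").map(escapeRegex).join("."))
    .join(".*");
  return new RegExp("^" + body + "$").test(value);
}

// Identity-policy evaluation with the default deny: true only if some Allow
// statement matches both the action and the resource.
function roleAllows(role, action, resource) {
  return role.policies.some(
    (stmt) =>
      stmt.Effect === "Allow" &&
      stmt.Action.some((a) => iamMatch(a, action)) &&
      stmt.Resource.some((r) => iamMatch(r, resource))
  );
}

// A function can only run as a role whose trust policy names the Lambda service.
function lambdaCanAssume(role) {
  return role.trust.includes("lambda.amazonaws.com");
}

// The check that matters: the call to Secrets Manager is authorised against
// the function's own execution role, not any other role in the stack.
function functionCanReadSecret(fn, secretArn) {
  const role = fn.executionRole;
  return lambdaCanAssume(role) && roleAllows(role, "secretsmanager:GetSecretValue", secretArn);
}

// Constructed sample ARNs (fictional account and suffixes).
const READ_SECRET = "arn:aws:secretsmanager:us-east-1:123456789012:secret:databaseReader-AbCdEf";
const WRITE_SECRET = "arn:aws:secretsmanager:us-east-1:123456789012:secret:databaseWriter-GhIjKl";
const OTHER_SECRET = "arn:aws:secretsmanager:us-east-1:123456789012:secret:paymentsApiKey-MnOpQr";

// The question's stack: a separate role trusted by the account root carries
// both grants but is attached to no function; the function keeps its
// auto-generated execution role with no grant.
function questionSetup() {
  const secretsRole = {
    trust: ["arn:aws:iam::123456789012:root"],
    policies: [secretReadStatement(READ_SECRET), secretReadStatement(WRITE_SECRET)],
  };
  const executionRole = { trust: ["lambda.amazonaws.com"], policies: [basicExecutionStatement()] };
  return { fn: { executionRole }, secretsRole };
}

// The answer's second variant: secret.grantRead(lambda.role) puts the same
// statements on the execution role itself.
function answerSetup() {
  const executionRole = {
    trust: ["lambda.amazonaws.com"],
    policies: [basicExecutionStatement(), secretReadStatement(READ_SECRET), secretReadStatement(WRITE_SECRET)],
  };
  return { fn: { executionRole } };
}

function summary() {
  const q = questionSetup();
  const a = answerSetup();
  return {
    questionStandaloneRoleAllows: roleAllows(q.secretsRole, "secretsmanager:GetSecretValue", READ_SECRET),
    questionFunctionCanRead: functionCanReadSecret(q.fn, READ_SECRET),
    answerFunctionCanReadBoth: functionCanReadSecret(a.fn, READ_SECRET) && functionCanReadSecret(a.fn, WRITE_SECRET),
    answerFunctionCanReadOther: functionCanReadSecret(a.fn, OTHER_SECRET),
  };
}

console.log(JSON.stringify(summary(), null, 2));
```

Run with node; the summary shows the standalone role does allow the read, yet the function cannot read anything in the question's setup, while in the answer's setup it can read both database secrets and still not the unrelated one, because grantRead scopes the statement to each secret's ARN. In real CDK the function itself is also an IGrantable, so `dbReadSecret.grantRead(lambda)` is equivalent to granting to `lambda.role`; either way the least-privilege property to keep is that only the secrets a function needs are named in its execution role's policy.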
Tags: javascript
Title: javascript - How do I add Secrets Manager IAM permission? - Stack Overflow
Source: http://www.betaflare.com/web/1743844904a2548939.html