I am writing a custom lambda function to implement a generic rotating keys algorithm for use in SecretsManager.
The Python lambda function works perfectly when running locally in my PyCharm IDE; however, when I paste it into the lambda console and deploy it, I get an AccessDeniedException when executing "Rotate Secret Immediately" in SecretsManager. The offending code is:
resp = service_client.list_secret_version_ids(SecretId=arn, IncludeDeprecated=True)
The logged in user is in a group with the AdministratorAccess policy attached. I also added the SecretsManagerReadWrite policy for kicks.
I print an error message which includes the arn of the secret and it is correct. This code is called from the finishSecret method after the "normal" code is complete, so the secret does rotate fine. However, I added custom code to ensure I keep versions for 2 years (by assigning Version stages so SM won't delete them). For this, I need the list-secret-version-ids method.
Is there some kind of restriction on this function when called from SecretsManager?
Any ideas?
I resolved this issue. Apparently the default IAM role assigned to the lambda function when I created it did not include permissions to run the ListSecretVersionIds method. I followed the section titled "Creating a Lambda rotation function using an AWS Serverless Application Repository template" in the AWS SecretsManager User Guide (starting on page 84).
So, to add the permission do:
Or if you're squeamish about editing JSON, you can use the interactive approach on the Visual Editor tab instead.
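The answer above comes down to a least-privilege gap: the rotation function's execution role allowed the Secrets Manager calls the template's rotation flow makes, but not secretsmanager:ListSecretVersionIds, which the custom finishSecret code needs. The following is an added example (not code from the question, the answer, or AWS) that checks an execution-role policy document for a required action and produces the corrected policy with one narrowly scoped extra statement. The policy document, the secret ARN, and the helper names are constructed for illustration; the "before" policy is an assumption standing in for the template's default role policy, not a copy of it.

```python
"""Check a Lambda execution-role policy for the action a rotation function needs,
and build the least-privilege fix.  Added example; policy contents are constructed."""
import copy
from fnmatch import fnmatch
from typing import Any, Dict, List

REQUIRED_ACTION = "secretsmanager:ListSecretVersionIds"
# Constructed placeholder ARN; substitute the real secret ARN.
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:example-AbCdEf"

# Assumed stand-in for the role policy the rotation template creates: it allows the
# calls the standard rotation steps make, but nothing else on the secret.
ROLE_POLICY_BEFORE: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:DescribeSecret",
                "secretsmanager:GetSecretValue",
                "secretsmanager:PutSecretValue",
                "secretsmanager:UpdateSecretVersionStage",
            ],
            "Resource": SECRET_ARN,
        }
    ],
}


def _as_list(value: Any) -> List[str]:
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str) -> bool:
    """IAM wildcards (* and ?) with case-insensitive action names."""
    return fnmatch(value.lower(), pattern.lower())


def _statement_covers(stmt: Dict[str, Any], action: str, resource: str) -> bool:
    """True if this statement's Action and Resource patterns both match."""
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return any(_matches(a, action) for a in actions) and any(
        _matches(r, resource) for r in resources
    )


def is_allowed(policy: Dict[str, Any], action: str, resource: str) -> bool:
    """Explicit Deny wins over Allow; otherwise any matching Allow grants the call."""
    stmts = _as_list(policy.get("Statement", []))
    if any(s.get("Effect") == "Deny" and _statement_covers(s, action, resource) for s in stmts):
        return False
    return any(s.get("Effect") == "Allow" and _statement_covers(s, action, resource) for s in stmts)


def missing_actions(policy: Dict[str, Any], resource: str, required: List[str]) -> List[str]:
    """Return the required actions the policy does not grant on the resource."""
    return [a for a in required if not is_allowed(policy, a, resource)]


def with_action_added(policy: Dict[str, Any], action: str, resource: str) -> Dict[str, Any]:
    """Return a copy of the policy with one extra Allow statement scoped to the secret,
    rather than widening an existing statement or adding a broad managed policy."""
    fixed = copy.deepcopy(policy)
    fixed["Statement"] = _as_list(fixed.get("Statement", [])) + [
        {"Effect": "Allow", "Action": action, "Resource": resource}
    ]
    return fixed


ROLE_POLICY_AFTER = with_action_added(ROLE_POLICY_BEFORE, REQUIRED_ACTION, SECRET_ARN)

if __name__ == "__main__":
    print("missing before:", missing_actions(ROLE_POLICY_BEFORE, SECRET_ARN, [REQUIRED_ACTION]))
    print("missing after: ", missing_actions(ROLE_POLICY_AFTER, SECRET_ARN, [REQUIRED_ACTION]))
```

The check mirrors how the AccessDeniedException arises: the caller is the Lambda's execution role, not the console user with AdministratorAccess, so the user's own permissions are irrelevant to the call inside finishSecret. The fix keeps the added permission scoped to the one secret ARN instead of attaching a broad managed policy to the role.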