eolas/zk/Accessing_secrets_from_a_Lambda.md

---
tags: [AWS, aws-lambda]
---

# Accessing secrets from a Lambda

If a Lambda connects to a database or calls an API, it is going need access to
authentication tokens/passwords.

You obviously should not store these in your code. Instead you should store them
in AWS Secrets Manager and access them via the `aws-sdk` in your Lambda
function.

In order for your function to be able to access the secrets however, it will
need to be given permission. While the Lambda is not itself a "user" it does
have an identity in the form of its IAM role. This is disclosed by its ARN.

To allow the Lambda to access the secret you should add a resource permission on
the secret that designates the Lambda.

> When you create a Lambda function, you specify an IAM role that AWS Lambda can
> assume to execute the function on your behalf. This role is referred to as the
> execution role. The execution role grants the function the necessary
> permissions to call other AWS services, access resources, and perform other
> operations.

Here is an example of a resource permission giving access to a Lambda:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::885135949562:role/pocket-api-lambda-QueryPocketFunctionRole-GY5ZN3RW31KE"
      },
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:eu-west-2:885135949562:secret:pocket-api-credentials-wEvQMI"
    }
  ]
}
```

See
[Fetch from Secrets Manager](Fetch_from_Secrets_Manager.md)
for a code example of retrieving a value from Secrets Manager.
chore: add python todos 2023-08-31 20:40:30 +01:00			`---`
			`tags: [AWS, aws-lambda]`
			`---`

			`# Accessing secrets from a Lambda`

reformat all files to 80 char line length 2024-02-02 15:58:13 +00:00			`If a Lambda connects to a database or calls an API, it is going need access to`
			`authentication tokens/passwords.`
chore: add python todos 2023-08-31 20:40:30 +01:00
reformat all files to 80 char line length 2024-02-02 15:58:13 +00:00			`You obviously should not store these in your code. Instead you should store them`
			in AWS Secrets Manager and access them via the `aws-sdk` in your Lambda
			`function.`
chore: add python todos 2023-08-31 20:40:30 +01:00
reformat all files to 80 char line length 2024-02-02 15:58:13 +00:00			`In order for your function to be able to access the secrets however, it will`
			`need to be given permission. While the Lambda is not itself a "user" it does`
			`have an identity in the form of its IAM role. This is disclosed by its ARN.`
chore: add python todos 2023-08-31 20:40:30 +01:00
reformat all files to 80 char line length 2024-02-02 15:58:13 +00:00			`To allow the Lambda to access the secret you should add a resource permission on`
			`the secret that designates the Lambda.`
chore: add python todos 2023-08-31 20:40:30 +01:00
reformat all files to 80 char line length 2024-02-02 15:58:13 +00:00			`> When you create a Lambda function, you specify an IAM role that AWS Lambda can`
			`> assume to execute the function on your behalf. This role is referred to as the`
			`> execution role. The execution role grants the function the necessary`
			`> permissions to call other AWS services, access resources, and perform other`
			`> operations.`
chore: add python todos 2023-08-31 20:40:30 +01:00
			`Here is an example of a resource permission giving access to a Lambda:`

			```json
			`{`
			`"Version": "2012-10-17",`
			`"Statement": [`
			`{`
			`"Effect": "Allow",`
			`"Principal": {`
			`"AWS": "arn:aws:iam::885135949562:role/pocket-api-lambda-QueryPocketFunctionRole-GY5ZN3RW31KE"`
			`},`
			`"Action": "secretsmanager:GetSecretValue",`
			`"Resource": "arn:aws:secretsmanager:eu-west-2:885135949562:secret:pocket-api-credentials-wEvQMI"`
			`}`
			`]`
			`}`
			```

reformat all files to 80 char line length 2024-02-02 15:58:13 +00:00			`See`
chore: restructure link paths 2024-02-17 11:57:44 +00:00			`[Fetch from Secrets Manager](Fetch_from_Secrets_Manager.md)`
reformat all files to 80 char line length 2024-02-02 15:58:13 +00:00			`for a code example of retrieving a value from Secrets Manager.`