From 4d2c2645f5db49a19b696d3d6acbb3ab9316e1b4 Mon Sep 17 00:00:00 2001
From: thomasabishop
Date: Sat, 15 Jul 2023 10:51:04 +0100
Subject: [PATCH] aws: notes on lambda permissions secrets
---
 .../Accessing_secrets_from_a_lambda.md | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 DevOps/AWS/AWS_Lambda/Accessing_secrets_from_a_lambda.md
diff --git a/DevOps/AWS/AWS_Lambda/Accessing_secrets_from_a_lambda.md b/DevOps/AWS/AWS_Lambda/Accessing_secrets_from_a_lambda.md
new file mode 100644
index 0000000..beb7adf
--- /dev/null
+++ b/DevOps/AWS/AWS_Lambda/Accessing_secrets_from_a_lambda.md
@@ -0,0 +1,36 @@
+---
+categories:
+ - DevOps
+ - Backend
+tags: [AWS, aws-lambda]
+---
+
+# Accessing secrets from a Lambda
+
+If a Lambda connects to a database or calls an API, it is going need access to authentication tokens/passwords.
+
+You obviously should not store these in your code. Instead you should store them in AWS Secrets Manager and access them via the `aws-sdk` in your Lambda function.
+
+In order for your function to be able to access the secrets however, it will need to be given permission. While the Lambda is not itself a "user" it does have an identity in the form of its IAM role. This is disclosed by its ARN.
+
+To allow the Lambda to access the secret you should add a resource permission on the secret that designates the Lambda.
+
+> When you create a Lambda function, you specify an IAM role that AWS Lambda can assume to execute the function on your behalf. This role is referred to as the execution role. The execution role grants the function the necessary permissions to call other AWS services, access resources, and perform other operations.
+
+Here is an example of a resource permission giving access to a Lambda:
+
+```json
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam::885135949562:role/pocket-api-lambda-QueryPocketFunctionRole-GY5ZN3RW31KE"
+ },
+ "Action": "secretsmanager:GetSecretValue",
+ "Resource": "arn:aws:secretsmanager:eu-west-2:885135949562:secret:pocket-api-credentials-wEvQMI"
+ }
+ ]
+}
+```