aws-lambda - Unable to add a Lambda function with AWS Secrets Manager in Terraform
Problem description
When trying to add a Lambda for rotation using Secrets Manager, I see the following error -
- Created the Secrets Manager secret
- Added the secret version
- Created the Lambda
- Created the role and inline policy for the Lambda
- Tried to add the secret rotation mechanism
aws_secretsmanager_secret_rotation.example: Still creating... [50s elapsed]
│ Error: error enabling Secrets Manager Secret "" rotation: AccessDeniedException: Secrets Manager cannot invoke the specified Lambda function. Ensure that the function policy grants access to the principal secretsmanager.amazonaws.com.
│ status code: 400, request id: 21505edf-635a-4a37-ac38-a9b3faf6a0e0
│
│ with aws_secretsmanager_secret_rotation.example,
│ on secret-manager.tf line 26, in resource "aws_secretsmanager_secret_rotation" "example":
│ 26: resource "aws_secretsmanager_secret_rotation" "example" {
My Lambda role/policy is defined as follows -
resource "aws_iam_role" "lambda" {
  name                 = "${local.resource_short_prefix}-role"
  permissions_boundary = "arn:aws:iam::XXXXXXXXX:policy/permission-boundary"
  assume_role_policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Action" : "sts:AssumeRole",
        "Principal" : {
          "Service" : ["lambda.amazonaws.com"]
        },
        "Effect" : "Allow",
        "Sid" : ""
      }
    ]
  })
  inline_policy {
    name = "${local.resource_short_prefix}-policy"
    policy = jsonencode({
      "Version" : "2012-10-17",
      "Statement" : [
        {
          "Action" : [
            "secretsmanager:PutSecretValue",
            "secretsmanager:GetSecretValue",
            "secretsmanager:Describe*",
            "secretsmanager:Get*",
            "secretsmanager:List*"
          ],
          "Resource" : "arn:aws:secretsmanager:*:*:secret:*",
          "Effect" : "Allow"
        },
        {
          "Action" : "secretsmanager:GetRandomPassword",
          "Resource" : "*",
          "Effect" : "Allow"
        },
        {
          "Action" : [
            "logs:CreateLogStream",
            "logs:PutLogEvents"
          ],
          "Resource" : "arn:aws:logs:*:*:log-group:*:*",
          "Effect" : "Allow"
        },
        {
          "Action" : "sqs:SendMessage",
          "Resource" : "arn:aws:sqs:*:*:*",
          "Effect" : "Allow"
        }
      ]
    })
  }
}
I don't know what else I'm missing here?
I also added the Lambda permission -
resource "aws_lambda_permission" "allow_secretmanager" {
  statement_id   = "AllowExecutionFromSecretManager"
  action         = "lambda:InvokeFunction"
  function_name  = aws_lambda_function.lambda.function_name
  principal      = "secretsmanager.amazonaws.com"
  source_arn     = aws_secretsmanager_secret.db_creds.arn
  source_account = data.aws_caller_identity.current.account_id
}
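The rotation resource in the question is not shown. One thing worth checking there: enabling rotation makes Secrets Manager invoke the function right away, and Terraform sees no reference from `aws_secretsmanager_secret_rotation` to `aws_lambda_permission`, so the two resources can be created concurrently and the first invocation is rejected before the function policy exists. The following is an added example, not the asker's configuration; it reuses the resource names from the question (`aws_lambda_function.lambda`, `aws_secretsmanager_secret.db_creds`, `aws_lambda_permission.allow_secretmanager`) and assumes a 30-day rotation schedule.

```hcl
# Added example: rotation wiring with an explicit ordering dependency on the
# Lambda resource policy. Resource names are taken from the question above;
# the 30-day schedule is an assumption.
resource "aws_secretsmanager_secret_rotation" "example" {
  secret_id           = aws_secretsmanager_secret.db_creds.id
  rotation_lambda_arn = aws_lambda_function.lambda.arn

  rotation_rules {
    automatically_after_days = 30
  }

  # Without this, Terraform may enable rotation before the
  # aws_lambda_permission statement is attached, and Secrets Manager's
  # initial invocation fails with AccessDeniedException.
  depends_on = [aws_lambda_permission.allow_secretmanager]
}
```

After apply, the attached policy can be confirmed with `aws lambda get-policy --function-name <function>`; the statement should show `secretsmanager.amazonaws.com` as the principal with the secret ARN and account in its conditions.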
Solution