
I'm writing my first lambda function (in Python), and I'm a little confused about how credentials are supposed to work in the lambda environment. I'm trying to retrieve a secret (for Aurora database access) from the aws secrets api, using their example code which looks something like this (I've stripped out all the error handling for brevity):

import boto3

def get_secret():
    secret_name = 'dbtest-postgres-secret'
    region_name = 'us-east-2'

    # A default session picks credentials up from the environment
    # (locally: ~/.aws/credentials; in Lambda: the function's execution role).
    session = boto3.session.Session()
    client = session.client(
        service_name='secretsmanager',
        region_name=region_name
    )

    get_secret_value_response = client.get_secret_value(
        SecretId=secret_name
    )

    # Text secrets come back in 'SecretString'; binary secrets use 'SecretBinary' instead.
    secret = get_secret_value_response['SecretString']

    return secret

This works fine locally in an environment in which I have my normal AWS credentials, but returns None without raising any errors when running as part of a lambda function. I'm using it like this:

def handler(event, context):
    secret = get_secret()
    assert secret is not None

And it's failing at that assert statement:

{
  "errorType": "AssertionError",
  "stackTrace": [
    "  File \"/var/task/dbtest.py\", line nn, in handler\n    assert secret is not None\n"
  ]
}

I assumed that by assigning a role to the lambda function with appropriate permissions (AmazonRDSDataFullAccess, which includes permissions to access the secrets manager) that everything would be set. Do I need to provide explicit credentials (e.g., an access key and secret) to the lambda function?

I'm wondering why you didn't see an AccessDeniedError. Commented Feb 6, 2020 at 19:07

1 Answer

You do not need to give explicit credentials, the lambda will get the credentials from the role you assigned to it. What is the secret you are asking for, because the AmazonRDSDataFullAccess only has access to secrets at rds-db-credentials/*.


3 Comments

The secret is called "dbtest-postgres-secret". Are you saying it needs to have a name prefixed with rds-db-credentials/?
That's correct. In order for that particular policy to work you would need to do that. If you need a different set of secrets you should specify the name(s) (or pattern) in a policy that you create.
Thanks, that was it!
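The following is an added example, not code from the original question or answer. It shows why a secret named dbtest-postgres-secret falls outside the rds-db-credentials/* scope the answer refers to, and what a scoped policy statement for that specific secret looks like. The full ARN form of the managed policy's resource pattern, the account id, the random suffix and the region are assumptions made up for illustration; the only fact taken from the thread is that AmazonRDSDataFullAccess covers secrets under rds-db-credentials/*. A Secrets Manager ARN ends with the secret name plus a hyphen and six random characters, which is why a scoped policy has to wildcard that suffix.

```python
# Added example (not from the original post). Demonstrates IAM-style wildcard
# matching of Secrets Manager ARNs against a policy resource pattern, and builds
# a least-privilege policy for the secret named in the question.
import json
import re

# Assumed full ARN form of the resource pattern in AmazonRDSDataFullAccess;
# the thread only states that it is limited to rds-db-credentials/*.
RDS_DATA_SECRET_PATTERN = "arn:aws:secretsmanager:*:*:secret:rds-db-credentials/*"


def iam_wildcard_matches(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' matches any run of characters (including
    ':' and '/'), '?' matches exactly one character, everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def secret_arn(name: str, region: str = "us-east-2",
               account: str = "123456789012", suffix: str = "AbCdEf") -> str:
    """Build a Secrets Manager ARN for a secret name. Secrets Manager appends a
    hyphen and six random characters to the name. Account id and suffix here
    are made-up sample values."""
    return f"arn:aws:secretsmanager:{region}:{account}:secret:{name}-{suffix}"


def covered_by_rds_data_policy(name: str) -> bool:
    """True if the managed policy's resource pattern matches this secret."""
    return iam_wildcard_matches(RDS_DATA_SECRET_PATTERN, secret_arn(name))


def get_secret_value_policy(secret_names, region: str = "us-east-2",
                            account: str = "123456789012") -> dict:
    """Least-privilege policy document: GetSecretValue/DescribeSecret on exactly
    the named secrets, wildcarding only the six-character random suffix."""
    resources = [
        f"arn:aws:secretsmanager:{region}:{account}:secret:{n}-??????"
        for n in secret_names
    ]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["secretsmanager:GetSecretValue",
                       "secretsmanager:DescribeSecret"],
            "Resource": resources,
        }],
    }


def policy_allows(policy: dict, action: str, arn: str) -> bool:
    """Minimal evaluator for Allow-only statements: true if some statement lists
    a matching action and a matching resource pattern. (Real IAM also evaluates
    Deny statements, conditions and resource policies; this is only the part
    relevant to the thread.)"""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if any(iam_wildcard_matches(a, action) for a in actions) and \
           any(iam_wildcard_matches(r, arn) for r in resources):
            return True
    return False


if __name__ == "__main__":
    # "rds-db-credentials/cluster-XYZ/postgres" is a made-up name in the shape the managed policy expects.
    for name in ("dbtest-postgres-secret", "rds-db-credentials/cluster-XYZ/postgres"):
        print(f"{name}: covered by AmazonRDSDataFullAccess = {covered_by_rds_data_policy(name)}")
    policy = get_secret_value_policy(["dbtest-postgres-secret"])
    print(json.dumps(policy, indent=2))
    print("scoped policy allows GetSecretValue on our secret:",
          policy_allows(policy, "secretsmanager:GetSecretValue",
                        secret_arn("dbtest-postgres-secret")))
```

Attaching the generated document to the Lambda execution role as an inline policy is the "policy that you create" the answer mentions; renaming the secret to fall under rds-db-credentials/ is the other route, and it grants the function access to every secret under that prefix, not just this one.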
