I am stuck configuring my AWS Lambda to access a secret. I have done it many times, and all the existing resources work properly, but now a new one does not want to.
Stack: I have a secret in Secrets Manager and a Lambda (in a VPC).
What I want: read the secret from lambda.
Role of the lambda has the following policy:
    {
      "Statement": [
        {
          "Action": [
            "secretsmanager:GetSecretValue"
          ],
          "Resource": "arn:aws:secretsmanager:us-east-1:xxxxxxxxx:secret:xxxxxxxxxxxx",
          "Effect": "Allow"
        }
      ]
    }

But even if I give full admin permission to this role, I am not allowed to read the secret from the Lambda. I get the following error message:
    User: arn:aws:sts::xxxxxxxxx:assumed-role/xxxxxxx/yyyyyyyy is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:us-east-1:xxxxxxxxx:secret:xxxxxxxxxxxx

I have other Lambdas that work, but it is a bit terrifying that re-deploying my CloudFormation stack could break the whole application due to this.
I assume there was some change on the AWS side, existing resources got changed to be compatible, but now I am not able to access any new or already existing secrets, even if I can see in the Lambda configuration that I have permission.
Does anyone have any idea what is missing? Thanks!
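The following is an added example for reasoning about this kind of "not authorized" error offline; it is not the original poster's code and it does not claim to be their root cause. It is a small evaluator for IAM identity-policy statements (wildcard matching on Action and Resource, explicit Deny overriding Allow) plus a check for one common Secrets Manager pitfall: the secret ARN that IAM actually compares against ends with a hyphen and six random characters, so a Resource written as the bare secret name without that suffix or a wildcard never matches. The policy documents, account id and secret name below are constructed sample values.

```python
"""Offline evaluator for IAM identity-policy statements (constructed example).

Checks whether a policy document allows an action on a resource ARN using the
IAM wildcard rules ('*' and '?'), with an explicit Deny overriding any Allow.
It ignores Condition, NotAction/NotResource, resource policies, permissions
boundaries, SCPs and KMS key policies, so an Allow here is necessary but not
sufficient for a real call to succeed.
"""
import re

# Constructed sample values: a secret created as "app/db" gets an ARN with a
# six-character random suffix appended by Secrets Manager.
ACCOUNT = "123456789012"
SECRET_ARN = f"arn:aws:secretsmanager:us-east-1:{ACCOUNT}:secret:app/db-AbCdEf"

# Resource names the secret exactly, without the suffix: never matches.
POLICY_EXACT = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["secretsmanager:GetSecretValue"],
        "Resource": f"arn:aws:secretsmanager:us-east-1:{ACCOUNT}:secret:app/db",
    }],
}

# Resource uses a trailing wildcard so the random suffix is covered.
POLICY_WILDCARD = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["secretsmanager:GetSecretValue"],
        "Resource": f"arn:aws:secretsmanager:us-east-1:{ACCOUNT}:secret:app/db-*",
    }],
}

# Full admin plus an explicit Deny on Secrets Manager: Deny wins regardless.
POLICY_ADMIN_WITH_DENY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "secretsmanager:*", "Resource": "*"},
    ],
}


def _wildcard_match(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """Match an IAM pattern: '*' is any run of characters, '?' a single one."""
    regex = "^" + ".*".join(
        ".".join(re.escape(part) for part in chunk.split("?"))
        for chunk in pattern.split("*")
    ) + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for action on resource."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy.get("Statement", [])):
        # Action names are case-insensitive in IAM; resource ARNs are not.
        if not any(_wildcard_match(a, action, True) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_wildcard_match(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"  # an explicit Deny ends evaluation
        decision = "Allow"
    return decision


_SECRET_ARN = re.compile(r"^arn:aws:secretsmanager:[^:]*:[^:]*:secret:(.+)$")


def suffix_warnings(policy: dict) -> list:
    """List Secrets Manager Resource ARNs that lack the random suffix and any wildcard.

    Such ARNs can never equal the ARN Secrets Manager reports for a secret.
    """
    flagged = []
    for stmt in _as_list(policy.get("Statement", [])):
        for res in _as_list(stmt.get("Resource", [])):
            match = _SECRET_ARN.match(res)
            if not match:
                continue
            name = match.group(1)
            if "*" in name or "?" in name or re.search(r"-[A-Za-z0-9]{6}$", name):
                continue
            flagged.append(res)
    return flagged


if __name__ == "__main__":
    action = "secretsmanager:GetSecretValue"
    for label, policy in [("exact", POLICY_EXACT), ("wildcard", POLICY_WILDCARD),
                          ("admin+deny", POLICY_ADMIN_WITH_DENY)]:
        print(f"{label:10s} -> {evaluate(policy, action, SECRET_ARN)}  "
              f"suffix warnings: {suffix_warnings(policy)}")
```

Running the script prints `ImplicitDeny` for the exact-name policy, `Allow` for the wildcard policy and `Deny` for the admin policy with the explicit Deny. The last case is the one worth keeping in mind for a denial that survives granting full admin to the role: the identity policy is then not the deciding factor, and the next things to check are an explicit Deny reaching the role from elsewhere (an SCP, a permissions boundary, a session policy or the secret's resource policy), the KMS key policy of the key that encrypts the secret, and whether the `assumed-role` name in the error message is really the role the function was expected to run under.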