Hello community,
I was hoping to find an answer here as I have struggled long enough and searched for an answer, or better yet for docs, which would guide me to correctly set up an iamRoleStatements for a Lambda function which needs to read credentials from Secrets Manager on AWS and use that to connect to a DB. Unfortunately, when I deploy the service, the IAM policy is not created.
Here is a part of the serverless.yml:
service: SomeService

plugins:
  - serverless-webpack
  - serverless-offline

custom:
  webpackIncludeModules: true

provider:
  deploymentBucket:
    name: kvikymart-code
  name: aws
  runtime: nodejs8.10
  region: eu-west-1
  stage: ${opt:stage, 'dev'}
  tags:
    Project: Some Service
  apiKeys:
    - ${opt:stage}-someServiceAPIKey
  environment:
    SERVICE_STAGE: ${self:provider.stage}
    SECRET_ID: ${file(./constants.yml):SECRET_ID}
    REGION: ${file(./constants.yml):REGION}

functions:
  someLambda:
    handler: api/getDataFromDatabase.main
    description: Description.
    memorySize: 128
    vpc:
      securityGroupIds:
        - sg-xxxxx # Allow VPC Endpoints
        - sg-xxxxx # Allow PostgreSQL
      subnetIds:
        - subnet-xxxx # eu-west-1a
        - subnet-xxxx # eu-west-1b
        - subnet-xxxx # eu-west-1c
    iamRoleStatements:
      - Effect: "Allow"
        Action:
          - "secretsmanager:GetSecretValue"
        Resource: "arn:aws:secretsmanager:eu-west-1:[account-number]:secret:/someService/dbAccess-abcdef"
    events:
      - http:
          path: someLambda
          method: get
          private: true
          cors: true
Please see the iamRoleStatements; this never gets created when I deploy. If anyone has an idea how to get it working, please let me know.
Whenever I create the policy manually for the Lambda it works; until then, access is denied for the user trying to access Secrets Manager…
Thank you,
Tom
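Editor's note, added here and not part of Tom's post: the core Serverless Framework (v1, the generation that shipped the nodejs8.10 runtime) only reads `iamRoleStatements` from the `provider` block; a key with the same name nested under a function is not validated and is silently ignored, which matches the symptom described above (no policy statement in the generated role). Per-function statements require the third-party `serverless-iam-roles-per-function` plugin. The fragment below is an added example showing the same statement moved to the provider level, keeping the tightly scoped resource ARN from the post (the `[account-number]` and the `-abcdef` suffix are the post's own placeholders, not real values); the commented lines are assumptions about the deployment, not something the post states.

```yaml
provider:
  name: aws
  runtime: nodejs8.10
  region: eu-west-1
  stage: ${opt:stage, 'dev'}
  # Statements here are merged into the single Lambda execution role that the
  # framework generates for every function in the service.
  iamRoleStatements:
    - Effect: Allow
      Action:
        - secretsmanager:GetSecretValue   # the only action the handler needs to read the value
      Resource: arn:aws:secretsmanager:eu-west-1:[account-number]:secret:/someService/dbAccess-abcdef
    # Assumption: only add this block if the secret is encrypted with a
    # customer-managed KMS key. Secrets encrypted with the AWS-managed
    # aws/secretsmanager key in the same account need no extra KMS grant.
    # - Effect: Allow
    #   Action:
    #     - kms:Decrypt
    #   Resource: arn:aws:kms:eu-west-1:[account-number]:key/[key-id-placeholder]

functions:
  someLambda:
    handler: api/getDataFromDatabase.main
    # No iamRoleStatements here: the framework core ignores function-level
    # statements unless the serverless-iam-roles-per-function plugin is installed,
    # in which case this function gets its own role containing only its statements.
    events:
      - http:
          path: someLambda
          method: get
          private: true
```

Two checks are worth running before deploying. First, `serverless package` writes the generated template to `.serverless/cloudformation-template-update-stack.json`; the `IamRoleLambdaExecution` resource in that file should contain the `secretsmanager:GetSecretValue` statement, and if it does not, the statement is still in a place the framework does not read. Second, because the function runs inside a VPC, the Secrets Manager call only reaches the service through a NAT gateway or a Secrets Manager interface VPC endpoint reachable from the listed subnets and allowed by the "VPC Endpoints" security group; a correct IAM policy with no network path shows up as a timeout rather than an access-denied error, which helps tell the two failure modes apart.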