iamRoleStatements not created to access Secrets Manager from Lambda

Tags: aws, lambda

#1

Hello community,

I was hoping to find an answer here, as I have struggled long enough and searched for an answer, or better yet for docs, that would guide me to correctly set up an iamRoleStatements block for a Lambda function which needs to read credentials from Secrets Manager on AWS and use them to connect to a DB. Unfortunately, when I deploy the service, the IAM policy is not created.

Here is a part of the serverless.yml:

service: SomeService

plugins:
  - serverless-webpack
  - serverless-offline

custom:
  webpackIncludeModules: true

provider:
  deploymentBucket:
    name: kvikymart-code
  name: aws
  runtime: nodejs8.10
  region: eu-west-1
  stage: ${opt:stage, 'dev'}
  tags:
    Project: Some Service
  apiKeys:
    - ${opt:stage}-someServiceAPIKey
  environment:
    SERVICE_STAGE: ${self:provider.stage}
    SECRET_ID: ${file(./constants.yml):SECRET_ID}
    REGION: ${file(./constants.yml):REGION}

functions:
  someLambda:
    handler: api/getDataFromDatabase.main
    description: Description.
    memorySize: 128
    vpc:
      securityGroupIds:
        - sg-xxxxx # Allow VPC Endpoints
        - sg-xxxxx # Allow PostgreSQL
      subnetIds:
        - subnet-xxxx # eu-west-1a
        - subnet-xxxx # eu-west-1b
        - subnet-xxxx # eu-west-1c
    iamRoleStatements:
      - Effect: "Allow"
        Action:
          - "secretsmanager:GetSecretValue"
        Resource: "arn:aws:secretsmanager:eu-west-1:[account-number]:secret:/someService/dbAccess-abcdef"
    events:
      - http:
          path: someLambda
          method: get
          private: true
          cors: true

Please see the iamRoleStatements; this never gets created when I deploy. If anyone has an idea how to get it working, please let me know.

Whenever I create the policy manually for the Lambda it works; until then, access denied for the user to access Secrets Manager…

Thank you,

Tom


#2

You need to use the serverless-iam-roles-per-function plugin if you want to set the IAM roles at the function level. By default the IAM role statements need to be put in the provider section, and they apply to all functions.
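The following serverless.yml is an added example illustrating the answer above; it is not code from the original post or from the Serverless project. It moves the statement to provider.iamRoleStatements (the Serverless Framework v1 key; v2 and later also accept provider.iam.role.statements), which is where the Framework reads IAM statements without a plugin. The account number 123456789012, the secret name /someService/dbAccess and the sg-/subnet- placeholders are assumptions carried over from the question.

```yaml
# Added example (not the original poster's config): the IAM statement lives under
# provider, so it is written into the single Lambda execution role
# (CloudFormation logical ID IamRoleLambdaExecution) that every function shares.
service: SomeService

plugins:
  - serverless-webpack
  - serverless-offline
  # Alternative: add serverless-iam-roles-per-function here, and a function-level
  # iamRoleStatements block (as in the question) becomes a per-function role.

provider:
  name: aws
  runtime: nodejs8.10
  region: eu-west-1
  stage: ${opt:stage, 'dev'}
  environment:
    SERVICE_STAGE: ${self:provider.stage}
    SECRET_ID: ${file(./constants.yml):SECRET_ID}
    REGION: ${file(./constants.yml):REGION}
  # Provider-level statements apply to ALL functions in the service, so keep the
  # Resource scoped to the one secret rather than "*" to preserve least privilege.
  iamRoleStatements:
    - Effect: Allow
      Action:
        - secretsmanager:GetSecretValue
      # Secrets Manager appends a random 6-character suffix to the secret ARN.
      # "-??????" matches exactly that suffix (IAM's single-character wildcard)
      # without granting access to other secrets under the same prefix.
      # 123456789012 is a placeholder account ID (assumption).
      Resource: arn:aws:secretsmanager:${self:provider.region}:123456789012:secret:/someService/dbAccess-??????
    # Only needed if the secret is encrypted with a customer-managed KMS key;
    # the AWS-managed aws/secretsmanager key needs no extra statement.
    # - Effect: Allow
    #   Action:
    #     - kms:Decrypt
    #   Resource: arn:aws:kms:${self:provider.region}:123456789012:key/<key-id>

functions:
  someLambda:
    handler: api/getDataFromDatabase.main
    memorySize: 128
    # A function inside a VPC has no internet route by default: reaching
    # Secrets Manager needs an interface VPC endpoint for secretsmanager
    # (or a NAT gateway) reachable from these subnets and security groups.
    vpc:
      securityGroupIds:
        - sg-xxxxx # Allow VPC Endpoints
        - sg-xxxxx # Allow PostgreSQL
      subnetIds:
        - subnet-xxxx # eu-west-1a
        - subnet-xxxx # eu-west-1b
        - subnet-xxxx # eu-west-1c
    events:
      - http:
          path: someLambda
          method: get
          private: true
          cors: true
```

To confirm the statement was actually emitted before deploying, run `serverless package` and inspect `.serverless/cloudformation-template-update-stack.json`: the `IamRoleLambdaExecution` resource's inline policy should now contain the `secretsmanager:GetSecretValue` statement. If a function-level `iamRoleStatements` key is present without the serverless-iam-roles-per-function plugin, the Framework silently ignores it, which is exactly the symptom described in the question; with the plugin installed, the function-level block is honored and each function gets its own role, which is the better choice when different functions need different secrets.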