
Accessing AWS APIs from within a lambda function?

I'm writing my first lambda function (in Python), and I'm a little confused about how credentials are supposed to work in the lambda environment. I'm trying to retrieve a secret (for Aurora database access) from the aws secrets api, using their example code which looks something like this (I've stripped out all the error handling for brevity):

import boto3


def get_secret():
    secret_name = 'dbtest-postgres-secret'
    region_name = 'us-east-2'

    # The session picks up credentials from the environment (locally: the
    # configured profile; in Lambda: the execution role's temporary keys).
    session = boto3.session.Session()
    client = session.client(
        service_name='secretsmanager',
        region_name=region_name
    )

    get_secret_value_response = client.get_secret_value(
        SecretId=secret_name
    )

    secret = get_secret_value_response['SecretString']

    return secret

This works fine locally in an environment in which I have my normal AWS credentials, but returns None without raising any errors when running as part of a lambda function. I'm using it like this:

def handler(event, context):
    secret = get_secret()
    assert secret is not None

And it's failing at that assert statement:

{
  "errorType": "AssertionError",
  "stackTrace": [
    "  File \"/var/task/dbtest.py\", line nn, in handler\n    assert secret is not None\n"
  ]
}

I assumed that by assigning a role to the lambda function with appropriate permissions (AmazonRDSDataFullAccess, which includes permissions to access the secrets manager) that everything would be set. Do I need to provide explicit credentials (e.g., an access key and secret) to the lambda function?

You do not need to give explicit credentials; the lambda will get the credentials from the role you assigned to it. What is the secret you are asking for? Because the AmazonRDSDataFullAccess only has access to secrets at rds-db-credentials/*.
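The answer's point is a resource-scoping one: the managed policy's Secrets Manager statement only matches ARNs whose secret name starts with rds-db-credentials/, so a secret called dbtest-postgres-secret is outside it and the role gets an implicit deny. The following is an added example, not code from the question, the answer or AWS: it contains a constructed approximation of that statement (only its rds-db-credentials/* resource is taken from the answer; the rest is assumed), two constructed secret ARNs with a placeholder account id, a small evaluator for IAM-style wildcard matching with explicit-deny precedence, a builder for a least-privilege inline policy scoped to one secret ARN, and a variant of get_secret that raises on failure instead of silently returning None. The evaluator is deliberately simplified (no Condition, NotAction, NotResource or resource policies); the is_allowed, least_privilege_policy and get_secret names are the example's own.

```python
import re

# Constructed approximation of the Secrets Manager statement in the managed
# AmazonRDSDataFullAccess policy, based only on the answer above: it grants
# secret reads on resources named rds-db-credentials/* and nothing else.
RDS_DATA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["secretsmanager:GetSecretValue"],
        "Resource": "arn:aws:secretsmanager:*:*:secret:rds-db-credentials/*",
    }],
}

# Constructed ARNs (placeholder account id 123456789012; Secrets Manager
# appends a random suffix such as -AbCdEf to the secret name in the ARN).
RDS_MANAGED_SECRET = ("arn:aws:secretsmanager:us-east-2:123456789012:secret:"
                      "rds-db-credentials/cluster-EXAMPLE/admin-AbCdEf")
ASKER_SECRET = ("arn:aws:secretsmanager:us-east-2:123456789012:secret:"
                "dbtest-postgres-secret-AbCdEf")


def _wildcard_match(pattern, value, case_insensitive=False):
    """IAM-style pattern: '*' is any run of characters (including '/' and
    ':'), '?' is exactly one character, everything else is literal."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(policy, action, resource_arn):
    """Simplified identity-policy evaluation: a matching explicit Deny always
    wins, any matching Allow grants, and no match is an implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_wildcard_match(a, action, True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_wildcard_match(r, resource_arn) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def least_privilege_policy(secret_arn):
    """Inline policy for the Lambda execution role: read one secret, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": secret_arn,
        }],
    }


def get_secret(secret_name, region_name):
    """Like the question's helper, but a failure raises instead of yielding None.
    boto3 is imported lazily so the policy checks above run without it."""
    import boto3
    from botocore.exceptions import ClientError

    client = boto3.session.Session().client("secretsmanager", region_name=region_name)
    try:
        response = client.get_secret_value(SecretId=secret_name)
    except ClientError as err:
        code = err.response["Error"]["Code"]  # e.g. AccessDeniedException
        raise RuntimeError(f"cannot read secret {secret_name!r}: {code}") from err
    if "SecretString" not in response:
        raise RuntimeError(f"secret {secret_name!r} is binary, not a string")
    return response["SecretString"]


if __name__ == "__main__":
    act = "secretsmanager:GetSecretValue"
    print("managed policy, rds-db-credentials secret:", is_allowed(RDS_DATA_POLICY, act, RDS_MANAGED_SECRET))  # True
    print("managed policy, asker's secret:", is_allowed(RDS_DATA_POLICY, act, ASKER_SECRET))  # False
    print("scoped policy, asker's secret:", is_allowed(least_privilege_policy(ASKER_SECRET), act, ASKER_SECRET))  # True
```

Attaching the output of least_privilege_policy to the execution role (instead of the broad managed policy) is the usual fix for the asker's case: the role then reads exactly the secret the function needs, and a wrong secret name or region surfaces as an exception in the logs rather than as an assertion on None.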

