
How do I add Secrets Manager IAM permission?

I'm reading the CDK docs about the SecretsManager and I'm not sure if I've misunderstood, but what I thought would work from their example doesn't seem to grant the permission I expected. Essentially I have a stack that contains some Lambdas, and I'd like all of them to be able to read two secrets from the SecretsManager.

// Imports assumed for this snippet: CDK v1 package names, matching the
// cdk.Construct type used in the JSDoc below. APIServices is the project's
// own construct and is imported from elsewhere in the project.
const cdk = require("@aws-cdk/core");
const iam = require("@aws-cdk/aws-iam");
const secretsmanager = require("@aws-cdk/aws-secretsmanager");

class CdkStack extends cdk.Stack {
    /**
     *
     * @param {cdk.Construct} scope
     * @param {string} id
     * @param {cdk.StackProps=} props
     */
    constructor(scope, id, props) {
        super(scope, id, props);

        // eslint-disable-next-line no-new
        new APIServices(this, "APIServices");

        // A standalone role trusted by the account root. Nothing in the stack
        // assumes it, so the grants below never reach the Lambda functions.
        const role = new iam.Role(this, "SecretsManagerRead", {
            assumedBy: new iam.AccountRootPrincipal(),
        });

        const dbReadSecret = new secretsmanager.Secret(this, "databaseReader");
        const dbWriteSecret = new secretsmanager.Secret(this, "databaseWriter");

        // grantRead attaches GetSecretValue/DescribeSecret on each secret to this role only
        dbReadSecret.grantRead(role);
        dbWriteSecret.grantRead(role);
    }
}

If I understood it correctly I should simply create this role and give it permissions to access secrets? My Lambdas still however failed when I tried to run them. Do I need to do anything else not mentioned in the docs I was reading about assigning that role to the Lambdas explicitly too?

Depending on your actual context there are two possible variants.

1. Import existing role

If the Lambda function has been predefined (e.g. in a different stack), you can add the additional permissions to the existing Lambda execution role by importing it into this CDK stack first.

class CdkStack extends cdk.Stack {
    constructor(scope, id, props) {
        // ...

        // Import the existing role into the stack. mutable: true lets the
        // grant calls below attach a policy to the imported role.
        const roleArn = 'arn:aws:iam::123456789012:role/MyExistingLambdaExecutionRole';
        const role = iam.Role.fromRoleArn(this, 'Role', roleArn, {
            mutable: true,
        });

        const dbReadSecret = new secretsmanager.Secret(this, "databaseReader");
        const dbWriteSecret = new secretsmanager.Secret(this, "databaseWriter");

        dbReadSecret.grantRead(role);
        dbWriteSecret.grantRead(role);
    }
}

For more information regarding the usage of the aws-iam CDK module, here's the link to the documentation. Here, you can learn more about the Lambda Execution Role itself.

2. Lambda function defined as part of stack

If the lambda function has been defined somewhere in this stack, you can simply attach the permissions to the Lambda function through its reference using dbReadSecret.grantRead(lambda.role) and dbWriteSecret.grantRead(lambda.role) respectively.

class CdkStack extends cdk.Stack {
    constructor(scope, id, props) {
        // ...

        // Create the function or retrieve the reference if
        // it has been defined somewhere else in the stack

        const lambda = ...

        const dbReadSecret = new secretsmanager.Secret(this, "databaseReader");
        const dbWriteSecret = new secretsmanager.Secret(this, "databaseWriter");

        dbReadSecret.grantRead(lambda.role);
        dbWriteSecret.grantRead(lambda.role);
    }
}

Please have a look at the answer to this question for reference.
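Added example, written for this page and not taken from the question, the answer or the CDK project: a small script that audits the CloudFormation template `cdk synth` writes out, reporting which secrets each Lambda's execution role can actually read and listing roles that carry a policy but are not trusted by the Lambda service, which is exactly the situation in the question's stack. The template inside the block is a constructed, simplified imitation of CDK output, and the logical IDs (`MyFn`, `MyFnRole`, `databaseReader`) are assumed.

```javascript
// Added example (not from the original post): audit a `cdk synth` template and report
// which secrets each Lambda's execution role can actually read, plus roles that hold a
// policy but that Lambda cannot assume. TEMPLATE is a constructed, simplified imitation.
const assumeBy = (principal) =>
  ({ Statement: [{ Effect: "Allow", Action: "sts:AssumeRole", Principal: principal }] });
const TEMPLATE = { Resources: {
  databaseReader: { Type: "AWS::SecretsManager::Secret", Properties: {} },
  MyFnRole: { Type: "AWS::IAM::Role", Properties: {
    AssumeRolePolicyDocument: assumeBy({ Service: "lambda.amazonaws.com" }) } },
  MyFn: { Type: "AWS::Lambda::Function",
    Properties: { Role: { "Fn::GetAtt": ["MyFnRole", "Arn"] } } },
  // the question's standalone role: trusted by the account root, not by Lambda
  SecretsManagerRead: { Type: "AWS::IAM::Role", Properties: {
    AssumeRolePolicyDocument: assumeBy({ AWS: "arn:aws:iam::123456789012:root" }) } },
  SecretsManagerReadPolicy: { Type: "AWS::IAM::Policy", Properties: {
    Roles: [{ Ref: "SecretsManagerRead" }],
    PolicyDocument: { Statement: [{ Effect: "Allow",
      Action: ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
      Resource: { Ref: "databaseReader" } }] } } },
} };
// Logical IDs of the roles an AWS::IAM::Policy is attached to.
const attachedRoles = (policy) => (policy.Properties.Roles || []).map((r) => r.Ref);
// True if the policy allows GetSecretValue on the secret with this logical ID.
function allowsSecretRead(policy, secretId) {
  return (policy.Properties.PolicyDocument.Statement || []).some((s) =>
    s.Effect === "Allow" &&
    [].concat(s.Action).some((a) => a === "secretsmanager:GetSecretValue" || a === "secretsmanager:*") &&
    [].concat(s.Resource).some((r) => r === "*" || (r && r.Ref === secretId)));
}
// Map each Lambda logical ID to the secrets its execution role can read.
function lambdaSecretAccess(tpl) {
  const res = tpl.Resources;
  const ids = (type) => Object.keys(res).filter((k) => res[k].Type === type);
  const policies = ids("AWS::IAM::Policy").map((k) => res[k]);
  const report = {};
  for (const fnId of ids("AWS::Lambda::Function")) {
    const roleId = res[fnId].Properties.Role["Fn::GetAtt"][0]; // role the function runs as
    report[fnId] = ids("AWS::SecretsManager::Secret").filter((secretId) =>
      policies.some((p) => attachedRoles(p).includes(roleId) && allowsSecretRead(p, secretId)));
  }
  return report;
}
// Roles that carry a policy but that the Lambda service is not trusted to assume.
function rolesNotAssumableByLambda(tpl) {
  const res = tpl.Resources;
  const trustsLambda = (roleId) => res[roleId].Properties.AssumeRolePolicyDocument.Statement
    .some((s) => s.Principal && s.Principal.Service === "lambda.amazonaws.com");
  return [...new Set(Object.values(res).filter((r) => r.Type === "AWS::IAM::Policy")
    .flatMap(attachedRoles))].filter((roleId) => !trustsLambda(roleId));
}
```

Running the audit on the real `cdk.out` template after switching the grants to `lambda.role` should move `databaseReader` into the function's entry and empty the second list.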

