Lambda rotation function execution role permissions for AWS Secrets Manager
For Rotation by Lambda function, when Secrets Manager uses a Lambda function to rotate a secret, Lambda assumes an IAM execution role and provides those credentials to the Lambda function code. For instructions about how to set up automatic rotation, see:
The following examples show inline policies for Lambda rotation function execution roles. To create an execution role and attach a permissions policy, see AWS Lambda execution role.
Examples:
Policy for a Lambda rotation function execution role
The following example policy allows the rotation function to:

- Run Secrets Manager operations for SecretARN.
- Create a new password.
- Set up the required configuration if your database or service runs in a VPC. See Configuring a Lambda function to access resources in a VPC.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue",
        "secretsmanager:PutSecretValue",
        "secretsmanager:UpdateSecretVersionStage"
      ],
      "Resource": "SecretARN"
    },
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetRandomPassword"
      ],
      "Resource": "*"
    },
    {
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:DeleteNetworkInterface",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DetachNetworkInterface"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```
Policy statement for customer managed key
If the secret is encrypted with a KMS key other than the AWS managed key aws/secretsmanager, then you need to grant the Lambda execution role permission to use the key. You can use the SecretARN encryption context to limit the use of the decrypt function, so the rotation function role only has access to decrypt the secret it is responsible for rotating. The following example shows a statement to add to the execution role policy to decrypt the secret using the KMS key.
```json
{
  "Effect": "Allow",
  "Action": [
    "kms:Decrypt",
    "kms:DescribeKey",
    "kms:GenerateDataKey"
  ],
  "Resource": "KMSKeyARN",
  "Condition": {
    "StringEquals": {
      "kms:EncryptionContext:SecretARN": "SecretARN"
    }
  }
}
```
To use the rotation function for multiple secrets that are encrypted with a customer managed key, add a statement like the following example to allow the execution role to decrypt the secret.
```json
{
  "Effect": "Allow",
  "Action": [
    "kms:Decrypt",
    "kms:DescribeKey",
    "kms:GenerateDataKey"
  ],
  "Resource": "KMSKeyARN",
  "Condition": {
    "StringEquals": {
      "kms:EncryptionContext:SecretARN": [
        "arn1",
        "arn2"
      ]
    }
  }
}
```
Policy statement for alternating users strategy
For information about the alternating users rotation strategy, see Lambda function rotation strategies.
For a secret that contains Amazon RDS credentials, if you are using the alternating users strategy and the superuser secret is managed by Amazon RDS, then you must also allow the rotation function to call read-only APIs on Amazon RDS so that it can get the connection information for the database. We recommend you attach the AWS managed policy AmazonRDSReadOnlyAccess.
The following example policy allows the function to:

- Run Secrets Manager operations for SecretARN.
- Retrieve the credentials in the superuser secret. Secrets Manager uses the credentials in the superuser secret to update the credentials in the rotated secret.
- Create a new password.
- Set up the required configuration if your database or service runs in a VPC. For more information, see Configuring a Lambda function to access resources in a VPC.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue",
        "secretsmanager:PutSecretValue",
        "secretsmanager:UpdateSecretVersionStage"
      ],
      "Resource": "SecretARN"
    },
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": "SuperuserSecretARN"
    },
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetRandomPassword"
      ],
      "Resource": "*"
    },
    {
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:DeleteNetworkInterface",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DetachNetworkInterface"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```
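The policies above share two scoping rules: Secrets Manager actions other than GetRandomPassword name a specific secret ARN, and kms:Decrypt carries the kms:EncryptionContext:SecretARN condition. The following added example (not AWS code) checks an execution role policy document against those two rules; the ARNs and both sample policies are constructed placeholders.

```python
"""Lint a Lambda rotation-role policy for the scoping described on this page (added example, not AWS code)."""

# Secrets Manager actions the page scopes to the rotated (or superuser) secret ARN.
SCOPED_SM_ACTIONS = {
    "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue",
    "secretsmanager:PutSecretValue", "secretsmanager:UpdateSecretVersionStage",
}

def _as_list(value):
    """IAM allows a string or a list for Action and Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]

def check_rotation_role_policy(policy: dict) -> list[str]:
    """Return one finding per statement that is broader than the page's examples."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        if "secretsmanager:*" in actions or "*" in actions:
            actions |= SCOPED_SM_ACTIONS  # a service or global wildcard covers every action
        wildcard = "*" in _as_list(stmt.get("Resource", []))
        # Only GetRandomPassword legitimately needs Resource "*" among the Secrets Manager actions.
        scoped = sorted(actions & SCOPED_SM_ACTIONS)
        if scoped and wildcard:
            findings.append(f"statement {i}: {scoped} allowed on Resource '*'")
        if "kms:Decrypt" in actions:
            ctx = stmt.get("Condition", {}).get("StringEquals", {})
            if "kms:EncryptionContext:SecretARN" not in ctx:
                findings.append(f"statement {i}: kms:Decrypt without kms:EncryptionContext:SecretARN condition")
            if wildcard:
                findings.append(f"statement {i}: kms:Decrypt allowed on Resource '*'")
    return findings

SECRET_ARN = "arn:aws:secretsmanager:us-east-1:111122223333:secret:db-creds-EXAMPLE"  # placeholder
GOOD_POLICY = {"Version": "2012-10-17", "Statement": [  # constructed: the page's scoping
    {"Effect": "Allow", "Action": sorted(SCOPED_SM_ACTIONS), "Resource": SECRET_ARN},
    {"Effect": "Allow", "Action": ["secretsmanager:GetRandomPassword"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey"],
     "Resource": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",  # placeholder
     "Condition": {"StringEquals": {"kms:EncryptionContext:SecretARN": SECRET_ARN}}},
]}
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [  # constructed: scoping removed
    {"Effect": "Allow", "Action": "secretsmanager:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": "*"},
]}
if __name__ == "__main__":
    for name, pol in (("good", GOOD_POLICY), ("weak", WEAK_POLICY)):
        print(name, check_rotation_role_policy(pol) or "no findings")
```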