Lambda rotation function execution role permissions for Amazon Secrets Manager - Amazon Secrets Manager
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Lambda rotation function execution role permissions for Amazon Secrets Manager

For Rotation by Lambda function, when Secrets Manager uses a Lambda function to rotate a secret, Lambda assumes an IAM execution role and provides those credentials to the Lambda function code. For instructions about how to set up automatic rotation, see:

The following examples show inline policies for Lambda rotation function execution roles. To create an execution role and attach a permissions policy, see Amazon Lambda execution role.

Policy for a Lambda rotation function execution role

The following example policy allows the rotation function to:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue", "secretsmanager:PutSecretValue", "secretsmanager:UpdateSecretVersionStage" ], "Resource": "SecretARN" }, { "Effect": "Allow", "Action": [ "secretsmanager:GetRandomPassword" ], "Resource": "*" }, { "Action": [ "ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface", "ec2:DescribeNetworkInterfaces", "ec2:DetachNetworkInterface" ], "Resource": "*", "Effect": "Allow" } ] }

Policy statement for customer managed key

If the secret is encrypted with a KMS key other than the Amazon managed key aws/secretsmanager, then you need to grant the Lambda execution role permission to use the key. You can use the SecretARN encryption context to limit the use of the decrypt function, so the rotation function role only has access to decrypt the secret it is responsible for rotating. The following example shows a statement to add to the execution role policy to decrypt the secret using the KMS key.

{ "Effect": "Allow", "Action": [ "kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey" ], "Resource": "KMSKeyARN" "Condition": { "StringEquals": { "kms:EncryptionContext:SecretARN": "SecretARN" } } }

To use the rotation function for multiple secrets that are encrypted with a customer managed key, add a statement like the following example to allow the execution role to decrypt the secret.

{ "Effect": "Allow", "Action": [ "kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey" ], "Resource": "KMSKeyARN" "Condition": { "StringEquals": { "kms:EncryptionContext:SecretARN": [ "arn1", "arn2" ] } } }

Policy statement for alternating users strategy

For information about the alternating users rotation strategy, see Lambda function rotation strategies.

For a secret that contains Amazon RDS credentials, if you are using the alternating users strategy and the superuser secret is managed by Amazon RDS, then you must also allow the rotation function to call read-only APIs on Amazon RDS so that it can get the connection information for the database. We recommend you attach the Amazon managed policy AmazonRDSReadOnlyAccess.

The following example policy allows the function to:

  • Run Secrets Manager operations for SecretARN.

  • Retrieve the credentials in the superuser secret. Secrets Manager uses the credentials in the superuser secret to update the credentials in the rotated secret.

  • Create a new password.

  • Set up the required configuration if your database or service runs in a VPC. For more information, see Configuring a Lambda function to access resources in a VPC.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue", "secretsmanager:PutSecretValue", "secretsmanager:UpdateSecretVersionStage" ], "Resource": "SecretARN" }, { "Effect": "Allow", "Action": [ "secretsmanager:GetSecretValue" ], "Resource": "SuperuserSecretARN" }, { "Effect": "Allow", "Action": [ "secretsmanager:GetRandomPassword" ], "Resource": "*" }, { "Action": [ "ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface", "ec2:DescribeNetworkInterfaces", "ec2:DetachNetworkInterface" ], "Resource": "*", "Effect": "Allow" } ] }