Using a Secrets Manager in an AWS Lambda Function in a Private Network | by Teri Radichel | Cloud Security | September 2023

esteria.white

ACM.317 Lack of sufficient logging and generic error messages complicates troubleshooting Lambda timeouts

Part of my series on Automating Cybersecurity Metrics. Lambda. Network Security. GitHub Security. Container Security. Deploy a Static Website. The Code.


In the last article, I added a personal access token in GitHub and allowed access from my private network through NAT by adding the AWS Elastic IP address of the NAT to the GitHub organization's security settings.

In this article, I want to access Secrets Manager from an AWS Lambda function in a private network. I originally thought I would retrieve the secret and clone the repository in a single post, but it turns out that AWS has made troubleshooting Lambda functions quite complicated due to the lack of sufficient error messages. I have some recommendations for fixing these messages at the bottom, but in the meantime you can see how I fixed the problem here.

I have already added permission for the Lambda function execution role to access the secret.

Make sure the Lambda role includes permission to read the secret

Recall that I added permission to read the secret to the Lambda execution role, but only if the secret is required.

Looking at the policy in the AWS console, it appears that the role was not deployed with the optional secret permissions.
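As an added example (not the author's code), the check below reads the role's policy document and reports whether it actually grants secretsmanager:GetSecretValue on the secret's ARN, so a conditionally omitted permission is caught before the function is invoked; the retrieval helper after it uses short timeouts and a single attempt so a private-network routing problem surfaces as a concrete botocore error in the logs instead of a generic Lambda timeout. The policy document and secret ARN are constructed placeholders.

```python
import fnmatch
import json

# Constructed sample of the execution role's inline policy, as the console
# would show it. The second statement is the one the template only adds
# when the optional secret parameter is set; here it is present.
ROLE_POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["logs:CreateLogStream", "logs:PutLogEvents"]},
    {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
     "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:github-pat-*"}
  ]
}"""
# Placeholder ARN (not the author's); Secrets Manager appends a random suffix.
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:github-pat-AbCdEf"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statements_granting(policy_json, action, resource_arn):
    """Allow statements whose Action and Resource cover the request.
    Simple matching only (no Deny/NotAction/Condition), enough to spot a
    missing grant. IAM's * and ? wildcards map onto fnmatch patterns."""
    hits = []
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if any(fnmatch.fnmatchcase(action.lower(), a) for a in actions) and any(
            fnmatch.fnmatchcase(resource_arn, r) for r in resources
        ):
            hits.append(stmt)
    return hits


def role_can_read_secret(policy_json, secret_arn):
    return bool(statements_granting(policy_json, "secretsmanager:GetSecretValue", secret_arn))


def get_secret(secret_arn):
    """Fetch the secret with short timeouts and a single attempt, so a VPC
    routing problem (no endpoint or NAT path) surfaces as a ConnectTimeoutError
    in the logs within seconds instead of the function hitting its own timeout."""
    import boto3  # imported here so the policy check above runs without boto3
    from botocore.config import Config
    cfg = Config(connect_timeout=3, read_timeout=3, retries={"max_attempts": 1})
    client = boto3.client("secretsmanager", config=cfg)
    return client.get_secret_value(SecretId=secret_arn)["SecretString"]
```

Run the policy check against the document returned by the IAM console or `aws iam get-role-policy` for the Lambda execution role; an empty result means the conditional secret statement never made it into the deployed role.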
