如何在SecretsManager文件中分配AWS CloudFormation策略？

Question

我正在用AWS、API和RDS (MySQL)开发REST。我正在使用Node.js。

为了确保数据库凭据的安全，我访问了AWS Web控制台并创建了一个新的秘密。

现在我需要在我的Lambda函数中访问这些。我知道我必须分配SecretsManagerReadWrite权限，但我不知道该如何做。

下面是我的CloudFormation配置文件。

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  aaaa-restapi

  Sample SAM Template for aaaa-restapi
  

    # More info about Globals: https://github.com/awslabs/serverless-application-model/blob/master/docs/globals.rst
    Globals:
      Function:
        Timeout: 100
        VpcConfig:
            SecurityGroupIds:
              - sg-041f2455252528e
            SubnetIds:
              - subnet-0385252525
    
    Resources:
      GetAllAccountingTypesFunction:
        Type: AWS::Serverless::Function # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction
        Properties:
          CodeUri: aaaa-restapi/
          Handler: accountingtypes-getall.getallaccountingtypes
          Runtime: nodejs14.x
          Events:
            HelloWorld:
              Type: Api # More info about API Event Source: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#api
              Properties:
                Path: /accountingtypes/getallaccountingtypes
                Method: get
      
    
      LambdaRole:
        Type: 'AWS::IAM::Role'
        Properties:
          AssumeRolePolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Principal:
                  Service:
                    - lambda.amazonaws.com
                Action:
                  - 'sts:AssumeRole'
          Path: /
          ManagedPolicyArns:
            - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
          Policies:
            - PolicyName: root
              PolicyDocument:
                Version: "2012-10-17"
                Statement:
                  - Effect: Allow
                    Action:
                      - ec2:DescribeNetworkInterfaces
                      - ec2:CreateNetworkInterface
                      - ec2:DeleteNetworkInterface
                      - ec2:DescribeInstances
                      - ec2:AttachNetworkInterface
                    Resource: '*'
    
    Outputs:
      # ServerlessRestApi is an implicit API created out of Events key under Serverless::Function
      # Find out more about other implicit resources you can reference within SAM
      # https://github.com/awslabs/serverless-application-model/blob/master/docs/internals/generated_resources.rst#api
      HelloWorldApi:
        Description: "API Gateway endpoint URL for Prod stage for functions"
        Value: !Sub "https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/"

在这个文件中，我如何给予我的Lambda函数的权限？

Answer 1

基于这些评论。

通常的方法是访问lambda函数中的秘密值。这需要授予权限访问秘密的lambda执行角色。

在CloudFormation模板中，可以将秘密名称(而不是其值)作为环境变量传递给lambda函数。