Using this as the Lambda function: https://github.com/aws-samples/aws-secrets-manager-rotation-lambdas/blob/master/SecretsManagerRotationTemplate/lambda_function.py, giving parameters as
{
"SecretId": "giving arn",
"ClientRequestToken":"giving random 32 digit number",
"Step":"testsecret"
}
Giving error:
{
"errorMessage": "'SECRETS_MANAGER_ENDPOINT'",
"errorType": "KeyError",
"requestId": "##",
"stackTrace": [
" File \"/var/task/lambda_function.py\", line 17, in lambda_handler\n service_client = boto3.client('secretsmanager', endpoint_url=os.environ['SECRETS_MANAGER_ENDPOINT'])\n",
" File \"/var/lang/lib/python3.9/os.py\", line 679, in __getitem__\n raise KeyError(key) from None\n"
]
}
Function Logs
START RequestId: ####### Version: $LATEST
[ERROR] KeyError: 'SECRETS_MANAGER_ENDPOINT'
Traceback (most recent call last):
File "/var/task/lambda_function.py", line 17, in lambda_handler
service_client = boto3.client('secretsmanager', endpoint_url=os.environ['SECRETS_MANAGER_ENDPOINT'])
File "/var/lang/lib/python3.9/os.py", line 679, in __getitem__
raise KeyError(key) from None
END RequestId: ########
REPORT RequestId: #### Duration: 13.10 ms Billed Duration: 14 ms Memory Size: 128 MB Max Memory Used: 52 MB Init Duration: 251.10 ms
You should add the missing variable to the Lambda environment parameters, with a key/value referencing the Secrets Manager endpoint in YOUR region, like: SECRETS_MANAGER_ENDPOINT: https://secretsmanager.us-east-1.amazonaws.com. Also, the necessary changes need to be made to the Lambda policy as per the article: https://aws.amazon.com/blogs/security/how-to-rotate-your-twitter-api-key-and-bearer-token-automatically-with-aws-secrets-manager/
Otherwise you'll get an error like this:
Function Logs
START RequestId: e1410eca-142f-4900-8af3-0bcf0435488a Version: $LATEST
[INFO] 2021-11-13T05:39:03.320Z e1410eca-142f-4900-8af3-0bcf0435488a Found credentials in environment variables.
[ERROR] ClientError: An error occurred (AccessDeniedException) when calling the DescribeSecret operation: User: arn:aws:sts::995149706792:assumed-role/rotate_secret_rcloneconfig-role-namt8fbc/rotate_secret_rcloneconfig is not authorized to perform: secretsmanager:DescribeSecret on resource: arn:aws:secretsmanager:us-east-1:995149706792:secret:rclonechina-5lPcTT because no identity-based policy allows the secretsmanager:DescribeSecret action
Traceback (most recent call last):
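The two failures shown in this thread (the KeyError from a missing SECRETS_MANAGER_ENDPOINT, then the AccessDeniedException once the client is built) both come from configuration outside the handler code. The following is an added example, not the question's code and not the AWS sample template, of how the endpoint lookup and the incoming rotation event can be checked up front so that a misconfigured function fails with a message that names the missing or wrong setting. It assumes the function reads SECRETS_MANAGER_ENDPOINT as the template does, that AWS_REGION is the runtime-provided region variable (used only when the optional fallback is enabled), and that the four step names are the ones Secrets Manager sends to a rotation function; the `allow_region_fallback` flag and the hostname pattern are this example's own choices.

```python
"""Added example (not the question's or the AWS sample's code): resolve and
validate the Secrets Manager endpoint before creating the boto3 client, and
validate the rotation event, so misconfiguration fails with a clear error."""
import os
import re
from urllib.parse import urlparse

# The four rotation steps Secrets Manager invokes, in this order.
ROTATION_STEPS = ("createSecret", "setSecret", "testSecret", "finishSecret")

# Accept only regional Secrets Manager hostnames (e.g. secretsmanager.us-east-1.amazonaws.com),
# including the -fips and .cn partition variants. Pattern chosen for this example.
_ENDPOINT_HOST = re.compile(r"^secretsmanager(-fips)?\.[a-z0-9-]+\.amazonaws\.com(\.cn)?$")


def resolve_endpoint(env=None, allow_region_fallback=False):
    """Return the URL to pass as endpoint_url to boto3.client('secretsmanager').

    Reads SECRETS_MANAGER_ENDPOINT (the variable the rotation template expects).
    If it is absent and allow_region_fallback is True, the endpoint is derived
    from AWS_REGION (set by the Lambda runtime); otherwise a RuntimeError names
    the missing variable instead of the bare KeyError seen in the question.
    Whatever the source, the value must be an https URL on a Secrets Manager
    hostname, so a typo cannot send the secret to some other host.
    """
    env = os.environ if env is None else env
    endpoint = env.get("SECRETS_MANAGER_ENDPOINT")
    if not endpoint:
        region = env.get("AWS_REGION") if allow_region_fallback else None
        if not region:
            raise RuntimeError(
                "SECRETS_MANAGER_ENDPOINT is not set; add it to the function's environment, "
                "e.g. https://secretsmanager.<region>.amazonaws.com"
            )
        endpoint = f"https://secretsmanager.{region}.amazonaws.com"
    parsed = urlparse(endpoint)
    if parsed.scheme != "https" or not _ENDPOINT_HOST.match(parsed.hostname or ""):
        raise RuntimeError(f"SECRETS_MANAGER_ENDPOINT is not a Secrets Manager endpoint: {endpoint!r}")
    return endpoint


def validate_rotation_event(event):
    """Check the three fields the template reads and return the step name.

    Step names are case-sensitive: the lowercase "testsecret" from the question
    would be rejected here (and by the template's own step dispatch).
    """
    for key in ("SecretId", "ClientRequestToken", "Step"):
        if not event.get(key):
            raise ValueError(f"missing {key} in rotation event")
    step = event["Step"]
    if step not in ROTATION_STEPS:
        raise ValueError(f"invalid Step {step!r}; expected one of {ROTATION_STEPS}")
    return step


if __name__ == "__main__":
    # Constructed sample environment and event for a local dry run.
    sample_env = {"SECRETS_MANAGER_ENDPOINT": "https://secretsmanager.us-east-1.amazonaws.com"}
    sample_event = {"SecretId": "arn:aws:secretsmanager:us-east-1:123456789012:secret:example",
                    "ClientRequestToken": "00000000-0000-0000-0000-000000000000",
                    "Step": "testSecret"}
    print("endpoint:", resolve_endpoint(sample_env))
    print("step:", validate_rotation_event(sample_event))
```

In the handler, the client is then built as `boto3.client("secretsmanager", endpoint_url=resolve_endpoint())`, and the first call the template makes on it is DescribeSecret, which is exactly the action the AccessDeniedException in the log above shows the role was missing. A clear endpoint error and a clear permission error are much faster to act on from the Function Logs than a KeyError on line 17.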