Create Lambda Role

Your Lambda function needs to read secrets stored in AWS Secrets Manager. To enable this, you will create an IAM policy that allows read access to those secrets and an IAM role that the Lambda service can assume, attach the policy to the role, and later assign the role to the Lambda function as its execution role.

Each member should execute the following commands from the Cloud9 terminal.

Save the policy document into a JSON file on the Fabric client. The heredoc below is unquoted, so $AWS_DEFAULT_REGION and $MEMBER_AWS_ID are expanded when the file is written: both must be exported in this shell, otherwise the Resource ARN is written with empty region and account fields. Note what the policy allows: read-only Secrets Manager actions, and only on secrets in the member's account whose name begins with amb/supplychain/ (the trailing * also covers the random suffix Secrets Manager appends to every secret ARN).

cat <<EOT > ~/lambda-access-policy.json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AmbSupplyChainSecretAccess",
    "Effect": "Allow",
    "Action": [
      "secretsmanager:GetResourcePolicy",
      "secretsmanager:GetSecretValue",
      "secretsmanager:DescribeSecret",
      "secretsmanager:ListSecretVersionIds"
    ],
    "Resource": "arn:aws:secretsmanager:$AWS_DEFAULT_REGION:$MEMBER_AWS_ID:secret:amb/supplychain/*"
  }]
}
EOT

Create a managed policy from the JSON file, create a Lambda execution role whose trust policy allows only the lambda.amazonaws.com service principal to assume it, and attach two policies to the role: the policy you just created and the AWS-managed AWSLambdaVPCAccessExecutionRole policy, which grants the CloudWatch Logs and elastic network interface permissions a VPC-attached function needs. If you run these commands a second time, create-policy fails with EntityAlreadyExists and POLICY_ARN is left empty; in that case use arn:aws:iam::$MEMBER_AWS_ID:policy/AmbSupplyChainSecretAccess, the ARN IAM assigns to a customer managed policy, instead.

export POLICY_ARN=$(aws iam create-policy --policy-name AmbSupplyChainSecretAccess --policy-document file://$HOME/lambda-access-policy.json | jq -r .Policy.Arn)
aws iam create-role --role-name LambdaRoleForAmbSupplyChainSecretAccess --assume-role-policy-document '{"Version": "2012-10-17","Statement": [{ "Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"}]}'
aws iam attach-role-policy --role-name LambdaRoleForAmbSupplyChainSecretAccess --policy-arn $POLICY_ARN
export VPC_POLICY_ARN=arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
aws iam attach-role-policy --role-name LambdaRoleForAmbSupplyChainSecretAccess --policy-arn $VPC_POLICY_ARN
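The script below is added here as an illustration and is not part of the workshop. It wraps the same steps in a form that can be re-run safely (it checks for an existing policy and role instead of failing on EntityAlreadyExists), refuses to run when the variables the heredoc expands are unset, and ends with an IAM policy-simulator check that the role can read secrets under amb/supplychain/ and nothing else. It assumes the policy and role names used above, that AWS_DEFAULT_REGION and MEMBER_AWS_ID are exported in the Cloud9 shell, and that jq is installed as in the workshop; the two secret names passed to the simulator are made up for the check.

```bash
#!/usr/bin/env bash
# Added example, not workshop code: re-runnable role setup with pre-flight
# checks and a least-privilege verification. Assumes the names used above.
set -eu

POLICY_NAME="AmbSupplyChainSecretAccess"
ROLE_NAME="LambdaRoleForAmbSupplyChainSecretAccess"
# AWS-managed policy; its ARN is fixed, so no list-policies lookup is needed.
VPC_EXEC_POLICY_ARN="arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"

# ARN pattern of the secrets the Lambda may read. Usage: secret_scope REGION ACCOUNT
secret_scope() {
  printf 'arn:aws:secretsmanager:%s:%s:secret:amb/supplychain/*' "$1" "$2"
}

# Customer managed policy ARNs are deterministic, so compute the ARN instead
# of parsing create-policy output (which is empty when the policy already
# exists). Usage: policy_arn ACCOUNT
policy_arn() {
  printf 'arn:aws:iam::%s:policy/%s' "$1" "$POLICY_NAME"
}

# Render the identity policy document. Usage: render_policy REGION ACCOUNT
render_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "$POLICY_NAME",
    "Effect": "Allow",
    "Action": [
      "secretsmanager:GetResourcePolicy",
      "secretsmanager:GetSecretValue",
      "secretsmanager:DescribeSecret",
      "secretsmanager:ListSecretVersionIds"
    ],
    "Resource": "$(secret_scope "$1" "$2")"
  }]
}
EOF
}

# Both variables must be set; an unquoted heredoc would otherwise expand them
# to empty strings and produce a Resource ARN with blank region/account.
check_env() {
  [ -n "${AWS_DEFAULT_REGION:-}" ] && [ -n "${MEMBER_AWS_ID:-}" ]
}

# Reject a rendered policy whose Resource has an empty region or account
# field (e.g. "arn:aws:secretsmanager:::secret:..."). Usage: policy_scoped JSON
policy_scoped() {
  ! printf '%s' "$1" | grep -Eq 'secretsmanager:(:|[^:]*::)'
}

# Create (or reuse) the policy and role and attach both policies. Talks to AWS.
setup_role() {
  check_env || { echo "AWS_DEFAULT_REGION and MEMBER_AWS_ID must be exported" >&2; return 1; }
  local arn
  arn=$(policy_arn "$MEMBER_AWS_ID")
  if ! aws iam get-policy --policy-arn "$arn" >/dev/null 2>&1; then
    render_policy "$AWS_DEFAULT_REGION" "$MEMBER_AWS_ID" > "$HOME/lambda-access-policy.json"
    aws iam create-policy --policy-name "$POLICY_NAME" \
      --policy-document "file://$HOME/lambda-access-policy.json" >/dev/null
  fi
  if ! aws iam get-role --role-name "$ROLE_NAME" >/dev/null 2>&1; then
    # Trust policy: only the Lambda service principal may assume this role.
    aws iam create-role --role-name "$ROLE_NAME" \
      --assume-role-policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"lambda.amazonaws.com"},"Action":"sts:AssumeRole"}]}' >/dev/null
  fi
  # attach-role-policy is idempotent, so these are safe to repeat.
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$arn"
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$VPC_EXEC_POLICY_ARN"
}

# Ask the IAM policy simulator what the role may do with GetSecretValue on a
# secret inside the prefix and one outside it. Expected output:
#   ...:secret:amb/supplychain/example: allowed
#   ...:secret:other/example: implicitDeny
# Both secret names are made up for the check. Talks to AWS.
verify_role() {
  local role_arn="arn:aws:iam::$MEMBER_AWS_ID:role/$ROLE_NAME"
  aws iam simulate-principal-policy --policy-source-arn "$role_arn" \
    --action-names secretsmanager:GetSecretValue \
    --resource-arns "arn:aws:secretsmanager:$AWS_DEFAULT_REGION:$MEMBER_AWS_ID:secret:amb/supplychain/example" \
                    "arn:aws:secretsmanager:$AWS_DEFAULT_REGION:$MEMBER_AWS_ID:secret:other/example" \
    | jq -r '.EvaluationResults[] | "\(.EvalResourceName): \(.EvalDecision)"'
}

# Run the whole procedure: source this file and call setup_role, then verify_role.
```

Source the file in the Cloud9 terminal and run setup_role followed by verify_role; if the second resource is reported as anything other than implicitDeny, some other attached policy is widening the role's access and should be reviewed before the function is deployed.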