我正在使用AWS Lambda函数调用AWS Secrets Manager来检索秘密值,但它仅返回值None / Null。
这是我的代码:
# Secrets Manager
import boto3
import base64
from botocore.exceptions import ClientError
def lambda_handler(event, context):
    """Lambda entry point from the question: fetch one secret and hand it back.

    The nested ``get_secret`` helper calls Secrets Manager's GetSecretValue.
    As written, the helper never returns a value, so this handler prints
    ``None`` and returns ``None`` (serialised as ``null``) on every path that
    does not raise.
    """

    # Secrets Manager
    def get_secret():
        secret_name = "arn:aws:secretsmanager:region:accountid:secret:full-secret-name"
        region_name = "region"

        # Create a Secrets Manager client
        sm_client = boto3.session.Session().client(
            service_name='secretsmanager',
            region_name=region_name,
        )

        # Only these 'GetSecretValue' error codes are rethrown.
        # See https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
        rethrown_codes = (
            # Secrets Manager can't decrypt the protected secret text using the provided KMS key.
            'DecryptionFailureException',
            # An error occurred on the server side.
            'InternalServiceErrorException',
            # You provided an invalid value for a parameter.
            'InvalidParameterException',
            # You provided a parameter value that is not valid for the current state of the resource.
            'InvalidRequestException',
            # We can't find the resource that you asked for.
            'ResourceNotFoundException',
        )

        try:
            response = sm_client.get_secret_value(SecretId=secret_name)
        except ClientError as e:
            if e.response['Error']['Code'] in rethrown_codes:
                raise e
            # NOTE(review): any other error code (an access-denied response,
            # for example) is swallowed here; the function then falls off the
            # end and returns None with no trace of the failure.
        else:
            # Depending on whether the secret is a string or binary, one of
            # these fields will be populated.
            if 'SecretString' in response:
                secret = response['SecretString']
            else:
                decoded_binary_secret = base64.b64decode(response['SecretBinary'])
            # NOTE(review): both branches only assign a local; nothing is
            # returned, so the caller always receives None.

    secretValue = get_secret()
    # NOTE(review): print() output from a Lambda function ends up in its
    # CloudWatch log stream, so once get_secret() returns a real value this
    # line would write the plaintext secret to the logs.
    print(secretValue)
    # NOTE(review): returning the value also hands the plaintext secret to
    # whoever invoked the function.
    return secretValue
函数的返回值是null,而print输出的是None。不太确定我哪里做错了:它没有报错,却也取不到我的值。
机密已加密,但是Lambda IAM角色具有KMS密钥的使用权限,并且KMS密钥也已授予IAM角色使用权限。
我也尝试过将secret_name设置为Secrets Name,就像这样:
# GetSecretValue's SecretId accepts the secret's friendly name as well as its full ARN.
secret_name = "full-secret-name-no-arn"
致谢
答案 0 :(得分:1)
解决方案:
# Secrets Manager
import json
import boto3
import base64
import logging
from botocore.exceptions import ClientError
# Module-level root logger; INFO is enabled so the progress messages emitted
# by the functions below are not filtered out.
logger = logging.getLogger(name=None)
logger.setLevel("INFO")
def lambda_handler(event, context):
    """Lambda entry point: load the secret and parse it as JSON.

    The parsed value stays in a local variable; it is neither logged nor
    returned, so the plaintext does not reach the log stream or the invoker.
    """
    logger.info("Inside lambda_handler...")

    # SecretsManager
    raw_secret = get_secret()
    secretValues = json.loads(raw_secret)
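def get_secret():
    """Fetch the configured secret from AWS Secrets Manager and return its value.

    Returns:
        The ``SecretString`` text when the response carries one, otherwise the
        result of base64-decoding ``SecretBinary``.

    Raises:
        ClientError: for any failure of the GetSecretValue call. Every error
            code is re-raised, not only the five the original template
            listed, so a denied or throttled request can no longer fall
            through and surface as a silent ``None``.
    """
    logger.info("Inside get_secret...")
    secret_name = "full-arn-goes-here"
    region_name = "region-goes-here"

    # Create a Secrets Manager client
    session = boto3.session.Session()
    client = session.client(
        service_name='secretsmanager',
        region_name=region_name
    )

    try:
        get_secret_value_response = client.get_secret_value(SecretId=secret_name)
    except ClientError as e:
        # See https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
        # for the documented codes (DecryptionFailureException,
        # InternalServiceErrorException, InvalidParameterException,
        # InvalidRequestException, ResourceNotFoundException). Only the error
        # code is logged; the message never contains the secret value.
        error_code = e.response.get('Error', {}).get('Code', 'Unknown')
        logger.error("GetSecretValue failed with %s", error_code)
        raise
    else:
        logger.info("Received Response")
        # Depending on whether the secret is a string or binary, one of these
        # fields will be populated.
        if 'SecretString' in get_secret_value_response:
            logger.info("Inside string response...")
            return get_secret_value_response['SecretString']
        logger.info("Inside binary response...")
        return base64.b64decode(get_secret_value_response['SecretBinary'])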
只需将secretValues = json.loads(get_secret())
放入处理程序中即可。
答案 1 :(得分:0)
您的get_secret()没有return语句