fix: Add secrets access to Lambda functions

Author: clareliguori

DEVELOP.md

@@ -9,7 +9,7 @@ and using an example chatbot client to communicate with those Lambda-based MCP s
 The example chatbot client will communicate with ten servers:
 
 1. **dad-jokes**: Ask "Tell me a good dad joke."
-2. **dog-facts**: Ask "Tell me something about dogs."
+2. **dog-facts**: Ask "Tell me something about golden retrievers."
 3. **book-search**: Ask "Who wrote the book Pride and Prejudice?"
 4. **dictionary**: Ask "How do you pronounce the word 'onomatopoeia'?"
 5. **zen**: Ask "Tell me the inspirational quote of the day."
@@ -56,6 +56,11 @@ aws iam attach-role-policy \
   --role-name mcp-lambda-example-servers \
   --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
 
+aws iam put-role-policy \
+  --role-name mcp-lambda-example-servers \
+  --policy-name secret-access \
+  --policy-document file://examples/servers/lambda-function-role-policy.json
+
 aws iam create-role \
   --role-name mcp-lambda-example-agentcore-gateways \
   --assume-role-policy-document file://examples/servers/bedrock-agentcore-gateway-assume-role-policy.json

e2e_tests/setup/integ-test-authentication.yaml

@@ -175,6 +175,21 @@ Resources:
             Principal:
               Service: lambda.amazonaws.com
 
+  LambdaSecretsAccessPolicy:
+    Type: "AWS::IAM::Policy"
+    Properties:
+      PolicyName: mcp-lambda-example-servers-secret-access
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: Allow
+            Action:
+              - "secretsmanager:GetSecretValue"
+            Resource:
+              - "*"
+      Roles:
+        - !Ref LambdaFunctionsRole
+
   BedrockAgentCoreGatewaysRole:
     Type: AWS::IAM::Role
     Properties:

examples/servers/lambda-function-role-policy.json

@@ -0,0 +1,11 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "GetSecretValue",
+            "Effect": "Allow",
+            "Action": ["secretsmanager:GetSecretValue"],
+            "Resource": "*"
+        }
+    ]
+}

pipeline/src/pipeline-stack.ts

@@ -143,6 +143,7 @@ export class McpServersPipelineStack extends cdk.Stack {
               // Create IAM role if it doesn't exist
               `aws iam create-role --role-name mcp-lambda-example-servers --assume-role-policy-document file://examples/servers/lambda-assume-role-policy.json || true`,
               `aws iam attach-role-policy --role-name mcp-lambda-example-servers --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole || true`,
+              `aws iam put-role-policy --role-name mcp-lambda-example-servers --policy-name secret-access --policy-document file://examples/servers/lambda-function-role-policy.json || true`,
               "cd examples/servers/auth",
               "npm install",
             ],