Issue with cross-account access with Secrets Manager

0

Hi, I have a secret in account 111111111111 and I'm trying to access it from account 222222222222.

To do this I followed this tutorial https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples_cross.html

I have this policy attached to a role called my-super-role

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [ "secretsmanager:GetSecretValue" ],
            "Resource": [ "arn:aws:secretsmanager:sa-east-1:111111111:secret:mysecret" ]
        },
        {
            "Effect": "Allow",
            "Action": [ "kms:Decrypt" ],
            "Resource": [ "arn:aws:kms:sa-east-1:111111111:key/random-uuid" ]
        }
    ]
}

and this resource policy on the secret mysecret

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect" : "Allow",
            "Principal" : {
                "AWS" : "arn:aws:iam::222222222:role/my-super-role"
            },
            "Action" : "secretsmanager:GetSecretValue",
            "Resource" : "*"
        }
    ]
}

and I get the error

User: arn:aws:sts::222222222:assumed-role/my-super-role/i-xxxxxxxxxx is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:sa-east-1:111111111:secret:mysecret because no resource-based policy allows the secretsmanager:GetSecretValue action

I've also tried specifying the secret's own ARN as the Resource in its resource policy, and that didn't change anything.

3 answers
0

Hi Gary, thanks for the quick answer.

I have this policy on my KMS key

{
    "Version": "2012-10-17",
    "Id": "some-id",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::222222222:role/my-super-role"
            },
            "Action": [
                "kms:Decrypt",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        }
    ]
}

along with many other statements that come by default when you create a new key. Could that be the problem?

Alexis
answered 10 months ago
  • I think I see the issue now. Silly me. You are assuming a role.

  • Created new answer.

0

Try updating the resource policies in account 111111111 to use this principal: arn:aws:sts::222222222:assumed-role/my-super-role/i-xxxxxxxxxxx

on the KMS and secret policies,

instead of the IAM principal.

EXPERT
answered 10 months ago
  • But wouldn't that be a problem if another instance assumes the role? Unless I use arn:aws:sts::222222222:assumed-role/my-super-role/i-*

0

I don’t see a resource policy for the KMS key in account 1111111111 to allow the role from account 2222222222 to decrypt. Step 2 from your link.

Could this be the reason?

EXPERT
answered 10 months ago
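The setup the thread circles around has three independent gates, all of which are in the linked guide: the identity policy on the role in the consuming account (222222222222), the resource policy on the secret in the owning account (111111111111), and the key policy on the customer managed KMS key in the owning account. The error quoted in the question names the gate that failed: "no resource-based policy allows" means IAM found a matching Allow in neither the secret's resource policy nor (for a cross-account caller) an equivalent one. The following is an added example, not code from the thread or from AWS, that checks three policy documents offline against that model. It assumes placeholder account IDs, a placeholder key id, a placeholder session name, and a six-character secret suffix "-AbCdEf" (real Secrets Manager ARNs end in such a suffix, which the identity policy's Resource has to match). It also encodes two IAM facts worth knowing here: a role ARN principal in a resource-based policy covers every session assumed from that role, so the per-instance session ARN suggested above is not needed, and a partial wildcard in a principal such as i-* is not accepted by IAM at all.

```python
# Added example (not from the thread or AWS): offline pre-flight check of the three
# policies cross-account Secrets Manager access needs: identity policy on the role in
# the consuming account, resource policy on the secret, and key policy on the customer
# managed KMS key in the owning account. Models two IAM rules: a cross-account call
# needs an Allow in BOTH identity and resource policy, and a role ARN principal covers
# every session of that role. Deny, NotAction/NotResource and Condition are not modeled.
# Account IDs, key id, session name and the secret suffix "-AbCdEf" are assumed.
import re

OWNER, CONSUMER = "111111111111", "222222222222"
SECRET_NAME_ARN = f"arn:aws:secretsmanager:sa-east-1:{OWNER}:secret:mysecret"
SECRET_ARN = SECRET_NAME_ARN + "-AbCdEf"   # real secret ARNs end in a random suffix
KEY_ARN = f"arn:aws:kms:sa-east-1:{OWNER}:key/11111111-2222-3333-4444-555555555555"
ROLE_ARN = f"arn:aws:iam::{CONSUMER}:role/my-super-role"
SESSION_ARN = f"arn:aws:sts::{CONSUMER}:assumed-role/my-super-role/i-0123456789abcdef0"

# Principal shapes a resource-based policy accepts: account (id or root), role, or one
# role session. Partial wildcards such as "i-*" are rejected by IAM.
_PRINCIPAL_RE = re.compile(
    r"^\d{12}$|^arn:aws:iam::\d{12}:(root|role/[\w+=,.@/-]+)$"
    r"|^arn:aws:sts::\d{12}:assumed-role/[\w+=,.@-]+/[\w+=,.@-]+$")
_SESSION_RE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/[^/]+$")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _glob(pattern, value, ignore_case=False):
    """IAM-style matching: only '*' and '?' are wildcards."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def principal_matches(principal, session_arn, findings):
    """True if a statement's Principal covers the given assumed-role session."""
    if principal == "*":
        return True
    acct, role = _SESSION_RE.match(session_arn).groups()
    for p in _as_list(principal.get("AWS", [])):
        if p == "*":
            return True
        if not _PRINCIPAL_RE.match(p):
            findings.append(f"principal IAM would reject as malformed: {p}")
            continue
        # account delegation, the role itself (any session), or this exact session
        if p in (acct, f"arn:aws:iam::{acct}:root", f"arn:aws:iam::{acct}:role/{role}", session_arn):
            return True
    return False

def policy_allows(policy, action, resource, session_arn=None, findings=None):
    """Some Allow statement covers action and resource (and the caller, if a session is given)?"""
    findings = [] if findings is None else findings
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_glob(a, action, True) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_glob(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if session_arn and not principal_matches(stmt.get("Principal", {}), session_arn, findings):
            continue
        return True
    return False

def check_cross_account_access(identity_policy, secret_policy, key_policy,
                               session_arn, secret_arn, key_arn):
    """Return findings; an empty list means all three gates allow GetSecretValue."""
    findings = []
    if not policy_allows(identity_policy, "secretsmanager:GetSecretValue", secret_arn):
        findings.append(f"identity policy: no Allow for secretsmanager:GetSecretValue on {secret_arn}")
    if not policy_allows(identity_policy, "kms:Decrypt", key_arn):
        findings.append(f"identity policy: no Allow for kms:Decrypt on {key_arn}")
    if not policy_allows(secret_policy, "secretsmanager:GetSecretValue", secret_arn, session_arn, findings):
        findings.append(f"secret resource policy: nothing allows {session_arn}")
    if not policy_allows(key_policy, "kms:Decrypt", key_arn, session_arn, findings):
        findings.append(f"KMS key policy: nothing allows kms:Decrypt for {session_arn}")
    return findings

def identity_policy(secret_resource):
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["secretsmanager:GetSecretValue"], "Resource": [secret_resource]},
        {"Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": [KEY_ARN]}]}

def resource_policy(principal, action):
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": principal}, "Action": action, "Resource": "*"}]}

def findings_for(secret_resource, secret_principal, key_principal):
    """Constructed scenario: one consuming role, varying the parts that usually go wrong."""
    return check_cross_account_access(
        identity_policy(secret_resource),
        resource_policy(secret_principal, "secretsmanager:GetSecretValue"),
        resource_policy(key_principal, ["kms:Decrypt", "kms:DescribeKey"]),
        SESSION_ARN, SECRET_ARN, KEY_ARN)

if __name__ == "__main__":
    print(findings_for(SECRET_NAME_ARN, ROLE_ARN, ROLE_ARN))  # suffix missing in identity policy
    print(findings_for(SECRET_NAME_ARN + "-??????", ROLE_ARN, SESSION_ARN.rsplit("/", 1)[0] + "/i-*"))
    print(findings_for(SECRET_NAME_ARN + "-??????", ROLE_ARN, ROLE_ARN))  # all gates pass: []
```

To run it against a real setup, pull the three documents with `aws secretsmanager get-resource-policy --secret-id ...` and `aws kms get-key-policy --key-id ... --policy-name default` in the owning account and `aws iam get-role-policy` (or `get-policy-version`) in the consuming account, parse the JSON, and pass them to `check_cross_account_access` together with the session ARN from `aws sts get-caller-identity` on the instance. Each finding names the gate that would reject the call, which is the same information the IAM error message gives, but for all three gates at once instead of the first one that fails. The check assumes a customer managed key: the AWS managed key aws/secretsmanager cannot be granted cross-account, which is why the guide has a key policy step at all.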
