IAM Policy for aws secrets manager not working

Question

We would like to restrict the via tags or any other way for our developers to access only limited secrets via aws secrets manager. 
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": [
            "secretsmanager:GetResourcePolicy",
            "secretsmanager:GetSecretValue",
            "secretsmanager:DescribeSecret",
            "secretsmanager:ListSecretVersionIds"
        ],
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "secretsmanager:ResourceTag/ServerName": "ServerABC"
            }
        }
    }
}
The error is below:
Failed to fetch a list of secrets.

Answer

Hi,

Have a look at "Controlling access based on tag keys" on https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html

The proper syntax is to use aws:TagKeys :https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys

Your used `"secretsmanager:ResourceTag/ServerName" `

See their example:

```
{
        "Effect": "Allow",
        "Action": [
            "secretsmanager:CreateSecret",
            "secretsmanager:TagResource"
        ],
        "Resource": "*",
        "Condition": {
            "Null": {
                "aws:TagKeys": "false"
            },
            "ForAllValues:StringEquals": {
                "aws:TagKeys": [
                    "environment",
                    "cost-center"
                ]
            }
        }
}
```

Best,
Didier

IAM Policy for aws secrets manager not working

Relevanter Inhalt