IAM Role Permissions Issue with Secrets Manager - Need Assistance


Hello AWS Community,

I hope this message finds you well. I am currently encountering challenges with IAM role permissions related to AWS Secrets Manager. Despite implementing a policy to limit access to specific secrets, the IAM role is still experiencing broader access.

Details:

Policy Information:

I have attached a policy similar to the one below to the IAM role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "secretsmanager:ListSecrets",
      "Resource": [
        "arn:aws:secretsmanager:region:account-id:secret:secret-name-1"
      ]
    }
  ]
}

Error Message:

An error occurs when attempting to perform the ListSecrets operation:

An error occurred (AccessDeniedException) when calling the ListSecrets operation: User: arn:aws:sts::xxxxxx:assumed-role/ec2-xxxx-dev-s3-role/xxxxx is not authorized to perform: secretsmanager:ListSecrets

Atharv
asked 6 months ago, 243 views
1 answer

The problem comes from the "Resource". If you specify a specific Resource, it is because you want to perform a specific operation (or operations, indicated in the Action) on that resource. However, ListSecrets (like ListBuckets in S3) lists the available secrets and therefore applies to all the available secrets in the account (or in that specific region of the account). Therefore, you should not indicate a specific secret in the Resource part of the policy. Instead, you should specify that you want to access any secret in the Resource part of the policy. For instance:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "secretsmanager:ListSecrets",
      "Resource": "*"
    }
  ]
}

You can find more examples here: https://docs.aws.amazon.com/mediaconnect/latest/ug/iam-policy-examples-asm-secrets.html

AWS
answered 6 months ago
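The answer's point, as an added example that is not part of the thread: a small policy linter that flags Allow statements granting secretsmanager:ListSecrets on anything narrower than "*", and a fixer that moves ListSecrets into its own wildcard statement while every other action (here GetSecretValue) keeps its narrow secret ARN. The sample policy, account id and region are constructed placeholders; the action matching treats IAM's "*" wildcard via fnmatch, which is an approximation of IAM's own matcher.

```python
import fnmatch
import json

# Constructed sample: the questioner's pattern, with GetSecretValue added so the
# fix has something to keep scoped. Account id and region are placeholders.
BROKEN_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["secretsmanager:ListSecrets", "secretsmanager:GetSecretValue"],
      "Resource": ["arn:aws:secretsmanager:us-east-1:111122223333:secret:secret-name-1"]
    }
  ]
}
""")

LIST_ACTION = "secretsmanager:listsecrets"  # IAM action names are case-insensitive


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_misscoped_list_secrets(policy):
    """Indices of Allow statements that grant ListSecrets (explicitly or via a
    wildcard such as secretsmanager:List*) without Resource "*". Such a grant
    never matches, because ListSecrets is evaluated against no single secret."""
    hits = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        grants_list = any(fnmatch.fnmatchcase(LIST_ACTION, a.lower())
                          for a in _as_list(stmt.get("Action", [])))
        if grants_list and "*" not in _as_list(stmt.get("Resource", [])):
            hits.append(i)
    return hits


def split_list_secrets(policy):
    """Copy of the policy where explicit ListSecrets grants are moved into their
    own Resource "*" statement; all other actions keep their original Resource."""
    fixed = {"Version": policy["Version"], "Statement": []}
    moved = False
    for stmt in policy["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        rest = [a for a in actions if a.lower() != LIST_ACTION]
        if stmt.get("Effect") != "Allow" or len(rest) == len(actions):
            fixed["Statement"].append(stmt)   # Deny or unaffected: keep verbatim
            continue
        moved = True
        if rest:                              # keep the narrowly scoped remainder
            fixed["Statement"].append({**stmt, "Action": rest})
    if moved:
        fixed["Statement"].append({"Effect": "Allow",
                                   "Action": "secretsmanager:ListSecrets",
                                   "Resource": "*"})
    return fixed


if __name__ == "__main__":
    print("misscoped statements:", find_misscoped_list_secrets(BROKEN_POLICY))
    print(json.dumps(split_list_secrets(BROKEN_POLICY), indent=2))
```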
