AWS Console error: "Failed to get the secret value" when pressing 'Retrieve Secret Value'

Question

I get error "Failed to get the secret value" when pressing 'Retrieve Secret Value'  
![Retrieve Secret Value](/media/postImages/original/IM-EypxvAdSaetLp0XXW80gg)

I am not an IAM user with a role, but logged in as an IAM-identity-center user.

My group has a permission-set containing the AWS-managed policy `SecretsManagerReadWrite`.

The resource policy of the secret is set to deny all requests not coming from a specified VPCE (e.g. `vpce-myvpce`) as follows:
```
{
  "Version" : "2012-10-17",
  "Id" : "pl-sm_ev_vpce_ecs_sr",
  "Statement" : [ {
    "Sid" : "RestrictGetSecretValueoperation",
    "Effect" : "Deny",
    "Principal" : "*",
    "Action" : "secretsmanager:GetSecretValue",
    "Resource" : "*",
    "Condition" : {
      "StringNotEquals" : {
        "aws:sourceVpce" : "vpce-myvpce"
      }
    }
  } ]
}
```

How should I modify this policy in order to allow myself access to my secrets via the AWS Console, i.e. view and edit the key/value pairs?

Riku_Kobayashi · Accepted Answer

Hello.

How about setting the IAM role used by IAM-identity-center in the same account as SecretsManager as an exception, as shown below?  
```
{
  "Version" : "2012-10-17",
  "Id" : "pl-sm_ev_vpce_ecs_sr",
  "Statement" : [ {
    "Sid" : "RestrictGetSecretValueoperation",
    "Effect" : "Deny",
    "Principal" : "*",
    "Action" : "secretsmanager:GetSecretValue",
    "Resource" : "*",
    "Condition" : {
      "StringNotEquals" : {
        "aws:sourceVpce" : "vpce-myvpce",
        "aws:PrincipalArn" : [ 
          "arn:aws:iam::your-account-id:role/aws-reserved/sso.amazonaws.com/your-iam-identity-center-region/AWSReservedSSO_Role"
        ]
      }
    }
  } ]
}
```

AWS Console error: "Failed to get the secret value" when pressing 'Retrieve Secret Value'

Añade tu respuesta

Contenido relevante