Issue with cross account access with Secrets Manager


Hi, I have a secret in account 111111111111 and I'm trying to access it from account 222222222222.

To do this I followed this tutorial https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples_cross.html

I have this policy attached to a role called my-super-role

{ 
    "Version": "2012-10-17", 
    "Statement": [ 
        { 
            "Effect": "Allow", 
            "Action": [ "secretsmanager:GetSecretValue" ], 
            "Resource": [ "arn:aws:secretsmanager:sa-east-1:111111111:secret:mysecret" ] 
        }, 
        { 
            "Effect": "Allow", 
            "Action": [ "kms:Decrypt" ], 
            "Resource": [ "arn:aws:kms:sa-east-1:111111111:key/random-uuid" ] 
        } 
    ] 
} 

and this resource policy on the secret mysecret:

{ 
    "Version": "2012-10-17",
    "Statement": [ 
        { 
            "Effect" : "Allow", 
            "Principal" : { 
                "AWS" : "arn:aws:iam::222222222:role/my-super-role" 
            }, 
            "Action" : "secretsmanager:GetSecretValue", 
            "Resource" : "*" 
        } 
    ] 
} 

and I get this error:

User: arn:aws:sts::222222222:assumed-role/my-super-role/i-xxxxxxxxxx is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:sa-east-1:111111111:secret:mysecret because no resource-based policy allows the secretsmanager:GetSecretValue action

I've also tried specifying the secret's own ARN in its resource policy, and that didn't change anything.

3 Answers

Hi Gary, thanks for the quick answer.

I have this policy on my KMS key:

{
    "Version": "2012-10-17",
    "Id": "some-id",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::222222222:role/my-super-role"
            },
            "Action": [
                "kms:Decrypt",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        }
    ]
}

along with many other statements that come by default when you create a new key. Could that be the problem?

Alexis
answered 10 months ago
  • I think I see the issue now. Silly me. You're assuming a role.

  • Created new answer.


Try updating the resource policies in account 111111111 to use this principal:

arn:aws:sts::222222222:assumed-role/my-super-role/i-xxxxxxxxxxx

on both the KMS key policy and the secret policy, instead of the IAM principal.

EXPERT
answered 10 months ago
  • But wouldn't it be a problem if another instance assumes the role? Unless I use arn:aws:sts::222222222:assumed-role/my-super-role/i-*


I don't see a resource policy for the KMS key in account 1111111111 that allows the role from account 2222222222 to decrypt. Step 2 from your link.

Could this be the reason?

EXPERT
answered 10 months ago
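The tutorial linked in the question needs three documents that agree with each other: the resource policy on the secret and the key policy on the KMS key (both in the owning account), and the identity policy on the role in the calling account. For a cross-account request the caller's identity policy and the resource policy in the owning account both have to allow the action, for the secret and again for the key. The script below is an added example, not code from this thread or from AWS: it models that evaluation offline against constructed policies, with the account numbers, the secret's random suffix, the key ID and the instance IDs all made up, and the function names (session_arn, identity_policy, resource_policy, policy_allows, cross_account_get_secret) chosen here. Two details it encodes are worth checking in a setup like this: Secrets Manager appends a hyphen and six random characters to the secret name in its ARN, so the identity policy must carry that suffix or a wildcard such as mysecret-??????; and a role ARN in a Principal element covers every session assumed from that role, whereas an assumed-role session ARN (arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION) covers only that one session, since Principal accepts no wildcard other than a bare "*".

```python
"""Offline model of the policy evaluation behind a cross-account GetSecretValue.

Added example for this thread; not code from the original poster or from AWS.
Account numbers, the secret's random suffix, the key ID and the session names
are constructed so the script runs without any AWS credentials.
"""
import fnmatch

ACCOUNT_SECRET = "111111111111"   # owns the secret and the KMS key
ACCOUNT_CALLER = "222222222222"   # owns my-super-role
REGION = "sa-east-1"
# Secrets Manager appends "-" plus six random characters to the secret name in
# its ARN, so an identity policy has to name the suffix or use a wildcard.
SECRET_ARN = f"arn:aws:secretsmanager:{REGION}:{ACCOUNT_SECRET}:secret:mysecret-AbCdEf"
KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT_SECRET}:key/0f1e2d3c-0000-4000-8000-000000000001"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_CALLER}:role/my-super-role"


def session_arn(role_name, session_name, account=ACCOUNT_CALLER):
    """ARN that STS reports for one session of the role (the form in the error message)."""
    return f"arn:aws:sts::{account}:assumed-role/{role_name}/{session_name}"


def identity_policy(secret_resource=SECRET_ARN):
    """Identity policy attached to my-super-role in the calling account (step 3)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": secret_resource},
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KEY_ARN},
    ]}


def resource_policy(principal_arn, actions):
    """Resource policy on the secret (step 1) or on the KMS key (step 2).
    A real key policy also keeps the key owner's administration statement."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": principal_arn},
         "Action": actions, "Resource": "*"},
    ]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _parse_session(caller):
    """'arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION' -> (account, role, session)."""
    parts = caller.split(":")
    _, role, session = parts[5].split("/", 2)
    return parts[4], role, session


def principal_matches(principal, caller):
    """A role ARN as Principal covers every session assumed from that role; an
    assumed-role session ARN covers only that one session. Principal takes no
    wildcards other than a bare '*'."""
    if principal == "*":
        return True
    account, role, _ = _parse_session(caller)
    for entry in _as_list(principal.get("AWS", [])):
        if entry == "*" or entry == caller:
            return True
        if entry.startswith("arn:aws:iam::") and ":role/" in entry:
            parts = entry.split(":")
            if parts[4] == account and parts[5].rsplit("/", 1)[1] == role:
                return True
    return False


def policy_allows(policy, action, resource, caller=None):
    """Explicit Deny wins; otherwise any matching Allow statement grants access."""
    allowed = False
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st.get("Resource", "*"))):
            continue
        if caller is not None and not principal_matches(st.get("Principal", {}), caller):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def cross_account_get_secret(identity, secret_policy, key_policy, caller):
    """Cross-account access needs an Allow on BOTH sides, for the secret and for
    the key: the caller's identity policy and the resource policy in the owning
    account. Returns (decision, per-check results) so the failing side is visible."""
    checks = {
        "identity/secretsmanager:GetSecretValue":
            policy_allows(identity, "secretsmanager:GetSecretValue", SECRET_ARN),
        "secret-policy/secretsmanager:GetSecretValue":
            policy_allows(secret_policy, "secretsmanager:GetSecretValue", SECRET_ARN, caller),
        "identity/kms:Decrypt": policy_allows(identity, "kms:Decrypt", KEY_ARN),
        "key-policy/kms:Decrypt": policy_allows(key_policy, "kms:Decrypt", KEY_ARN, caller),
    }
    return all(checks.values()), checks


if __name__ == "__main__":
    instance_a = session_arn("my-super-role", "i-0aaaaaaaaaaaaaaaa")   # constructed IDs
    instance_b = session_arn("my-super-role", "i-0bbbbbbbbbbbbbbbb")
    secret_pol = resource_policy(ROLE_ARN, "secretsmanager:GetSecretValue")
    key_pol = resource_policy(ROLE_ARN, ["kms:Decrypt", "kms:DescribeKey"])
    # Role ARN as principal: every instance that assumes the role gets access.
    for caller in (instance_a, instance_b):
        print(caller, cross_account_get_secret(identity_policy(), secret_pol, key_pol, caller))
    # Identity policy without the random suffix never matches the real secret ARN.
    print(cross_account_get_secret(identity_policy(SECRET_ARN.rsplit("-", 1)[0]),
                                   secret_pol, key_pol, instance_a))
    # Session ARN as principal: only that one instance is allowed.
    pinned = resource_policy(instance_a, "secretsmanager:GetSecretValue")
    print(cross_account_get_secret(identity_policy(), pinned, key_pol, instance_b))
```

Run it directly to print a decision for each caller. The per-check dictionary names which side blocked the request, which is the distinction the error message in the question draws when it says that no resource-based policy allows the action: an identity-policy mismatch (such as the missing suffix) and a resource-policy mismatch (such as a principal that does not cover the calling session) fail on different keys.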
