I want to troubleshoot an "Access Denied Exception" error code that I receive when I run the get-secret-value command on an AWS Glue resource.
Short description
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
Your AWS Identity and Access Management (IAM) role for AWS Glue must have the required secretsmanager:GetSecretValue permission to retrieve credentials. If you run the get-secret-value command when you don't have the necessary permissions, then AWS Secrets Manager displays the following error message:
"com.amazonaws.services.secretsmanager.model.AWSSecretsManagerException: User: arn:aws:sts::111122223333:assumed-role/glue-role/GlueJobRunnerSession is not authorized to perform: secretsmanager:GetSecretValue on resource: because no identity-based policy allows the secretsmanager:GetSecretValue action (Service: AWSSecretsManager; Status Code: 400; Error Code: AccessDeniedException"
Resolution
Add the following policy, which grants the secretsmanager:GetSecretValue permission on a single secret, to your IAM role:
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:examplesecretkeyname"
        }
    ]
}
```
Note: Replace the example Resource ARN with the ARN of the secret that your AWS Glue job retrieves.
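The following added example (not part of this article or of any AWS SDK) models, in plain Python with no AWS calls, how IAM evaluates the policy above against the get-secret-value request: a request with no matching Allow statement is implicitly denied and produces the "no identity-based policy allows" message, the same request succeeds once the statement is attached, and the Resource element confines the grant to one secret. It also includes a least-privilege check that flags statements granting GetSecretValue on every secret. The ARN and principal are the constructed values from the error message and policy above; the evaluation is deliberately simplified (no Condition, NotAction, NotResource, or resource-based policies).

```python
import fnmatch
import json

# Constructed sample values, taken from the article's error message and policy.
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:111122223333:secret:examplesecretkeyname"
GLUE_PRINCIPAL = "arn:aws:sts::111122223333:assumed-role/glue-role/GlueJobRunnerSession"


def build_get_secret_policy(secret_arn: str) -> dict:
    """Return the article's inline policy, scoped to a single secret ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": "secretsmanager:GetSecretValue",
                "Resource": secret_arn,
            }
        ],
    }


def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _statement_matches(statement: dict, action: str, resource: str) -> bool:
    # IAM wildcards: '*' (any run) and '?' (one character). Action names are
    # case-insensitive, resource ARNs are case-sensitive; fnmatchcase handles both.
    action_hit = any(
        fnmatch.fnmatchcase(action.lower(), pattern.lower())
        for pattern in _as_list(statement.get("Action", []))
    )
    resource_hit = any(
        fnmatch.fnmatchcase(resource, pattern)
        for pattern in _as_list(statement.get("Resource", []))
    )
    return action_hit and resource_hit


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified identity-based evaluation: an explicit Deny wins, otherwise
    any matching Allow grants, otherwise the request is implicitly denied.
    Condition, NotAction/NotResource and resource policies are not modelled."""
    allowed = False
    for statement in policy.get("Statement", []):
        if not _statement_matches(statement, action, resource):
            continue
        if statement.get("Effect") == "Deny":
            return False
        if statement.get("Effect") == "Allow":
            allowed = True
    return allowed


def explain(policy: dict, action: str, resource: str, principal: str) -> str:
    """Render the outcome in the same shape as the AccessDeniedException text."""
    if is_allowed(policy, action, resource):
        return f"allowed: {principal} may call {action} on {resource}"
    return (
        f"User: {principal} is not authorized to perform: {action} on resource: "
        f"{resource} because no identity-based policy allows the {action} action"
    )


def unscoped_secret_grants(policy: dict) -> list:
    """Least-privilege check: Sids of Allow statements that grant GetSecretValue
    on every secret (Resource '*') rather than on a specific secret ARN."""
    findings = []
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        grants_get = any(
            fnmatch.fnmatchcase("secretsmanager:getsecretvalue", pattern.lower())
            for pattern in _as_list(statement.get("Action", []))
        )
        if grants_get and "*" in _as_list(statement.get("Resource", [])):
            findings.append(statement.get("Sid", "<no Sid>"))
    return findings


if __name__ == "__main__":
    policy = build_get_secret_policy(SECRET_ARN)
    print(json.dumps(policy, indent=2))
    # Before the statement is attached the role has no matching Allow: implicit deny.
    empty = {"Version": "2012-10-17", "Statement": []}
    print(explain(empty, "secretsmanager:GetSecretValue", SECRET_ARN, GLUE_PRINCIPAL))
    # After attaching it the same call is allowed, but only for that one secret.
    print(explain(policy, "secretsmanager:GetSecretValue", SECRET_ARN, GLUE_PRINCIPAL))
    other = SECRET_ARN.replace("examplesecretkeyname", "othersecret")
    print(explain(policy, "secretsmanager:GetSecretValue", other, GLUE_PRINCIPAL))
```

Two practical notes. Secrets Manager appends a six-character random suffix to every secret ARN (`...:secret:name-AbCdEf`), so a Resource of `...:secret:name` alone will not match the real ARN; either paste the full ARN from the console or use `...:secret:name-??????`, which `is_allowed` also handles. To attach the document as an inline policy from the CLI, write it to a file and run `aws iam put-role-policy --role-name glue-role --policy-name AllowGetSecretValue --policy-document file://policy.json` (the role name is the one from the error message; the policy name is an assumed example).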