How can I resolve issues accessing an encrypted AWS Secrets Manager secret?

4 minute read
0

I want to retrieve or access an AWS Secrets Manager secret, but I receive an error.

Resolution

If you can't retrieve or access a Secrets Manager secret, then you might see one of the following errors: 

  • "You can't access a secret from a different AWS account if you encrypt the secret with the default KMS service key."
  • "Access to KMS is not allowed"
  • "InternalFailure"
  • "An unknown error occurred"
  • "Access to KMS is not allowed. This version of secret is not encrypted with the current KMS key."

To troubleshoot any of these errors, complete the following steps.

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

Verify that the secret isn't encrypted with an AWS KMS managed key when accessing a secret in another account.

AWS managed key policies can't be edited because they're read-only. However, you can view AWS Key Management Service (AWS KMS) managed key and customer managed key policies. Because AWS KMS managed key policies can't be edited, cross-account permissions can't be granted for these key policies. Secrets Manager secrets that are encrypted using an AWS KMS managed key can't be accessed by other AWS accounts.

For cross accounts, verify that the identity-based policy and resource-based policy allows the principal to access the AWS KMS key.

The identity policy should allow the principal to access the AWS KMS key, similar to the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:Region:AccountID:key/EncryptionKey"
    }
  ]
}

The resource-based policy should allow the principal to access the AWS KMS key, similar to the following:

{
  "Effect": "Allow",
  "Principal": {
    "AWS": [
      "arn:aws:iam::AccountID:user/UserName",
      "arn:aws:iam::AccountID:role/RoleName"
    ]
  },
  "Action": [
    "kms:Decrypt",
    "kms:DescribeKey"
  ],
  "Resource": "*"
}

After the AWS KMS key is updated, verify that the secret is encrypted with the new AWS KMS key.

Updating the AWS KMS key associated with a Secrets Manager secret using the AWS CLI doesn't re-encrypt current or previous versions of the secret with the new KMS key. This means that external accounts, also called cross-accounts, can't access the secret because the secret hasn't been re-encrypted with the new AWS KMS key. You must re-encrypt the secret using the new AWS KMS key to retrieve the secret value from the cross-account.

Note: Using the Secrets Manager console to change the AWS KMS key associated with a secret by default creates a new version of the secret and encrypts it with the new AWS KMS key. For more information, see Secret encryption and decryption in AWS Secrets Manager.

Re-encrypt the secret with the new AWS KMS key.

Follow these steps to re-encrypt the secret with the new AWS KMS key using the AWS Management Console or the AWS CLI.

AWS Management Console

1.    Open the Secrets Manager console.

2.    In Secret name, choose your secret.

3.    Choose Actions, and then choose dropdown list, select the AWS KMS key, select the check box for Create new version of secret with new encryption key, and then choose Save.

AWS CLI

Follow these steps from the source account where the secret resides.

1.    Run the AWS CLI command get-secret-value similar to the following:

$ aws secretsmanager get-secret-value --secret-id arn:aws:secretsmanager:us-east-1:123456789012:secret:cross-account --query SecretString --output text

    {"CrossAccount":"DefaultEncryption"}

2.    Create a file named creds.txt.

$ cat creds.txt

    {"CrossAccount":"DefaultEncryption"}

3.    Run the AWS CLI update-secret command to re-encrypt the encryption key similar to the following:

.    Note: If you use a customer managed key, you must also have kms:GenerateDataKey and kms:Decrypt permissions on the key.

$ aws secretsmanager update-secret --secret-id arn:aws:secretsmanager:us-east-1:123456789012:secret:cross-account --secret-string file://creds.txt

    {
    "ARN": "arn:aws:secretsmanager:us-east-1:123456789012:cross-account",
    "Name": "cross-account",
    "VersionId": "f68246e8-1cfb-4c3b-952b-17c9298d3462"
    }

4.    Run the AWS CLI command get-secret-value from the cross-account similar to the following:

$ aws secretsmanager get-secret-value --secret-id arn:aws:secretsmanager:us-east-1:123456789012:secret:cross-account --version-stage AWSCURRENT --profile

    {"CrossAccount":"DefaultEncryption"}

Related information

How to use resource-based policies in the AWS Secrets Manager console to securely access secrets across AWS accounts

How do I share AWS Secrets Manager secrets between AWS accounts?

Permissions to AWS Secrets Manager secrets for users in a different account

AWS OFFICIAL
AWS OFFICIALUpdated a year ago