How do I share AWS Secrets Manager secrets between AWS accounts?

4 minute read
0

I want to share my AWS Secrets Manager secret with another AWS account.

Short description

In this example, the Security_Account user manages your credentials in account A, and the Dev_Account user is used by your developers in account B. An AWS Identity and Access Management (IAM) user or an application runs in the Amazon Elastic Compute Cloud (Amazon EC2) instance of your Dev_Account. This user or application retrieves secrets in the Security_Account user account.

Use a resource-based policy for a secret that allows you to attach a permissions policy to the secret. Use this policy to allow an IAM entity from your Dev_Account to access the secret in your Security_Account.

A secret named DevSecret in your Security_Account (account A) is encrypted with an AWS Key Management Service (AWS KMS) key DevSecretKMS. Then, the secret is shared with your Dev_Account (account B).

Note: You can't use the AWS KMS default key for the account. The AWS KMS default key is created, managed, and used on your behalf by an AWS service that runs on AWS Key Management Service. The AWS KMS default key is unique to your AWS account and AWS Region. Only the service that created the AWS managed key can use it. For more information, see AWS KMS keys.

Resolution

Configure Security_Account (account A)

Perform these steps in the Security_Account (account A) in the Region where your secret is.

1.    If you don't have a secret, then follow the instructions to create a secret. Specify the Amazon Resource Name (ARN) in the AWS KMS key ID parameter for the secret.

2.    If you have an existing secret that uses an alias, then follow the instructions to modify a secret. Specify the AWS KMS key ARN in the AWS KMS key ID parameter for the secret.

Note: You must use the full AWS KMS key ARN to access a secret from another AWS account.

3.    Grant permissions in the key policy of the AWS KMS key. Secrets Manager encrypts secrets by default. Identities that retrieve these secrets require access to decrypt them. Because DevSecret is encrypted with DevSecretKMS, you must change the key policy. To do this, add the following permissions

Note: Replace your-region with your AWS Region.

{  "Sid": "AllowUseOfTheKey",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::Dev_Account:user/SecretsUser"
  },
  "Action": [
    "kms:Decrypt"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:ViaService": "secretsmanager.your-region.amazonaws.com"
    },
    "StringLike": {
      "kms:EncryptionContext:SecretARN": "arn:aws:secretsmanager:your-region:Security_Account:secret:DevSecret-??????"
    }
  }
}

This policy grants SecretsUser in the Dev_Account (account B) the permission to use DevSecretKMS in the Security_Account (account A).

4.    Allow the IAM entity permission to access the secret. From the Security_Account, attach a resource-based policy that grants permission for the SecretsUser to retrieve DevSecret.

Note: Replace the Principal ARN with the ARN of your IAM user or role.

{  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::Dev_Account:user/SecretsUser"
      },
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "*"
    }
  ]

Configure the Dev_Account (account B)

Complete these steps in the Dev_Account (account B).

1.    Attach permissions to the IAM identity that you want to retrieve the secret. Use a policy similar to the following:

Note: Replace your-region with your AWS Region.

{  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGetSecretValue",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": [
        "arn:aws:secretsmanager:your-region:Security_Account:secret:DevSecret-??????"
      ]
    },
    {
      "Sid": "AllowKMSDecrypt",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:kms:your-region:Security_Account:key/DevSecretKMS_id"
      ]
    }
  ]
}

The SecretsUser must have permission to secretsmanager:GetSecretValue for the IAM user SecretsUser in Dev_Account to retrieve the secret. The AWS decrypt permissions are required for SecretsUser because DevSecret is encrypted with the DevSecretKey.

2.    Retrieve the secret as SecretsUser, similar to the following:

$ aws secretsmanager get-secret-value --secret-id arn:aws:secretsmanager:your-region:Security_Account:secret:DevSecret --version-stage AWSCURRENT --region your-region

Note: Replace your-region with the AWS Region that the secret is in.

Use these instructions for all IAM entities. For example, for an Amazon EC2 instance profile or a role, replace or add the ARN in the resource policy. Then, edit the permissions attached to the IAM entity.

Related information

How to access secrets across AWS accounts by attaching resource-based policies

How can I resolve issues accessing an encrypted AWS Secrets Manager secret?

Permissions to AWS Secrets Manager secrets for users in a different account

AWS OFFICIAL
AWS OFFICIALUpdated 8 months ago