Ao usar o AWS re:Post, você concorda com os AWS re:Post Termos de uso
AWS re:Postre:Post

Access to KMS is not allowed when User Permission changes

0

Hi,

I created a new encryption key and gave user access to aws-elasticbeanstalk-ec2-role. Then, I created a Secret Manager and set the new encryption key as the one for the secret. Then I deployed the example code to elastic beanstalk and test it and all worked just fine.

Then I removed IAMFullAccess permission for my user and test it again but I got the following error message:
"An error occurred (AccessDeniedException) when calling the GetSecretValue operation: Access to KMS is not allowed "

Then a added the IAMFullAccess permission and it worked again. It is important to say that other users have PowerUserAccess and IAMFullAccess so they can see everything.

Please tell me why is this happening and what can I do to use secret without having IAMFullAccess permission in my user.

Tópicos
Segurança, identidade e conformidade
Tags
AWS Key Management Service
Idioma
English
bochagavia
feita há 6 anos7343 visualizações
4 Respostas
0

HI
You create your inline policy according to your need for the user or role and attach it if the required access is not present in the default aws roles / policies.

MuthukumarSiva
respondido há 6 anos
0

Hi,
Thank you for your answer.
It is important to notice that the error message: "An error occurred (AccessDeniedException) when calling the GetSecretValue operation: Access to KMS is not allowed" appears when trying to access to the secret from elastic beanstalk machine.
I gave aws-elasticbeanstalk-ec2-role IAMFullAccess permission and removed it from my user permissions and the same error appears.
What I want to achieve is the secret to be accessible from an elastic beanstalk machine but not from my user in the aws console.
any ideas?

bochagavia
respondido há 6 anos
0

An error occurred (AccessDeniedException) when calling the GetSecretValue operation: Access to KMS is not allowed

The same error i'm getting when calling secretsmanager form python sdk, while in CLI working fine.

MilanTyagi
respondido há 5 anos
0

Hello,
It appears that you have chosen to encrypt secrets with a AWS KMS customer master key (CMK). In such scenarios, you must provide permissions to decrypt using the CMK. This is in addition to the Secrets Manager permissions required to retrieve the secret. See KMS documentation on authorizing use of CMK with Secrets Manager for details: https://docs.aws.amazon.com/kms/latest/developerguide/services-secrets-manager.html
--Apurv

AWS-User-7689511
respondido há 5 anos

Você não está conectado. Fazer login para postar uma resposta.

Uma boa resposta responde claramente à pergunta, dá feedback construtivo e incentiva o crescimento profissional de quem perguntou.

Diretrizes para responder a perguntas

Conteúdo relevante