Secret Manager : Access Denied / no identity-based policy


We are implementing Secret Manager in our application. Created the below policy and role on the AWS side:

Policy: AWS-SecretManager-ReadOnly-Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetResourcePolicy",
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret",
        "secretsmanager:ListSecretVersionIds",
        "secretsmanager:GetRandomPassword",
        "secretsmanager:ListSecrets"
      ],
      "Resource": "arn:aws:secretsmanager:us-east-1:<ServiceAccount>:secret:*"
    }
  ]
}

Role: AWS-SecretManagerRole-lmw-access-secret, with the policy (AWS-SecretManager-ReadOnly-Policy) attached.

Log details: but while accessing it from the application, we get the error below:

Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [void]: Factory method 'main1' threw exception; nested exception is com.amazonaws.services.secretsmanager.model.AWSSecretsManagerException:
User: arn:aws:sts::<ServiceAccount>:assumed-role/custrole-NodeInstanceRole/i-06f00c2bb81db96ed is not authorized to perform:
secretsmanager:GetSecretValue on resource: lmw/auth-secret because no identity-based policy allows the secretsmanager:GetSecretValue action
(Service: AWSSecretsManager; Status Code: 400; Error Code: AccessDeniedException; Request ID: d4ebee58-201a-462b-bff8-f815bb0fb6bb)

2 Answers

I see the assumed role is "User: arn:aws:sts::<ServiceAccount>:assumed-role/custrole-NodeInstanceRole/i-06f00c2bb81db96ed", which doesn't have access to secrets. The assumed role should be the one that you created, which is Role: AWS-SecretManagerRole-lmw-access-secret with the policy (AWS-SecretManager-ReadOnly-Policy) attached. Is the secret being accessed from another account? This document may help to troubleshoot: https://aws.amazon.com/premiumsupport/knowledge-center/secrets-manager-cross-account-key/

AWS
Rishi
answered a year ago

Hello There,

I have gone through the case notes and understand that you are getting an error named "secretsmanager:GetSecretValue on resource: lmw/auth-secret because no identity-based policy allows the secretsmanager:GetSecretValue action".

From my analysis, this access denied error occurs if you have not set up the required identity-based policy correctly. From your case notes, the example shows that this is a cross-account setup where Secrets Manager (with the secret) is in one account (Account A) and the user/app is assuming a specific role in another account (Account B) to get these secrets. [1]

Your current setup:
1) In your case you have Secrets Manager in Account-A.
2) Your user/app is assuming an IAM role in Account-B.

So the possible steps to resolve this issue are that the secret in Account-A needs a "Secret Key Resource Policy" that permits access from Role-B. Also, the role in Account-B must be given permission to access the secret in Account-A. [1]

A sample role in your Account-B:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetResourcePolicy",
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetRandomPassword"
      ],
      "Resource": "arn:${Partition}:secretsmanager:${Region}:${Account}:secret:${SecretId}"
    },
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:ListSecrets",
        "secretsmanager:ListSecretVersionIds"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:Region:Account1:key/<your-encryption key-in-account-A>"
    }
  ]
}

Add a sample statement in the encryption key's policy for Account A (this allows Account B's role to perform encrypt and decrypt operations using the KMS key in Account A):

{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::Account-B:role/<Your-Role>"
  },
  "Action": [
    "kms:Decrypt",
    "kms:DescribeKey"
  ],
  "Resource": "*"
}

A sample resource-based policy for Secrets Manager (Account-A) (in the Principal section, add the ARN of the role from Account-B):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::Account-B:role/<your-role-for-account-b>"
      },
      "Action": [
        "secretsmanager:ListSecrets",
        "secretsmanager:ListSecretVersionIds"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::Account-B:role/<your-role-for-account-b>"
      },
      "Action": [
        "secretsmanager:GetResourcePolicy",
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue"
      ],
      "Resource": "arn:${Partition}:secretsmanager:${Region}:${Account}:secret:${SecretId}"
    }
  ]
}

Note: add the complete ARN of the respective secret present in Account-A, including the dash and the six random alphanumeric characters, then try accessing the secret using the 'get-secret-value' [3] command and confirm if you are able to retrieve the secret successfully. You can find the ARN for a secret in the Secrets Manager console on the secret details page or by calling DescribeSecret. [4]

You can refer to this documentation for cross-account access for Secrets Manager:
[1] https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples_cross.html
[2] https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html
[3] get-secret-value - https://awscli.amazonaws.com/v2/documentation/api/latest/reference/secretsmanager/get-secret-value.html#examples
[4] DescribeSecret - https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DescribeSecret.html

I would like to add that if you are still unable to resolve the access denied errors: to better answer your query, we require details that are non-public information. Please open a support case with AWS using the following link: https://console.aws.amazon.com/support/home#/case/create

AWS
Hemant
answered a year ago
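Added example (not from either answer and not AWS code): a small Python model of the two checks the answers describe. parse_denial pulls the caller ARN out of the AccessDeniedException text so you can see which role actually made the call (answer 1: here it is custrole-NodeInstanceRole, not the role the policy was attached to), and secret_access_allowed applies the rule from answer 2: same-account access needs only the caller's identity policy, while cross-account access needs the identity policy, the secret's resource policy and the KMS key policy to all allow the role. Account ids, the secret's -AbCdEf suffix and the key ARN are constructed placeholders.

```python
import fnmatch
import re
# Constructed values for this example; the page redacts the real account ids.
ACCOUNT_A = "111111111111"  # assumed: the account that holds the secret
SECRET_ARN = f"arn:aws:secretsmanager:us-east-1:{ACCOUNT_A}:secret:lmw/auth-secret-AbCdEf"
ACTION = "secretsmanager:GetSecretValue"
DENIAL_RE = re.compile(r"User: (\S+) is not authorized to perform:\s*(\S+) on resource: (\S+)")

def role_arn_of(caller_arn):
    """arn:aws:sts::ACCT:assumed-role/Name/session -> arn:aws:iam::ACCT:role/Name."""
    p = caller_arn.split(":")
    if p[2] == "sts" and p[5].startswith("assumed-role/"):
        return f"arn:aws:iam::{p[4]}:role/{p[5].split('/')[1]}"
    return caller_arn

def parse_denial(message):
    """Pull caller, action, resource and the assumed role name out of the error text."""
    m = DENIAL_RE.search(message)
    if not m:
        raise ValueError("not an AccessDeniedException message")
    caller, action, resource = m.groups()
    return {"caller": caller, "action": action, "resource": resource,
            "role": role_arn_of(caller).rsplit("/", 1)[-1]}

def _as_list(v):
    return [v] if isinstance(v, str) else list(v or [])

def statement_allows(stmt, action, resource, principal=None):
    """One Allow statement covers action and resource (and principal, for resource/key policies)."""
    if stmt.get("Effect") != "Allow":
        return False
    if principal is not None and principal not in _as_list(stmt.get("Principal", {}).get("AWS")):
        return False
    if not any(fnmatch.fnmatchcase(action, a.strip()) for a in _as_list(stmt.get("Action"))):
        return False
    return any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource")))

def policy_allows(policy, action, resource, principal=None):
    return any(statement_allows(s, action, resource, principal) for s in policy["Statement"])

def secret_access_allowed(caller_arn, identity_policy, secret_policy, key_policy, key_arn):
    """Same account: the caller's identity policy alone must allow the action. Cross-account:
    identity policy, the secret's resource policy and the KMS key policy must all allow it."""
    role = role_arn_of(caller_arn)
    if not policy_allows(identity_policy, ACTION, SECRET_ARN):
        return False
    if role.split(":")[4] == SECRET_ARN.split(":")[4]:
        return True
    return (policy_allows(secret_policy, ACTION, SECRET_ARN, principal=role)
            and policy_allows(identity_policy, "kms:Decrypt", key_arn)
            and policy_allows(key_policy, "kms:Decrypt", key_arn, principal=role))
```

The last assertion style check in the test shows the point of the note in answer 2: a resource policy written with the secret name but without the six-character suffix never matches the real secret ARN.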
