Issue with cross account access with Secrets Manager

0

Hi, I have a secret in account 111111111111 and I'm trying to access it from account 222222222222.

To do this I followed this tutorial https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples_cross.html

I have this policy attached to a role called my-super-role

{ 
    "Version": "2012-10-17", 
    "Statement": [ 
        { 
            "Effect": "Allow", 
            "Action": [ "secretsmanager:GetSecretValue" ], 
            "Resource": [ "arn:aws:secretsmanager:sa-east-1:111111111:secret:mysecret" ] 
        }, 
        { 
            "Effect": "Allow", 
            "Action": [ "kms:Decrypt" ], 
            "Resource": [ "arn:aws:kms:sa-east-1:111111111:key/random-uuid" ] 
        } 
    ] 
} 

and this resource policy in the secret mysecret

{ 
    "Version": "2012-10-17",
    "Statement": [ 
        { 
            "Effect" : "Allow", 
            "Principal" : { 
                "AWS" : "arn:aws:iam::222222222:role/my-super-role" 
            }, 
            "Action" : "secretsmanager:GetSecretValue", 
            "Resource" : "*" 
        } 
    ] 
} 

and I get the error

User: arn:aws:sts::222222222:assumed-role/my-super-role/i-xxxxxxxxxx is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:sa-east-1:111111111:secret:mysecret because no resource-based policy allows the secretsmanager:GetSecretValue action

I've also specified the ARN of the secret in the resource policy of itself and that didn't change anything

3 Answers
0

Hi Gary, thanks for the quick answer.

I have this policy in my KMS key

{
    "Version": "2012-10-17",
    "Id": "some-id",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::222222222:role/my-super-role"
            },
            "Action": [
                "kms:Decrypt",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        }
    ]
}

along with many other statements that come by default when you create a new key. Could that be the problem?

Alexis
answered 9 months ago
  • I think I see the issue now. Silly me. You're assuming a role.

  • Created new answer.

0

Try updating the resource policies in account 111111111 to use this principal: arn:aws:sts::222222222:assumed-role/my-super-role/I-xxxxxxxxxxx

On KMS and Secret policy

Instead of the iam principal

answered 9 months ago
  • But wouldn't it be a problem if another instance assumes the role? Unless I use arn:aws:sts::222222222:assumed-role/my-super-role/i-*

0

I don’t see a resource policy for the KMS key in account 1111111111 to allow the role from account 2222222222 to decrypt. Step 2 from your link.

Could this be the reason?

answered 9 months ago
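As an added illustration (not part of this thread or of any AWS tooling), the check below evaluates whether the caller named in the error message is matched by a resource-based policy such as the secret policy or the KMS key policy above. It maps the STS assumed-role session ARN back to the IAM role, so a policy that names the role (as the question does) or the session (as the expert suggests) both match, and it flags malformed principal ARNs such as a doubled "arn:aws:iam::" prefix or an account ID that is not 12 digits. Account IDs, the instance ID and the policies are constructed sample values.

```python
import fnmatch
import re

# Account IDs are always 12 digits; the 9- and 10-digit IDs in the thread look
# redacted and would be rejected by AWS as written.
IAM_ROLE_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/(.+)$")
STS_SESSION_RE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/[^/]+$")

def canonical_role(arn):
    """(account, role name) for an IAM role or STS assumed-role ARN, else None.
    The session ARN in the error message maps back to the IAM role it came from,
    which is the form a resource policy normally names as Principal."""
    m = STS_SESSION_RE.match(arn)
    if m:
        return m.group(1), m.group(2)
    m = IAM_ROLE_RE.match(arn)
    if m:
        return m.group(1), m.group(2).rsplit("/", 1)[-1]  # drop any role path
    return None

def policy_allows(policy, caller_arn, action):
    """(allowed, reasons) for one resource-based policy. Only Allow statements
    with AWS principals are evaluated; Deny and Condition are out of scope."""
    caller = canonical_role(caller_arn)
    if caller is None:
        return False, [f"caller ARN is malformed: {caller_arn}"]
    reasons = []
    for n, stmt in enumerate(policy.get("Statement", []), 1):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        principals = stmt.get("Principal", {})
        principals = principals.get("AWS", []) if isinstance(principals, dict) else principals
        principals = [principals] if isinstance(principals, str) else principals
        for p in principals:
            if p == "*" or canonical_role(p) == caller:
                return True, reasons
            kind = "malformed" if canonical_role(p) is None else "a different role"
            reasons.append(f"statement {n}: principal {p} is {kind}")
    return False, reasons

# Constructed sample values shaped like the thread, with 12-digit account IDs.
CALLER = "arn:aws:sts::222222222222:assumed-role/my-super-role/i-0abc123"
SECRET_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::222222222222:role/my-super-role"},
    "Action": "secretsmanager:GetSecretValue", "Resource": "*"}]}
KMS_POLICY_BROKEN = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::arn:aws:iam::222222222222:role/my-super-role"},
    "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"}]}
```

Run it against each policy in the chain (secret, then KMS key) with the caller ARN from the error message; the first policy that returns False with a reason is the one to fix.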
