RDS Proxy IAM role unable to retrieve credentials from secret

I am trying to implement a proxy to our Aurora instance, but having difficulty getting the IAM access to work properly. We have a microservice in an ECS container that is attempting to access the database. The steps I've followed so far:

  • Created a secret containing the DB credentials
  • Created the proxy with the following config options:
    • Engine compatibility: MySQL
    • Require TLS - enabled
    • Idle timeout: 20 minutes
    • Secret - Selected DB credential secret
    • IAM Role - Chose to create new role
    • IAM Authentication - Required
  • Modified the policy of the proxy IAM role as per the details on this page.
  • Enabled enhanced logging

When issuing GET requests to the microservice, I see the following in the CloudWatch logs:

Credentials couldn't be retrieved. The IAM role "arn:our-proxy-role" is not authorized to read the AWS Secrets Manager secret with the ARN "arn:our-db-credential-secret"

Another interesting wrinkle to all of this: I pulled up the policy simulator, selecting the RDS proxy role and all of the actions under the Secrets Manager service, and all actions show up as being allowed.

I would sincerely appreciate any kind of guidance to indicate what I'm missing here.

1 Answer

Hi,

Thanks for contacting us! I understand that you're facing an authorization issue while trying to access a Secrets Manager secret.

I understand that you have granted full permission to Secrets Manager APIs. However, I wanted to ask if your secret is encrypted with a KMS key by any chance. If so, could you please check if you have granted the relevant KMS permissions as outlined in [1]?

For example,

"To decrypt an encrypted secret value, Secrets Manager calls the AWS KMS Decrypt operation to decrypt the encrypted data key in the secret. Then, it uses the plaintext data key to decrypt the encrypted secret value." [1]

Secrets Manager calls the Decrypt operation in response to the GetSecretValue operation. Secrets Manager decrypts the secret value before returning it to the caller.

Further details on the permissions required are outlined in [1], under the "Permissions for the KMS key" section:

"When Secrets Manager uses a KMS key in cryptographic operations, it acts on behalf of the user who is creating or changing the secret value in the secret.

To use the KMS key for a secret on your behalf, the user must have the following permissions. You can specify these required permissions in an IAM policy or key policy.

kms:GenerateDataKey

kms:Decrypt"

Please let us know if this resolves your issue. If you need assistance with further troubleshooting, please open a support case and we'll be glad to assist!

AWS
SUPPORT ENGINEER
answered 2 years ago
  • I am having the same exact issue as OP. My IAM role was automatically generated by using the "Create New" option when modifying my database proxy. So it should be set up correctly on its own, right? When I look at the policy it generated, it appears to be correct and is giving permission to the correct secret and KMS key. The only difference is my policy only grants kms:Decrypt and does not grant kms:GenerateDataKey. Do I need to grant kms:GenerateDataKey if the proxy only needs to read the secret? And if so, then why does the "Create New" option exclude this permission when generating the role's policy?
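The answer above points at the KMS side of the permission, and the comment asks whether kms:Decrypt alone is enough for a role that only reads the secret. The check below is an added example, not code from the question, the answer or AWS; it encodes the two statements the RDS Proxy console attaches to a role it creates (secretsmanager:GetSecretValue on the secret, and kms:Decrypt on the key restricted with the kms:ViaService condition to Secrets Manager in the proxy's region) and reports which of them a given identity policy is missing. A reader needs only kms:Decrypt; kms:GenerateDataKey is used when a secret value is created or changed, so a proxy policy without it is expected. The ARNs, account id and region are constructed placeholders. The first constructed policy reproduces the symptom in the question: every secretsmanager:* action is allowed (so the policy simulator is satisfied) yet the role cannot have the secret's data key decrypted.

```python
import json
import re
from typing import Any, Dict, List, Optional

# Constructed placeholder ARNs and region (assumptions for this example only).
REGION = "us-east-1"
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/aurora-app-AbCdEf"
KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"
VIA_SERVICE = f"secretsmanager.{REGION}.amazonaws.com"

# Constructed policy that reproduces the question: Secrets Manager access is
# granted, so the simulator shows secretsmanager:* as allowed, but nothing lets
# Secrets Manager call kms:Decrypt on the role's behalf.
POLICY_MISSING_KMS: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GetSecretValue",
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": [SECRET_ARN],
        }
    ],
}

# The shape the RDS Proxy console generates for a new role: read the secret,
# and allow kms:Decrypt only when the call comes from Secrets Manager in the
# proxy's region. Note that kms:GenerateDataKey is deliberately absent.
POLICY_FIXED: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        POLICY_MISSING_KMS["Statement"][0],
        {
            "Sid": "DecryptSecretKey",
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": KEY_ARN,
            "Condition": {"StringEquals": {"kms:ViaService": VIA_SERVICE}},
        },
    ],
}

# A subtle variant: the KMS statement exists but names the wrong region, so the
# condition never matches the actual Secrets Manager endpoint.
POLICY_WRONG_REGION: Dict[str, Any] = json.loads(json.dumps(POLICY_FIXED))
POLICY_WRONG_REGION["Statement"][1]["Condition"]["StringEquals"]["kms:ViaService"] = (
    "secretsmanager.eu-west-1.amazonaws.com"
)


def _as_list(value: Any) -> List[Any]:
    """IAM allows a string or a list in Action/Resource/condition values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _iam_match(pattern: str, value: str) -> bool:
    """IAM wildcard matching: '*' matches any run, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _statement_allows(stmt: Dict[str, Any], action: str, resource: str,
                      via_service: Optional[str] = None) -> bool:
    """True if one Allow statement covers action on resource.

    Only the kms:ViaService condition key is modelled; any other condition is
    treated as unsatisfied, so the check errs on the side of reporting a gap.
    """
    if stmt.get("Effect") != "Allow":
        return False
    if not any(_iam_match(a.lower(), action.lower()) for a in _as_list(stmt.get("Action"))):
        return False
    if not any(_iam_match(r, resource) for r in _as_list(stmt.get("Resource"))):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, allowed in pairs.items():
            if operator == "StringEquals" and key.lower() == "kms:viaservice":
                if via_service is None or via_service not in _as_list(allowed):
                    return False
            else:
                return False
    return True


def check_proxy_role_policy(policy: Dict[str, Any], secret_arn: str, key_arn: str,
                            region: str) -> List[str]:
    """Return the permissions an RDS Proxy role still lacks to read one encrypted secret."""
    statements = _as_list(policy.get("Statement"))
    via = f"secretsmanager.{region}.amazonaws.com"
    missing: List[str] = []
    if not any(_statement_allows(s, "secretsmanager:GetSecretValue", secret_arn) for s in statements):
        missing.append(f"secretsmanager:GetSecretValue on {secret_arn}")
    if not any(_statement_allows(s, "kms:Decrypt", key_arn, via_service=via) for s in statements):
        missing.append(f"kms:Decrypt on {key_arn} via {via}")
    return missing


if __name__ == "__main__":
    for name, policy in [("missing-kms", POLICY_MISSING_KMS),
                         ("wrong-region", POLICY_WRONG_REGION),
                         ("fixed", POLICY_FIXED)]:
        print(name, check_proxy_role_policy(policy, SECRET_ARN, KEY_ARN, REGION) or "ok")
```

The check only reads the role's identity policy. Two things it cannot see still have to be right for the proxy to read the secret: the KMS key policy must allow the role (directly, or by delegating to IAM for the account) if the secret uses a customer managed key, and an explicit Deny in a resource policy or SCP would override any of these Allows.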
