RDS Proxy IAM role unable to retrieve credentials from secret
I am trying to implement a proxy to our Aurora instance, but having difficulty getting the IAM access to work properly. We have a microservice in an ECS container that is attempting to access the database. The steps I've followed so far:
- Created a secret containing the DB credentials
- Created the proxy with the following config options:
  - Engine compatibility: MySQL
  - Require TLS: enabled
  - Idle timeout: 20 minutes
  - Secret: selected the DB credential secret
  - IAM Role: chose to create a new role
  - IAM Authentication: Required
- Modified the policy of the proxy IAM role as per the details on this page.
- Enabled enhanced logging
When issuing GET requests to the microservice, I see the following in the CloudWatch logs:
Credentials couldn't be retrieved. The IAM role "arn:our-proxy-role" is not authorized to read the AWS Secrets Manager secret with the ARN "arn:our-db-credential-secret"
Another interesting wrinkle to all of this: I pulled up the policy simulator, selecting the RDS proxy role and all of the actions under the Secrets Manager service, and all actions show up as being allowed.
I would sincerely appreciate any kind of guidance to indicate what I'm missing here.
Thanks for contacting us! I understand that you're facing an authorization issue while trying to access a Secrets Manager secret.
I understand that you have granted full permission to Secrets Manager APIs. However, I wanted to ask if your secret is encrypted with a KMS key by any chance. If so, could you please check if you have granted the relevant KMS permissions as outlined in 1?
"To decrypt an encrypted secret value, Secrets Manager calls the AWS KMS Decrypt operation to decrypt the encrypted data key in the secret. Then, it uses the plaintext data key to decrypt the encrypted secret value." 1
Secrets Manager calls the Decrypt operation in response to the GetSecretValue operation. Secrets Manager decrypts the secret value before returning it to the caller.
Further details on permissions required are outlined in 1, under "Permissions for the KMS key" section:
"When Secrets Manager uses a KMS key in cryptographic operations, it acts on behalf of the user who is creating or changing the secret value in the secret.
To use the KMS key for a secret on your behalf, the user must have the following permissions. You can specify these required permissions in an IAM policy or key policy.
Please let us know if this resolves your issue. If you need assistance with further troubleshooting, please open a support case and we'll be glad to assist!
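To make the answer concrete, here is an added example (not from the original post or from AWS documentation) of what the proxy role's IAM policy needs when the secret is encrypted with a customer managed KMS key: the `secretsmanager:GetSecretValue` grant on the secret plus a `kms:Decrypt` grant on the key, scoped with `kms:ViaService` so the role can only use the key through Secrets Manager. The region, account ID, secret name and key ID are placeholders to be replaced with your own values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadDbCredentialSecret",
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:REGION:ACCOUNT_ID:secret:DB_SECRET_NAME_PLACEHOLDER"
    },
    {
      "Sid": "DecryptSecretWithCustomerManagedKey",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_ID_PLACEHOLDER",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "secretsmanager.REGION.amazonaws.com"
        }
      }
    }
  ]
}
```

For a customer managed key the key policy must also permit the proxy role (directly, or by delegating to IAM policies through the account root principal), which is why the IAM policy simulator can show every Secrets Manager action as allowed while the decrypt step still fails; the AWS managed key `aws/secretsmanager` needs no such extra statement.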