AWS Console error: "Failed to get the secret value" when pressing 'Retrieve Secret Value'


I get the error "Failed to get the secret value" when pressing 'Retrieve Secret Value'.

I am not an IAM user with a role but am logged in as an IAM Identity Center user.

My group has a permission-set containing the AWS-managed policy SecretsManagerReadWrite.

The resource policy of the secret is set to deny all requests not coming from a specified VPCE (e.g. vpce-myvpce) as follows:

{
  "Version" : "2012-10-17",
  "Id" : "pl-sm_ev_vpce_ecs_sr",
  "Statement" : [ {
    "Sid" : "RestrictGetSecretValueoperation",
    "Effect" : "Deny",
    "Principal" : "*",
    "Action" : "secretsmanager:GetSecretValue",
    "Resource" : "*",
    "Condition" : {
      "StringNotEquals" : {
        "aws:sourceVpce" : "vpce-myvpce"
      }
    }
  } ]
}

How should I modify this policy in order to allow myself access to my secrets via the AWS Console, i.e. view and edit the key/value pairs?

asked 11 days ago · 40 views
1 Answer
Accepted Answer

Hello.

How about setting the IAM role used by IAM Identity Center in the same account as Secrets Manager as an exception, as shown below?

{
  "Version" : "2012-10-17",
  "Id" : "pl-sm_ev_vpce_ecs_sr",
  "Statement" : [ {
    "Sid" : "RestrictGetSecretValueoperation",
    "Effect" : "Deny",
    "Principal" : "*",
    "Action" : "secretsmanager:GetSecretValue",
    "Resource" : "*",
    "Condition" : {
      "StringNotEquals" : {
        "aws:sourceVpce" : "vpce-myvpce",
        "aws:PrincipalArn" : [ 
          "arn:aws:iam::your-account-id:role/aws-reserved/sso.amazonaws.com/your-iam-identity-center-region/AWSReservedSSO_Role"
        ]
      }
    }
  } ]
}
EXPERT · answered 11 days ago
EXPERT · reviewed 11 days ago
  • In your answer, I further had to replace /AWSReservedSSO_Role with the 'Federated user' id copied from the account details in the top-right corner of the console, e.g. /AWSReservedSSO_PermissionSetName_somecode
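Why the original policy blocks the console, and why adding the role ARN to the same StringNotEquals block fixes it, comes down to two IAM condition rules: keys inside one operator block are ANDed, and a negated operator such as StringNotEquals evaluates to true when its key is absent from the request context. A console request never traverses the VPC endpoint, so aws:sourceVpce is missing and the Deny matches. The script below is an added example written for this thread, not code from the question, the answer or AWS; it models just that slice of the evaluation logic offline and runs the question's policy, the answer's policy and a third variant (my own suggestion, not from the thread) that matches the permission set by name with ArnNotLike so the random suffix Identity Center appends to the role name need not be copied into the policy. The account id, region, permission-set name, role suffixes and request contexts are placeholders constructed for the example.

```python
"""Offline model of how a Secrets Manager resource-policy Deny is evaluated.

Added example for this thread, not code from the question or the answer.
Only the slice of IAM condition semantics needed here is implemented:
  * keys inside one operator block are ANDed, values for one key are ORed;
  * negated operators (StringNotEquals, ArnNotLike) evaluate to TRUE when
    the key is absent from the request context; aws:sourceVpce is absent on
    a console request, so the original Deny matches every console call.
Account id, region, permission-set name and role suffixes are placeholders.
"""
import fnmatch

ACCOUNT = "111122223333"  # placeholder account id
VPCE = "vpce-myvpce"      # endpoint id from the question
# Roles IAM Identity Center creates for permission sets (placeholder suffixes).
SSO_ROLE = (f"arn:aws:iam::{ACCOUNT}:role/aws-reserved/sso.amazonaws.com/"
            "eu-west-1/AWSReservedSSO_SecretsAdmin_0123456789abcdef")
OTHER_SSO_ROLE = (f"arn:aws:iam::{ACCOUNT}:role/aws-reserved/sso.amazonaws.com/"
                  "eu-west-1/AWSReservedSSO_ReadOnly_fedcba9876543210")
ECS_TASK_ROLE = f"arn:aws:iam::{ACCOUNT}:role/ecs-task-role"  # placeholder


def _values(v):
    return v if isinstance(v, list) else [v]


def _matches(op, ctx_value, allowed):
    """Positive match of one context value against the operator's value list."""
    if op in ("StringEquals", "StringNotEquals"):
        return ctx_value in allowed
    if op in ("ArnLike", "ArnNotLike"):
        return any(fnmatch.fnmatchcase(ctx_value, pat) for pat in allowed)
    raise ValueError(f"operator not modelled: {op}")


def condition_matches(condition, ctx):
    """True when every operator/key pair in the Condition block is satisfied."""
    for op, pairs in condition.items():
        negated = "Not" in op
        for key, allowed in pairs.items():
            if key not in ctx:
                if not negated:      # a missing key fails a positive operator
                    return False
                continue             # ...but satisfies a negated one
            if _matches(op, ctx[key], _values(allowed)) == negated:
                return False
    return True


def get_secret_value_denied(policy, ctx):
    """True if a Deny statement covering GetSecretValue matches the request."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if "secretsmanager:GetSecretValue" not in _values(stmt["Action"]):
            continue
        if condition_matches(stmt.get("Condition", {}), ctx):
            return True
    return False


def _deny_policy(condition):
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "RestrictGetSecretValueoperation", "Effect": "Deny",
        "Principal": "*", "Action": "secretsmanager:GetSecretValue",
        "Resource": "*", "Condition": condition}]}


# 1. The question's policy: VPC endpoint only.
ORIGINAL = _deny_policy({"StringNotEquals": {"aws:sourceVpce": VPCE}})
# 2. The answer's policy: exact role ARN as a second key in the same block,
#    so both keys must mismatch for the Deny to apply.
WITH_ROLE_EXCEPTION = _deny_policy({"StringNotEquals": {
    "aws:sourceVpce": VPCE, "aws:PrincipalArn": SSO_ROLE}})
# 3. Variant (assumption, not from the thread): match the permission set by
#    name so the random role-name suffix need not be hardcoded.
WITH_WILDCARD_ROLE = _deny_policy({
    "StringNotEquals": {"aws:sourceVpce": VPCE},
    "ArnNotLike": {"aws:PrincipalArn":
                   f"arn:aws:iam::{ACCOUNT}:role/aws-reserved/sso.amazonaws.com/"
                   "*/AWSReservedSSO_SecretsAdmin_*"}})

# Constructed request contexts. A console session carries no aws:sourceVpce.
CONSOLE_SSO = {"aws:PrincipalArn": SSO_ROLE}
CONSOLE_OTHER_SSO = {"aws:PrincipalArn": OTHER_SSO_ROLE}
ECS_VIA_VPCE = {"aws:PrincipalArn": ECS_TASK_ROLE, "aws:sourceVpce": VPCE}
ECS_FROM_INTERNET = {"aws:PrincipalArn": ECS_TASK_ROLE}

if __name__ == "__main__":
    policies = [("original", ORIGINAL), ("role exception", WITH_ROLE_EXCEPTION),
                ("wildcard role", WITH_WILDCARD_ROLE)]
    contexts = [("console, SSO role", CONSOLE_SSO),
                ("console, other perm set", CONSOLE_OTHER_SSO),
                ("ECS task via VPCE", ECS_VIA_VPCE),
                ("ECS task, no VPCE", ECS_FROM_INTERNET)]
    for pname, policy in policies:
        for cname, ctx in contexts:
            verdict = "DENIED" if get_secret_value_denied(policy, ctx) else "allowed"
            print(f"{pname:15} {cname:25} {verdict}")
```

The model ignores Allow statements and Resource matching; in the real account the Identity Center session still needs the Allow that comes from the permission set (SecretsManagerReadWrite here), and the Deny only carves out who is exempt from the VPC-endpoint restriction. For the authoritative answer on a live policy, use the IAM policy simulator rather than this approximation.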
