1 Answer
Hello.
How about setting the IAM role used by IAM-identity-center in the same account as SecretsManager as an exception, as shown below?
```json
{
  "Version" : "2012-10-17",
  "Id" : "pl-sm_ev_vpce_ecs_sr",
  "Statement" : [ {
    "Sid" : "RestrictGetSecretValueoperation",
    "Effect" : "Deny",
    "Principal" : "*",
    "Action" : "secretsmanager:GetSecretValue",
    "Resource" : "*",
    "Condition" : {
      "StringNotEquals" : {
        "aws:sourceVpce" : "vpce-myvpce",
        "aws:PrincipalArn" : [
          "arn:aws:iam::your-account-id:role/aws-reserved/sso.amazonaws.com/your-iam-identity-center-region/AWSReservedSSO_Role"
        ]
      }
    }
  } ]
}
```
In your answer, I further had to replace `/AWSReservedSSO_Role` with the 'Federated user' id copied from the account details in the top-right corner of the console, e.g. `/AWSReservedSSO_PermissionSetName_somecode`.
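The following is an added example, not code from the answer or from AWS: it replays the Deny statement above against sample requests using IAM condition semantics (every key inside a condition block must match, values listed for one key are alternatives, and a negated operator like StringNotEquals also matches when the key is absent from the request). It shows why the statement admits both endpoint traffic and the exempted role, and why the placeholder role name from the answer fails against the real, suffixed role name noted in the follow-up comment. The account id, endpoint id, region and role names are constructed placeholders.

```python
# Constructed placeholders, not real identifiers.
ACCOUNT = "111122223333"
VPCE = "vpce-myvpce"
SSO_PREFIX = f"arn:aws:iam::{ACCOUNT}:role/aws-reserved/sso.amazonaws.com/us-east-1/"
GET_SECRET = "secretsmanager:GetSecretValue"


def make_policy(exempt_role_arn):
    """Resource policy from the answer, parameterised on the exempted principal ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "RestrictGetSecretValueoperation",
            "Effect": "Deny",
            "Principal": "*",
            "Action": GET_SECRET,
            "Resource": "*",
            "Condition": {"StringNotEquals": {
                "aws:sourceVpce": VPCE,
                "aws:PrincipalArn": [exempt_role_arn],
            }},
        }],
    }


def string_not_equals(values, actual):
    """True when the request value matches none of the listed values.

    An absent key (e.g. no aws:sourceVpce because the request did not come
    through the endpoint) also counts as "not equal", so it helps trigger Deny.
    """
    values = values if isinstance(values, list) else [values]
    return actual not in values


def is_denied(policy, action, context):
    """context maps condition keys (aws:sourceVpce, aws:PrincipalArn) to request values."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Deny" or action not in actions:
            continue
        cond = stmt.get("Condition", {})
        unsupported = set(cond) - {"StringNotEquals"}
        if unsupported:  # this toy evaluator only models the operator used on this page
            raise NotImplementedError(sorted(unsupported))
        # All keys in the block are ANDed: Deny only when every key fails to match.
        if all(string_not_equals(v, context.get(k)) for k, v in cond["StringNotEquals"].items()):
            return True
    return False
```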