AWS CodeBuild AccessDeniedException for secretsmanager Despite Correct IAM Policies


I'm setting up a CI/CD pipeline using AWS CodePipeline and AWS CodeBuild to deploy a Docker application running on an Elastic Beanstalk instance. The Docker credentials are stored in AWS Secrets Manager, and are initialized as environment variables within the AWS CodeBuild Resource. Despite having the necessary IAM policies in place, I'm encountering an AccessDeniedException when CodeBuild tries to access the secrets.

Permission inside CodeBuild IAM Role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "secretsmanager:GetSecretValue" ],
      "Resource": [ "arn:aws:secretsmanager:region:userid:secret:secretname-??????" ]
    }
  ]
}

Resource Permission inside the specific secret in Secrets Manager:

{
  "Version" : "2012-10-17",
  "Statement" : [ {
    "Effect" : "Allow",
    "Principal" : {
      "AWS" : "arn:aws:iam::userid:role/service-role/servicename"
    },
    "Action" : "secretsmanager:GetSecretValue",
    "Resource" : "arn:aws:secretsmanager:region:userid:secret:secretname-??????"
  } ]
}

I keep getting the same error which is:

Phase context status code: Secrets Manager Error Message: AccessDeniedException: User: arn:aws:sts::userid:assumed-role/servicerolename/AWSCodeBuild-codebuildid is not authorized to perform: secretsmanager:GetSecretValue on resource: id_value because no identity-based policy allows the secretsmanager:GetSecretValue action

Thanks!

I've already tried both attaching a customer managed policy and creating an inline customer policy, and nothing worked.

I've also checked with AWS' Policy Simulator and got an "allowed" output when I accessed my secret values from my IAM service role.

1 Answer
Accepted Answer

Hello.

Is it possible that you are setting an IAM policy for the wrong IAM role?
Also, if the IAM policy allows "secretsmanager:GetSecretValue", the Secrets Manager resource-based policy is not required.

Please also check that no other permission boundaries have been set for the target IAM role.
If a permission boundary is set, please delete the setting.
Also, check that there is no IAM policy set to deny "secretsmanager:GetSecretValue".
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html

EXPERT
answered a year ago
EXPERT
reviewed a year ago
  • EDIT: I managed to solve the issue. The problem was the initialization of unnecessary env vars inside CodeBuild, which caused an overwrite/collision while retrieving the secrets.

    1. It is the correct IAM role.
    2. I've deleted the resource-based policy, no change, unfortunately.
    3. No boundaries are set.
    4. How do I check whether there are IAM policies that deny "secretsmanager:GetSecretValue"? I haven't defined any policies manually, except the AccessSecrets one within the CodeBuild role. Having said that, there are policies that were set automatically when I deployed the Elastic Beanstalk EC2 instance.

    Thanks.
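To answer the last question in the comment (how to find an explicit Deny) and to cover the permission-boundary check the answer recommends, here is an added example that is not part of the original thread and not an AWS tool. It re-implements the relevant part of IAM's evaluation order (explicit Deny wins, then the permissions boundary must allow, then some identity-based policy must allow) on policy documents you have already downloaded, so it runs offline. The policy names `AccessSecrets` and `Extra`, the Deny statement, the boundary document and the secret suffix `AbCdEf` are constructed for the example; Condition blocks, NotAction/NotResource and service control policies are deliberately ignored.

```python
"""Offline explanation of why an IAM role is (not) allowed to call an action.

Added example, not from the original post. Simplifications (assumptions):
Condition, NotAction, NotResource and SCPs are ignored.
"""
import re


def _as_list(value):
    # IAM allows a single string or a list in Action/Resource/Statement.
    return value if isinstance(value, list) else [value]


def _pattern_matches(pattern, value, case_insensitive=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    # This is what makes "secretname-??????" match the six random characters
    # Secrets Manager appends to a secret name.
    regex = "^" + ".*".join(
        ".".join(re.escape(piece) for piece in part.split("?"))
        for part in pattern.split("*")
    ) + "$"
    flags = re.IGNORECASE if case_insensitive else 0
    return re.match(regex, value, flags) is not None


def _statement_matches(stmt, action, resource):
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    # Action names are case-insensitive; ARNs are matched as written.
    return any(_pattern_matches(a, action, True) for a in actions) and any(
        _pattern_matches(r, resource) for r in resources
    )


def _matching_statements(policies, action, resource):
    """Return (allows, denies) as lists of (policy_name, statement)."""
    allows, denies = [], []
    for name, doc in policies.items():
        for stmt in _as_list(doc.get("Statement", [])):
            if _statement_matches(stmt, action, resource):
                target = allows if stmt.get("Effect") == "Allow" else denies
                target.append((name, stmt))
    return allows, denies


def explain_access(identity_policies, action, resource, boundary=None):
    """Decide whether the role may perform `action` on `resource`, and say why.

    identity_policies: {policy_name: document} for every managed and inline
    policy attached to the role. boundary: permissions-boundary document or
    None. Returns (allowed: bool, reason: str).
    """
    allows, denies = _matching_statements(identity_policies, action, resource)
    if denies:  # an explicit Deny anywhere overrides every Allow
        return False, "explicit Deny in identity policy " + denies[0][0]
    if boundary is not None:
        b_allows, b_denies = _matching_statements({"boundary": boundary}, action, resource)
        if b_denies:
            return False, "explicit Deny in permissions boundary"
        if not b_allows:
            return False, "permissions boundary does not allow the action"
    if not allows:
        # Same wording as the AccessDeniedException in the question.
        return False, "no identity-based policy allows the action"
    return True, "allowed by identity policy " + allows[0][0]


# --- Constructed sample input, using the placeholders from the question ---
SECRET_ARN = "arn:aws:secretsmanager:region:userid:secret:secretname-AbCdEf"
ACTION = "secretsmanager:GetSecretValue"

# The asker's inline policy (the only one they wrote by hand).
ACCESS_SECRETS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["secretsmanager:GetSecretValue"],
        "Resource": ["arn:aws:secretsmanager:region:userid:secret:secretname-??????"],
    }],
}

# Hypothetical extra policy with an explicit Deny (constructed; the question
# shows no such policy). Any automatically attached policy would be inspected
# the same way.
DENY_SECRETS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "secretsmanager:*", "Resource": "*"}],
}

# Hypothetical permissions boundary that never mentions Secrets Manager.
NARROW_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def run_checks():
    """Evaluate the three situations the accepted answer asks about."""
    return {
        "only_allow": explain_access({"AccessSecrets": ACCESS_SECRETS}, ACTION, SECRET_ARN),
        "with_deny": explain_access(
            {"AccessSecrets": ACCESS_SECRETS, "Extra": DENY_SECRETS}, ACTION, SECRET_ARN),
        "with_boundary": explain_access(
            {"AccessSecrets": ACCESS_SECRETS}, ACTION, SECRET_ARN, boundary=NARROW_BOUNDARY),
    }


if __name__ == "__main__":
    for case, (ok, why) in run_checks().items():
        print(f"{case}: {'ALLOWED' if ok else 'DENIED'} ({why})")
```

To feed it real documents, list the role's managed policies with `aws iam list-attached-role-policies --role-name <role>` and fetch each with `aws iam get-policy-version`, list inline policies with `aws iam list-role-policies` and fetch them with `aws iam get-role-policy`, and read the boundary (if any) from the `PermissionsBoundary` field of `aws iam get-role`. Because the code ignores Condition blocks, an "allowed" result here is an upper bound; a "denied" result with an explicit Deny or a boundary reason is the thing to fix.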
