Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

not able to fetch the symmetric key for the given provider config

0

we are using a cli user for faching the secrets

Topics
Security, Identity, & Compliance
Tags
AWS Secrets ManagerIAM Policies
Language
English
asked 2 years ago220 views
1 Answer
0

With the little information you provided, the below steps would work. Otherwise, as Oleksii mentioned - complete the question with more details, and error details.

When using AWS Secrets Manager, the service encrypts the secret values using an AWS Key Management Service (KMS) customer master key (CMK). To fetch and decrypt the secret values, the IAM user or role must have the necessary permissions to access the KMS key used for encryption.

There are two ways to grant the required permissions:

  1. If the KMS Key has default policies: If you're using the default KMS key policies, you can grant the IAM user the required permissions by attaching an IAM policy that allows the kms:Decrypt action on the KMS key ARN.

    Here's an example IAM policy that grants the kms:Decrypt permission on the KMS key:

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": "<KMS_KEY_ARN>"
        }
    ]
}

    Replace <KMS_KEY_ARN> with the ARN of the KMS key used by AWS Secrets Manager to encrypt the secret values.

  2. If you're managing custom KMS key resource permissions: If you're using a custom KMS key and managing its resource permissions, you need to add a policy to the KMS key resource policy to grant the IAM user the kms:Decrypt permission.

    Here's an example policy statement that you can add to the KMS key resource policy:

    {
    "Sid": "AllowIAMUserToDecrypt",
    "Effect": "Allow",
    "Principal": {
        "AWS": "<IAM_USER_ARN>"
    },
    "Action": [
        "kms:Decrypt"
    ],
    "Resource": "*"
}

    Replace <IAM_USER_ARN> with the ARN of the IAM user that needs to access the KMS key for decryption.

By following either of these approaches, you'll grant the necessary permissions for the IAM user to access the KMS key used by AWS Secrets Manager, allowing them to fetch and decrypt the secret values successfully.

Remember to replace the placeholders (<KMS_KEY_ARN> and <IAM_USER_ARN>) with the appropriate values for your AWS environment.

AWS
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content