Possible bug with IAM permissions and the secretsmanager:BatchGetSecretValue permission?

0

From testing it looks that calling the API for BatchGetSecretValue from an EC2 instance with an IAM profile - that is assigned a role with a set of policies, where one of the policies has the statement to allow secretsmanager:BatchGetSecretValue - will fail with an "AccessDeniedException" error if the statement has any resource limit other than "*", even if the resource limit is "arn:aws:secretsmanager:*:*:secret:*"

Even more confusing, if I give the permission secretsmanager:BatchGetSecretValue but not the permission secretsmanager:GetSecretValue and then issue the API call BatchGetSecretValue - that succeeds but all of the requested secrets return as errors that have the message "User: arn:aws:sts::MYACCOUNTID:assumed-role/my-server/i-instanceid is not authorized to perform: secretsmanager:GetSecretValue on resource: secret-name because no identity-based policy allows the secretsmanager:GetSecretValue action"

I believe this is a bug in the Amazon Secrets Manager service.

asked 2 months ago, 128 views
3 Answers
1
Accepted Answer

Hello.

From testing it looks that calling the API for BatchGetSecretValue from an EC2 instance with an IAM profile - that is assigned a role with a set of policies, where one of the policies has the statement to allow secretsmanager:BatchGetSecretValue - will fail with an "AccessDeniedException" error if the statement has any resource limit other than "*", even if the resource limit is "arn:aws:secretsmanager:*:*:secret:*"

The "Resource types" column in the document below is blank, so if you do not specify an asterisk, an error will occur.
You cannot specify an ARN in the resource section of an IAM policy, even if you are targeting all secrets, such as "arn:aws:secretsmanager:*:*:secret:*".
https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html

Even more confusing, if I give the permission secretsmanager:BatchGetSecretValue but not the permission secretsmanager:GetSecretValue and then issue the API call BatchGetSecretValue - that succeeds but all of the requested secrets return as errors that have the message "User: arn:aws:sts::MYACCOUNTID:assumed-role/my-server/i-instanceid is not authorized to perform: secretsmanager:GetSecretValue on resource: secret-name because no identity-based policy allows the secretsmanager:GetSecretValue action"

As stated in the following document, "GetSecretValue" is required in the IAM policy required to execute the "BatchGetSecretValue" API.
So, the behavior you observed is not a bug but normal behavior of AWS.
https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_BatchGetSecretValue.html

Required permissions: secretsmanager:BatchGetSecretValue, and you must have secretsmanager:GetSecretValue for each secret. If you use filters, you must also have secretsmanager:ListSecrets. If the secrets are encrypted using customer-managed keys instead of the AWS managed key aws/secretsmanager, then you also need kms:Decrypt permissions for the keys. For more information, see IAM policy actions for Secrets Manager and Authentication and access control in Secrets Manager.

EXPERT
answered 2 months ago
  • So there is no way to limit what secrets BatchGetSecretValue can access for a certain user? If I want to have a user able to use BatchGetSecretValue then they get access to everything?

  • The settings in the following document may be helpful. The following settings allow access only to secrets that are allowed by "GetSecretValue". https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_iam-policies.html#auth-and-access_examples_batch

    You can grant access to retrieve a group of secrets in a batch API call by attaching the following policy to an identity. The policy restricts the caller so that they can only retrieve the secrets specified by SecretARN1, SecretARN2, and SecretARN3, even if the batch call includes other secrets. If the caller also requests other secrets in the batch API call, Secrets Manager won't return them. For more information, see BatchGetSecretValue.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "secretsmanager:BatchGetSecretValue",
            "secretsmanager:ListSecrets"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "secretsmanager:GetSecretValue"
          ],
          "Resource": [
            "SecretARN1",
            "SecretARN2",
            "SecretARN3"
          ]
        }
      ]
    }
    
  • @Riku_Kobayashi - that solved the problem. Thank you for your support!
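As an added illustration (not code from the question or the answers), the following policy linter encodes the rule the accepted answer and the linked documentation describe: a statement allowing secretsmanager:BatchGetSecretValue must use Resource "*" because the action has no resource types, while scoping belongs on secretsmanager:GetSecretValue. The two policy documents, the account ID and the secret ARN are constructed for the example.

```python
from typing import Dict, List

# Constructed policies (not the asker's actual documents) reproducing the two
# cases discussed above: scoping BatchGetSecretValue by ARN, which fails with
# AccessDeniedException, and the documented pattern that scopes GetSecretValue.
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["secretsmanager:BatchGetSecretValue", "secretsmanager:GetSecretValue"],
        "Resource": "arn:aws:secretsmanager:*:*:secret:*",
    }],
}

FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["secretsmanager:BatchGetSecretValue", "secretsmanager:ListSecrets"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["secretsmanager:GetSecretValue"],
         # Placeholder ARN; only the listed secrets are returned by the batch call.
         "Resource": ["arn:aws:secretsmanager:us-east-1:111122223333:secret:app/db-AbCdEf"]},
    ],
}


def _as_list(value) -> List[str]:
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_batch_policy(policy: Dict) -> List[str]:
    """Return findings for the BatchGetSecretValue / GetSecretValue pattern.

    Only literal action names are inspected; wildcard actions such as
    "secretsmanager:*" are not expanded by this simple checker.
    """
    findings: List[str] = []
    grants_get = False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "secretsmanager:BatchGetSecretValue" in actions and resources != ["*"]:
            findings.append(f'BatchGetSecretValue has no resource type; Resource must be "*", got {resources}')
        if "secretsmanager:GetSecretValue" in actions:
            grants_get = True
            if resources == ["*"]:
                findings.append('GetSecretValue on "*" exposes every secret; scope it to the ARNs the batch may return')
    if not grants_get:
        findings.append("missing secretsmanager:GetSecretValue: every secret in the batch is returned as an error")
    return findings
```

Running the checker on BROKEN_POLICY reports the Resource problem, while FIXED_POLICY produces no findings.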

0

BatchGetSecretValue is a List operation. According to the documentation, you will need secretsmanager:GetSecretValue for each of the secrets for it to work.

Required permissions: secretsmanager:BatchGetSecretValue, and you must have secretsmanager:GetSecretValue for each secret. If you use filters, you must also have secretsmanager:ListSecrets.

Documentation: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_BatchGetSecretValue.html

answered 2 months ago
-1

Based on the behavior you've described, it does appear that there might be an issue with how the Secrets Manager service is handling permissions for the BatchGetSecretValue API action. However, we should be cautious about labeling it as a definitive bug without further investigation.

The behavior you're experiencing with BatchGetSecretValue failing when there's any resource limit other than "*" is unexpected. Typically, specifying a resource ARN like "arn:aws:secretsmanager:*:*:secret:*" should work for allowing access to all secrets.

Regarding the second part of your observation, where BatchGetSecretValue succeeds but individual secrets fail due to lack of GetSecretValue permission, this actually aligns with how the API is designed to work. The BatchGetSecretValue operation is essentially a wrapper that makes multiple GetSecretValue calls internally. Therefore, you need both BatchGetSecretValue and GetSecretValue permissions for the operation to fully succeed.

To resolve this issue, you should:

  1. Ensure that your IAM policy includes both secretsmanager:BatchGetSecretValue and secretsmanager:GetSecretValue permissions.
  2. Try using a wildcard ("*") for the resource in your policy statement if you need access to all secrets.
  3. If you need to limit access to specific secrets, you may need to list out the ARNs of those secrets individually in the Resource section of your policy.

If the issue persists after making these changes, it would be advisable to contact AWS Support for further investigation, as there might indeed be an underlying issue with how the service is interpreting the permissions.
Sources
Troubleshoot Secrets Manager code 400 | AWS re:Post
Troubleshoot access denied error messages - AWS Identity and Access Management

answered 2 months ago
  • Yea, that's AI slop: suggests as a solution to do the thing I specifically said does not work.
