I have a secret, my-secret-1, in Account A. I want to access this secret from Account B using a resource-based policy.

I have followed the document below for instructions:
https://aws.amazon.com/blogs/database/design-patterns-to-access-cross-account-secrets-stored-in-aws-secrets-manager/

Below is my resource-based policy attached to the secret in Account A:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAccountAAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::accountANumber:root"
      },
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "*"
    },
    {
      "Sid": "RestrictAccess",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": [ "arn:aws:iam::accountBNumber:role/accountB-IAMRole-*" ]
        }
      }
    }
  ]
}
```
This works fine when I access it from an EC2 instance in Account B using the command below:

```
aws secretsmanager get-secret-value --secret-id "AccountASercretArn" --region "us-east-1"
```

But the Spring Java program installed on the EC2 instance fails to get the secret with the error below:
```
com.amazonaws.services.secretsmanager.model.AWSSecretsManagerException: User: arn:aws:sts::AccountA:assumed-role/AccountA-1XHHJOW5RFKUT/i-1221ds12238 is not authorized to perform: secretsmanager:GetSecretValue on resource: my-secret-1 because no identity-based policy allows the secretsmanager:GetSecretValue action (Service: AWSSecretsManager; Status Code: 400; Error Code: AccessDeniedException; Request ID: 1qqq16169-sa2-2ddd-s344ff; Proxy: null)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1879)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleServiceErrorResponse(AmazonHttpClient.java:1418)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1387)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1157)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:814)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:781)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:755)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:715)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:697)
	at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:561)
	at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:541)
	at com.amazonaws.services.secretsmanager.AWSSecretsManagerClient.doInvoke(AWSSecretsManagerClient.java:2783)
	at com.amazonaws.services.secretsmanager.AWSSecretsManagerClient.invoke(AWSSecretsManagerClient.java:2750)
	at com.amazonaws.services.secretsmanager.AWSSecretsManagerClient.invoke(AWSSecretsManagerClient.java:2739)
	at com.amazonaws.services.secretsmanager.AWSSecretsManagerClient.executeGetSecretValue(AWSSecretsManagerClient.java:1078)
	at com.amazonaws.services.secretsmanager.AWSSecretsManagerClient.getSecretValue(AWSSecretsManagerClient.java:1047)
```
Java code:

```java
import com.amazonaws.regions.Region;
import com.amazonaws.services.secretsmanager.AWSSecretsManager;
import com.amazonaws.services.secretsmanager.AWSSecretsManagerClientBuilder;
import com.amazonaws.services.secretsmanager.model.GetSecretValueRequest;
import com.amazonaws.services.secretsmanager.model.GetSecretValueResult;
import org.springframework.context.annotation.Bean;

@Bean
public AWSSecretsManager secretsManager(final Region region) {
    // Credentials come from the default provider chain, i.e. the EC2 instance profile role here
    return AWSSecretsManagerClientBuilder.standard()
            .withRegion(region.getName())
            .build();
}

public GetSecretValueResult getGetSecretValueResult(final AWSSecretsManager secretsManager) {
    try {
        final GetSecretValueRequest getSecretValueRequest =
                new GetSecretValueRequest().withSecretId("my-secret-1");
        return secretsManager.getSecretValue(getSecretValueRequest);
    } catch (final Throwable e) {
        // The original catch block was empty, which leaves the method without a return value and
        // hides the AccessDeniedException; rethrow so the failure above is visible to the caller
        throw new IllegalStateException("Failed to read secret my-secret-1", e);
    }
}
```
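Added example, not part of the question or of the linked AWS post: a small Python model of how IAM decides a cross-account `secretsmanager:GetSecretValue` call. It uses a resource policy with the same shape as the one in the question (an Allow for an account root plus a Deny with `ArnNotLike` on `aws:PrincipalArn`), with the Allow naming the calling account's root, which is what cross-account access requires, and an assumed identity-based policy on the Account B instance role. The account ids, role names and secret ARN are constructed placeholders. It reproduces the three decisions that matter here: an allowed caller, a caller whose account has no identity-based policy for the action (the wording in the error above), and a caller hit by the explicit Deny. The model ignores SCPs, permission boundaries and the KMS key policy.

```python
import re

# Constructed account ids and ARNs standing in for the question's accountANumber / accountBNumber.
ACCOUNT_A = "111111111111"  # owns the secret
ACCOUNT_B = "222222222222"  # owns the EC2 instance role
ACTION = "secretsmanager:GetSecretValue"
SECRET_ARN = f"arn:aws:secretsmanager:us-east-1:{ACCOUNT_A}:secret:my-secret-1-AbCdEf"

# Resource policy on the secret, same shape as the question's: an Allow for the calling
# account's root and a Deny for every principal outside the expected role name pattern.
RESOURCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAccountBAccess", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_B}:root"},
         "Action": ACTION, "Resource": "*"},
        {"Sid": "RestrictAccess", "Effect": "Deny", "Principal": "*",
         "Action": ACTION, "Resource": "*",
         "Condition": {"ArnNotLike": {
             "aws:PrincipalArn": [f"arn:aws:iam::{ACCOUNT_B}:role/accountB-IAMRole-*"]}}},
    ],
}
# Identity-based policy on the Account B instance role (assumed; the question shows none).
IDENTITY_POLICY = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": ACTION, "Resource": SECRET_ARN}]}
EMPTY_POLICY = {"Version": "2012-10-17", "Statement": []}

def _glob(pattern, value):
    """ArnLike-style matching: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _account_of(arn):
    return arn.split(":")[4]

def _principal_matches(principal, caller_arn):
    if principal == "*":
        return True
    for p in _as_list(principal.get("AWS", [])):
        if p in ("*", caller_arn):
            return True
        # "<account>:root" delegates to every IAM principal in that account, subject to
        # that account's own identity-based policies.
        if p.endswith(":root") and _account_of(p) == _account_of(caller_arn):
            return True
    return False

def _condition_holds(condition, context):
    for operator, pairs in condition.items():
        for key, patterns in pairs.items():
            matched = any(_glob(p, context.get(key, "")) for p in _as_list(patterns))
            if (operator == "ArnLike" and not matched) or (operator == "ArnNotLike" and matched):
                return False
    return True

def _applies(stmt, caller_arn, action, resource_arn, check_principal):
    if check_principal and not _principal_matches(stmt.get("Principal", {}), caller_arn):
        return False
    if not any(_glob(a, action) for a in _as_list(stmt["Action"])):
        return False
    if not any(_glob(r, resource_arn) for r in _as_list(stmt["Resource"])):
        return False
    # aws:PrincipalArn for a role session is the IAM role ARN, not the sts assumed-role ARN.
    return _condition_holds(stmt.get("Condition", {}), {"aws:PrincipalArn": caller_arn})

def evaluate(caller_role_arn, action, resource_arn, resource_policy, identity_policy):
    """Simplified IAM decision: an explicit Deny anywhere wins; a cross-account request then
    needs an Allow in BOTH policies, a same-account request needs an Allow in either."""
    resource_effects = {s["Effect"] for s in resource_policy["Statement"]
                        if _applies(s, caller_role_arn, action, resource_arn, True)}
    identity_effects = {s["Effect"] for s in identity_policy["Statement"]
                        if _applies(s, caller_role_arn, action, resource_arn, False)}
    if "Deny" in resource_effects or "Deny" in identity_effects:
        return "AccessDenied: explicit deny"
    if _account_of(caller_role_arn) != _account_of(resource_arn):
        if "Allow" not in resource_effects:
            return "AccessDenied: resource policy does not allow the caller's account"
        if "Allow" not in identity_effects:
            return "AccessDenied: no identity-based policy allows " + action
        return "Allow"
    return "Allow" if "Allow" in resource_effects | identity_effects else "AccessDenied: implicit deny"

def run_scenarios():
    """Decisions for a few constructed callers against the policies above."""
    good_role = f"arn:aws:iam::{ACCOUNT_B}:role/accountB-IAMRole-ec2"
    other_role = f"arn:aws:iam::{ACCOUNT_B}:role/other-role"
    account_a_role = f"arn:aws:iam::{ACCOUNT_A}:role/AccountA-1XHHJOW5RFKUT"
    return {
        "matching role, identity policy present": evaluate(good_role, ACTION, SECRET_ARN, RESOURCE_POLICY, IDENTITY_POLICY),
        "matching role, no identity policy": evaluate(good_role, ACTION, SECRET_ARN, RESOURCE_POLICY, EMPTY_POLICY),
        "other Account B role": evaluate(other_role, ACTION, SECRET_ARN, RESOURCE_POLICY, IDENTITY_POLICY),
        "Account A role": evaluate(account_a_role, ACTION, SECRET_ARN, RESOURCE_POLICY, IDENTITY_POLICY),
    }

if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name}: {decision}")
```

Running it prints one decision per scenario. Two documented details the model encodes are worth checking against a real setup: `aws:PrincipalArn` carries the IAM role ARN (`arn:aws:iam::<account>:role/<name>`), so the `ArnNotLike` pattern must match that form rather than the `arn:aws:sts::...:assumed-role/...` identity shown in error messages, and a caller in another account has to address the secret by its full ARN, not by name. If the secret is encrypted with a customer managed KMS key, that key's policy also has to allow the calling account, which this model does not cover.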