aws-elasticbeanstalk-ec2-role aws-elasticbeanstalk-ec2-role is not authorized to perform: secretsmanager:GetSecretValue although the default role is updated to include policy

0

There is an EC2 instance attempting to get a secret from SecretsManager but errors with the following:

Error getting database credentials from Secrets Manager AccessDeniedException: User: arn:aws:sts::{AccountNumber}:assumed-role/aws-elasticbeanstalk-ec2-role/i-{instanceID} is not authorized to perform: secretsmanager:GetSecretValue on resource: rds/staging/secretName because no identity-based policy allows the secretsmanager:GetSecretValue action

I have tried adding the following policy to the general aws-elasticbeanstalk-ec2-role to allow for access but it is still not able to get the secrets:

GetSecretsPolicy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetResourcePolicy",
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret",
                "secretsmanager:ListSecretVersionIds"
            ],
            "Resource": "arn:aws:secretsmanager:*:{AccountNumber}:secret:rds/production/secretName"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "secretsmanager:GetRandomPassword",
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetResourcePolicy",
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret",
                "secretsmanager:ListSecretVersionIds"
            ],
            "Resource": "arn:aws:secretsmanager:*:{AccountNumber}:secret:rds/staging/secretName"
        }
    ]
}

I continue to get the error and am wondering if there is something I can tweak to make it able to have proper access to the secret values

3 Answers
1

Hello,

Based on what you have described, it looks like the IAM policy attached to the role does not include the complete ARN of the secret in the "Resource" element of the policy. The ARN format you have used is this "arn:aws:secretsmanager:*:{AccountNumber}:secret:rds/staging/secretName" - which includes the secret name at the end. However, the format of the secret's ARN is arn:${Partition}:secretsmanager:${Region}:${Account}:secret:${SecretId} which will not just contain the name of the secret, but it also appends a dash followed by a string of characters that are unique to that secret.

The following CLI command will provide the complete ARN of the secret considering that rds/staging/secretName is the name of your secret:

aws secretsmanager describe-secret --secret-id rds/staging/secretName

You would also find the complete ARN of the secret in the Secrets Manager console -> by selecting the name of the secret -> under "Secret details" section.

Our documentation below covers details as to why the secret ARN contains the dash and a string of characters following the name of the secret.

[] Permissions reference for Secrets Manager - Secrets Manager resources - https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_iam-permissions.html#iam-resources

"Secrets Manager constructs the last part of the secret ARN by appending a dash and six random alphanumeric characters at the end of the secret name. If you delete a secret and then recreate another with the same name, this formatting helps ensure that individuals with permissions to the original secret don't automatically get access to the new secret because Secrets Manager generates six new random characters."

Please ensure to include the complete ARN of the secret in the "Resource" element of the IAM policy and that should grant your role access to APIs under statements VisualEditor2 and VisualEditor0 for the two secrets you have tried to grant access to.

SUPPORT ENGINEER
answered a year ago
0

You can try adding the "SecretsManagerReadWrite" permission policy to the role in IAM. Line 25 of this policy sets "Resource" to *.

answered 9 months ago
0

Hi AWS-User-1866056, If any of the answers provided helped you, please let the community know by clicking the "Accept" button. This allows other community members to also benefit from it. Thank you for your participation.

profile picture
SUPPORT ENGINEER
answered 7 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions