Questions tagged with AWS Secrets Manager

I'm trying to test endpoint connection from DMS Replication Instance, DMS (3.4.7) RI instance (running in Acnt A) is attempting to get a secret from SecretsManager (running in Acnt B) using VPC Interface endpoint, but errors out with the following. Test Endpoint failed: Application-Status: 1020912, Application-Message: Failed to retrieve secret. Unable to find Secrets Manager secret, Application-Detailed-Message: Unable to find AWS Secrets Manager secret Arn 'arn:aws:secretsmanager:us-east-1:acntBbbbbb:secret:/dmsdemo/aaaaa-<erandomStrng>' The secrets_manager get secret value failed: User: arn:aws:sts::acntAaaaa:assumed-role/DMSStack-DMSRole-zzzzzzz/dms-session-for-replication-engine is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:us-east-1:acntBbbbbb:secret:/aaaaa-<randomStrng> because no session policy allows the secretsmanager:GetSecretValue action Not retriable error: <AccessDeniedException> User: arn:aws:sts::acntAaaaa:assumed-role/DMSStack-DMSRole-zzzzzzz/dms-session-for-replication-engine is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:us-east-1:acntBbbbbb:secret:/dmsdemo/aaaaa-<randomStrng>' because no session policy allows the secrets DMSRole { "Version": "2012-10-17", "Statement": [ { "Action": [ "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret" ], "Resource": "arn:aws:secretsmanager:us-east-1:acntAaaaa:secret:/dmsdemo/aaaaa-<randomStrng>", "Effect": "Allow" }, { "Action": "kms:Decrypt", "Resource": "arn:aws:kms:us-east-1:acnt:key/ddddddddddd", "Effect": "Allow" } ] } Resource Policy on Secret { "Version" : "2012-10-17", "Statement" : [ { "Effect" : "Allow", "Principal" : { "AWS" : [ "arn:aws:iam::acntAaaaaa:root", "arn:aws:iam::acntBbbbbbb:root" ] }, "Action" : [ "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret" ], "Resource" : "*" } ] } Any thoughts on what was missing in permissions that is restricting the access to secretlg...

Our Unix/Linux team uses an Open Source password vault to manage our root and other critical passwords. We're interested in an AWS-based solution. Requirements in no particular order: * Accessible by our team only -- another team has the same general CommonSysAdmin role we do, but we don't want to expose our root password to them. * Quickly available from the web given proper credentials and coming from a company laptop. * No need for a password to get the password. Assume we are already fully authenticated opening the Secrets Manager. * Transparently encrypt the password using a private key already on the company laptop. Suggestions for additional requirements welcome!lg...

Hello. I'm trying to find a good way to cache secrets from Secrets Manager in PHP to avoid calling the SM constantly. Can anyone suggest a good and easy cache for PHP 8 in Elastic Beanstalk. Thank you.lg...

we have crated ElastiCache ( redis cluster ) and we would like to integrate ElastiCache ( redis cluster ) through secrets manager in our code (.net ), can any one help on this. we have integrated RDS in our code through secrets manager and we are trying to achieve the same using ElastiCache ( redis cluster ) , please advise if its possible.lg...

I've been using aws cdk with github to set up my cicd pipeline for a while. This is the main tutorial I followed https://docs.aws.amazon.com/cdk/v2/guide/cdk_pipeline.html#cdk_pipeline_define. Along with this video https://www.youtube.com/watch?v=EVDw0sdxaec&t=433s which shows how to set up a github personal access token and save it to secrets manager. Whenever the github personal access token would expire, I would just create a new one and update the secret in aws secrets manager. However today. Even after reseting the access token the codepipeline does not work. It fails at soucing the github repo and give the following error and explanation. ``` Insufficient permissions Could not access the GitHub repository: "REDACTED". The access token might be invalid or has been revoked. Edit the pipeline to reconnect with GitHub. ```lg...

I just read the entire User Guide and unless I am missing something I found nothing that spells out exactly what is used to store secrets (S3, database, etc?) and what security controls/level of security is in place (other than the secrets being envelope encrypted by AWS KMS). I understand this is quite basic, but I can't find the information anywhere. I also watched Secrets Manager presentations from AWS on YouTube and none of them spelled out how things work behind the scenes.lg...

When creating a DB cluster (ie: Aurora Mysql) with autorotated secrets manager credentials, and attaching connection data using `AWS::SecretsManager::SecretTargetAttachment`, it is missing the replicas read-only endpoint. It would be nice to include it under some `readersHost` key. Is it possible? Where should I ask for it?lg...

In the [secrets manager documentation](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_how.html) it states: > If any rotation step fails, Secrets Manager retries the entire rotation process multiple times. I've also seen conflicting reports that it will retry the current step of rotation that it was on. Is it possible to more clearly document how Secrets Manager retries rotation failures, with specific details? When writing a custom rotation lambda to manage resources that don't fall into one of the generic templates AWS provides, it is necessary to understand how lambda invocation failures are handled by the Secrets Manager service. Without this information, it is impossible to write robust rotation logic that can handle transitive failures of the rotation lambda.lg...

How can I access secrets that are on account B. My buildspec on account A looks this way? When running codebuild project I have an error - Secrets Manager can't find the specified secret. lg...

Hi. Trying to configure an ETL job from S3 to RDS Aurora. I want to make use of secrets manager to create the connection instead of hard-coding userid/pw. The connection itself, when tested via Connections -> Test Connection is successful. But when I try to use that same connection and execute my ETL job I get an error on the console: ``` An error occurred while calling o73.getCatalogSink. None.get ``` Digging deeper into the CloudWatch logs I see another error which points to secrets manager: ``` 22/08/16 20:49:14 INFO GlueContext: Glue secret manager integration: secretId is not provided. ``` Is this a bug, or am I doing something wrong? Thank you,lg...

Hi, in this api page https://portal.aws.amazon.com/billing/rest/v1.0/account there is some information like {"registrationDate":XXXXXXXX,"customerId":"XXXXX","accountStatus":"Active","accountRole":"Payer","accountId":"XXXXX","userId":"","userName":"","fullName":"XXX","awsAccessKey":"","awsSecretKey":"","awsSecurityToken":"","iamuser":true} I need value params awsAccessKey":"","awsSecretKey":"","awsSecurityToken but it's empty how can I get it in this Apilg...

Does the 'SecretCache' functionality still exist with v2 of the Java SDK? I found this reference, but this appears to be for v1 (https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets_cache-java.html). I'm unable to find any information on it w/ v2?lg...