Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

AWS secret manager access deny issue

Tags:

amazon-web-services

aws-secrets-manager

I have a secret key (USRFTP) stored in ACCOUNT A, I want to access this key from EC2 box with role ASHISHROLE in ACCOUNT B. I am running python code to get secret key as given below, Using resource policy in secret key as given below, KMS policy is as given below, But still getting this issue

botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the GetSecretValue operation: User: arn:aws:sts::ACCOUNTB:assumed-role/ASHISHROLE /i-*********is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:us-east-2:ACCOUNTA:secret:USRFTP-KJHJH

    import boto3
    import base64
    from botocore.exceptions import ClientError
    def get_secret():
        secret_name = "arn:aws:secretsmanager:us-east-2:ACCOUNTA:secret:USRFTP"
        region_name = "us-east-2"
        # Create a Secrets Manager client
        session = boto3.session.Session()
        client = session.client(
            service_name='secretsmanager',
            region_name=region_name
        )
        print("here")

        get_secret_value_response = client.get_secret_value(
            SecretId=secret_name
        )
        if 'SecretString' in get_secret_value_response:
            return  get_secret_value_response['SecretString']
        else:
            return  base64.b64decode(get_secret_value_response['SecretBinary'])
    
    print(get_secret())

SECRET KEY RESOURCE POLICY
  

 {
  "Version" : "2012-10-17",
  "Statement" : [ {
    "Effect" : "Allow",
    "Principal" : {
      "AWS" : "arn:aws:iam::ACCOUNTB:role/ASHISHROLE"
    },
    "Action" : "secretsmanager:GetSecretValue",
    "Resource" : "*"
  } ]
}

KMS POLICY

    {
        "Id": "key-consolepolicy-3",
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Enable IAM User Permissions",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::ACCOUNTA:root"
                },
                "Action": "kms:*",
                "Resource": "*"
            },
            {
                "Sid": "Allow access for Key Administrators",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::ACCOUNTA:role/OKin"
                },
                "Action": [
                    "kms:Create*",
                    "kms:Describe*",
                    "kms:Enable*",
                    "kms:List*",
                    "kms:Put*",
                    "kms:Update*",
                    "kms:Revoke*",
                    "kms:Disable*",
                    "kms:Get*",
                    "kms:Delete*",
                    "kms:TagResource",
                    "kms:UntagResource",
                    "kms:ScheduleKeyDeletion",
                    "kms:CancelKeyDeletion"
                ],
                "Resource": "*"
            },
            {
                "Sid": "Allow use of the key",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::ACCOUNTB:root"
                },
                "Action": [
                    "kms:Encrypt",
                    "kms:Decrypt",
                    "kms:ReEncrypt*",
                    "kms:GenerateDataKey*",
                    "kms:DescribeKey"
                ],
                "Resource": "*"
            },
            {
                "Sid": "Allow attachment of persistent resources",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::ACCOUNTB:root"
                },
                "Action": [
                    "kms:CreateGrant",
                    "kms:ListGrants",
                    "kms:RevokeGrant"
                ],
                "Resource": "*",
                "Condition": {
                    "Bool": {
                        "kms:GrantIsForAWSResource": "true"
                    }
                }
            }
        ]
    }
like image 389
Jaishree Mishra Avatar asked Sep 03 '20 17:09

Jaishree Mishra

People also ask

How do I give access to secret Manager?

Open the Secrets Manager console at https://console.aws.amazon.com/secretsmanager/ . In the secret details page for your secret, in the Resource permissions section, choose Edit permissions. In the code field, do one of the following, and then choose Save: To attach or modify a resource policy, enter the policy.

Is AWS secrets manager down?

AWS Secrets Manager Status is Operational.

Can Secret managers have multiple versions?

Two versions of a secret can't have the same staging label. If a version doesn't have a label, Secrets Manager considers it deprecated. Secrets Manager removes deprecated secret versions when there are more than 100.

How do I grant Lambda access to secrets manager?

In order to grant a Lambda function access to Secrets Manager, we have to attach an IAM policy to the function's execution role. The policy should grant permissions for all the Actions the function needs to perform on the secrets.

How can I restrict access to secrets manager from other AWS services?

Make sure that requests to access the secret from other AWS services also come from the VPC, otherwise this policy will deny them access. The following policy allows a user to perform Secrets Manager operations only when the request comes through the VPC endpoint vpce-1234a5678b9012c.

What is the IAM policy for AWS secrets manager?

The following IAM policy allows read access to all resources that you create in AWS Secrets Manager. This policy applies to resources that you have created already and all resources that you create in the future. © 2021, Amazon Web Services, Inc. or its affiliates.

What is AWS/secretsmanager?

Secrets Manager uses AWS Key Management Service (AWS KMS) keys to encrypt secrets. The AWS managed key aws/secretsmanager automatically has the correct permissions.

How do I allow mediaconnect to read secrets stored in AWS?

This policy allows MediaConnect to read secrets that you have stored in AWS Secrets Manager. The settings for this policy are entirely up to you. The policy can range from most restrictive (allowing access to only specific secrets) to least restrictive (allowing access to any secret that you create using this AWS account).

1 Answers

The most difficult concept with cross-account permissions is that it requires granting permission from both directions.

In your situation, you have:

  • Secrets Manager in Account-A
  • EC2 instance in Account-B
  • An IAM Role (Role-B) in Account-B

This requires permissions from A to B:

  • The Secret in Account-A needs a "Secret Key Resource Policy" that permits access from Role-B (You have already done this)

And it also requires permissions from B to A:

  • Role-B must be given permission to access the Secret in Account-A

This might seem strange, but I like to think of it like this:

  • By default, an IAM User / IAM Role has no permission
  • To use the Secrets Manager (even in the same account), the IAM Role must be given permission such as secretsmanager:GetSecretValue -- otherwise it isn't permitted to do anything
  • By default, an AWS Account cannot be accessed from another AWS Account (eg I cannot access your account)
  • If an AWS Account is willing to have another account access it, then it must grant access. This can be done at the resource-level in services such as S3, SNS, SQS, KMS and Secrets Manager because they have the ability to create policies on resources. Services without this capability cannot grant cross-account access and must be used by assuming a role in the same account.

The configuration in your question appears to be missing the permissions that need to be granted to Role-B to access the Secrets Manager, such as:

{
      "Version" : "2012-10-17",
      "Statement" : [
        {
          "Effect": "Allow",
          "Action": "secretsmanager:GetSecretValue",
          "Resource": "arn:aws:secretsmanager:us-east-2:ACCOUNTA:secret:USRFTP"
        }
      ]
}
like image 151
John Rotenstein Avatar answered Nov 10 '22 23:11

John Rotenstein
Sign in to Comment

Related questions

AWS Lambda: async C# handler
With AWS SageMaker, is it possible to deploy a pre-trained model using the sagemaker SDK?
Lambda authorizer response using async/await in Node.js
Using Encrypted EBS Volumes in Auto Scaling Groups with CMK owned by a different AWS account
What is the difference between `Ref: logicalName` and `!Ref logicalName` in AWS Cloudformation templates in YAML?
How to run Tabler in production
What does 'Box-Usage' mean in AWS? [closed]
AWS Lambda vs EC2: Which one to choose
How to use an S3 uri?
Occasional 'temporary failure in name resolution' while connecting to AWS Aurora cluster
Enable object logging on s3 bucket via cloudformation
Search through values of all AWS Lambda function's environment variables in AWS account
Capistorano deploy SSHKit::Runner::ExecuteError : rake exit status: 1
aws eks create cluster error - us-east-1e does not currently have sufficient capacity to support the cluster [closed]
Need to make an identical copy of AWS IAM role (including policies and trust relationship it has)
Encrypted bucket notifications from S3 to SQS
Create multiple rules in AWS security Group
CloudWatch resource access policy error while creating Amazon Elasticsearch Service via Cloud Formation
Impact of migrating to Signature Version 4 in AWS SES where we use AWS SES SMTP credentials in sending email in PHP application?
AWS CLI for S3 Select

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!