GetSecretValue operation is not authorized error with AWS Secrets Manager

I am looking to use AWS secret manager to store my RDS password. I have created my database entry in secret manager without any Rotation option, for now I just want to save a password and retrieve it from my local so I can test applications with it. I am trying to retrieve the password using the following code

import boto3
from botocore.exceptions import ClientError

# aws_access_key_id / aws_secret_access_key hold the IAM user's credentials
session = boto3.session.Session(aws_access_key_id=aws_access_key_id,
                                aws_secret_access_key=aws_secret_access_key)
client = session.client('secretsmanager', region_name='Region')
get_secret_value_response = client.get_secret_value(SecretId='DBName')

And that is giving the following error

 An error occurred (AccessDeniedException) when calling the GetSecretValue operation: User: arn:aws:iam::12345678910:user/user is not authorized to perform: secretsmanager:GetSecretValue on resource: DBName

I have also tried to add an IAM policy, thinking that might fix it, but am unable to do so; I keep getting a "This Policy contains a Syntax error" message.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "arn:aws:secretsmanager:region:12345678910:secret:DatabaseSecret",
            "Effect": "Allow"
        }
    ]
}

I am trying to understand what's going wrong here. I appreciate any help.

Sidhu177 asked Mar 23 '21 04:03


2 Answers

The policy needs to be created in IAM and attached to the user or role instead.

  1. Open the IAM Dashboard by searching for IAM on the AWS Search Bar.

  2. Click on "Users" or "Roles" on the left side.

  3. Search for the user or role and open it.

  4. Click "Add Permissions" or "Attach Policies".

  5. For users, click "Attach existing policies directly". (Roles don't need this step.)

  6. If you search and can't find a suitable policy, click "Create Policy".

  7. Choose "Secrets Manager" as the service and "GetSecretValue" as the Action (you can search for these at each step).

  8. Click "Add ARN" under Resources and enter the region code as well as the secret ID with the 6-char mask. The preview ARN should reflect your complete ARN: arn:aws:secretsmanager:region:12345678910:secret:DatabaseSecret-??????

  9. Click "Add" then "Next: Tags" then "Next: Review".

  10. Enter a name within the constraints, and click "Create policy".

  11. Go back to the Attach Policy page and click the Refresh button (just above the table, on the right side).

  12. Search for your policy, click the checkbox and click "Attach policy".

  13. Test your application again.

ADTC answered Oct 12 '22 18:10


The Secrets Manager resource name should have a six-question-mark suffix, to match the 6 random characters assigned by Secrets Manager.

If we give DatabaseSecret as the resource name, it will throw "not authorized".

If we give DatabaseSecret-*, it will also match other secrets such as DatabaseSecret-<anything-here>a1b2c3.

So we must give DatabaseSecret-??????, and the policy will be something like:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "arn:aws:secretsmanager:region:12345678910:secret:DatabaseSecret-??????",
            "Effect": "Allow"
        }
    ]
}

More details here.

Balu Vyamajala answered Oct 12 '22 19:10
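As an added illustration (not code from either answer), the following Python applies the IAM resource wildcard rules (`*` matches any run of characters, `?` exactly one) to the three Resource patterns discussed above, and builds the least-privilege policy with the `??????`-masked ARN. The account id, region and secret ARNs are constructed sample values; `iam_resource_matches` and `allowed_by` are simplified helpers, not the real IAM evaluator (no Deny, conditions or case rules).

```python
import re

# Constructed sample ARNs: the real secret carries a random 6-character suffix,
# and a second secret with a longer name also exists in the same account.
ACCOUNT = "12345678910"
REGION = "region"
PREFIX = f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:secret:"
SECRET_ARN = PREFIX + "DatabaseSecret-a1b2c3"
OTHER_ARN = PREFIX + "DatabaseSecret-staging-x9y8z7"


def iam_resource_matches(pattern: str, arn: str) -> bool:
    """IAM-style wildcard match: '*' = any run of chars, '?' = exactly one."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, arn) is not None


def build_policy(secret_name: str, region: str, account: str) -> dict:
    """Identity policy granting GetSecretValue on one secret, using the
    six-question-mark mask for the random suffix Secrets Manager appends."""
    resource = f"arn:aws:secretsmanager:{region}:{account}:secret:{secret_name}-??????"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "secretsmanager:GetSecretValue",
                "Resource": resource,
            }
        ],
    }


def allowed_by(policy: dict, action: str, arn: str) -> bool:
    """True if some Allow statement covers both the action and the ARN
    (simplified: explicit Deny and Condition blocks are not evaluated)."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt["Resource"]
        resources = [resources] if isinstance(resources, str) else resources
        if any(iam_resource_matches(a, action) for a in actions) and any(
            iam_resource_matches(r, arn) for r in resources
        ):
            return True
    return False
```

Running `allowed_by(build_policy("DatabaseSecret", REGION, ACCOUNT), "secretsmanager:GetSecretValue", SECRET_ARN)` returns True, while the same check against `OTHER_ARN` returns False; the bare `DatabaseSecret` pattern matches neither ARN.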