GetSecretValue operation is not authorized error with AWS Secrets Manager


Solution 1

The policy needs to be created in IAM and attached to the user or role instead.

  1. Open the IAM Dashboard by searching for IAM on the AWS Search Bar.

  2. Click on "Users" or "Roles" on the left side.

  3. Search for the user or role and open it.

  4. Click "Add Permissions" or "Attach Policies".

  5. For users, click "Attach existing policies directly". (Roles don't need this step.)

  6. If you search and can't find a suitable policy, click "Create Policy".

  7. Choose "Secrets Manager" as the service and "GetSecretValue" as the action. (You can search for these at each step.)


  8. Click "Add ARN" under Resources and enter the region code as well as the secret ID with the 6-character mask. The preview ARN should reflect your complete ARN: arn:aws:secretsmanager:region:12345678910:secret:DatabaseSecret-??????

  9. Click "Add" then "Next: Tags" then "Next: Review".

  10. Enter a name within the constraints, and click "Create policy".

  11. Go back to the Attach Policy page and click the Refresh button (just above the table, on the right side).

  12. Search for your policy, click the checkbox and click "Attach policy".

  13. Test your application again.

Solution 2

The issue was that the IAM user that I was using did not have the SecretsManager execution policy attached. After adding that execution policy to the user it worked fine.

Solution 3

The Secrets Manager resource name should have a six-question-mark suffix, to match the 6 random characters assigned by Secrets Manager.

If we give DatabaseSecret as the resource name, it will throw "not authorized".

If we give DatabaseSecret-*, it will match other secrets too, such as DatabaseSecret-<anything-here>a1b2c3.

So, we must give DatabaseSecret-?????? and policy will be something like:

{
    "Version":"2012-10-17",
    "Statement": [
        {
        "Action": "secretsmanager:GetSecretValue",
        "Resource": "arn:aws:secretsmanager:region:12345678910:secret:DatabaseSecret-??????",
        "Effect": "Allow"
        }
    ]
}

More details here.
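The matching behaviour this answer describes, as an added example that is not part of the original post: a small IAM-style pattern matcher (`*` matches any run of characters, `?` exactly one) run over a constructed set of secret ARNs. The account ID is the one from the thread; the region and the secret names are made up for the demonstration. It evaluates the same single-statement policy with the three Resource spellings discussed above and shows which secrets each one actually covers.

```python
"""Which Secrets Manager ARNs does an IAM Resource pattern cover?

Added example, not code from the original page. It reproduces IAM's
wildcard rules for ARN strings only ('*' = any sequence, '?' = one
character); it does not model conditions, policy variables or Deny
statements from other policies.
"""
import json
import re

# Constructed sample data: account ID from the thread, hypothetical region
# and secret names. The trailing "-xxxxxx" is the 6-character suffix that
# Secrets Manager appends to every secret's ARN.
ACCOUNT = "12345678910"
REGION = "us-east-1"


def secret_arn(name_with_suffix):
    return f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:secret:{name_with_suffix}"


SECRETS = [
    secret_arn("DatabaseSecret-a1b2c3"),          # the secret we want to read
    secret_arn("DatabaseSecret-staging-d4e5f6"),  # another secret sharing the prefix
    secret_arn("DatabaseSecretBackup-g7h8i9"),    # same prefix, no dash after it
    secret_arn("OtherSecret-j0k1l2"),
]


def iam_pattern_to_regex(pattern):
    """Translate an IAM resource/action pattern into an anchored regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def matching_resources(policy_json, action, candidates):
    """Return the candidate ARNs that some Allow statement for `action` covers."""
    policy = json.loads(policy_json)
    allowed = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if not any(iam_pattern_to_regex(a).match(action) for a in actions):
            continue
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        for res in resources:
            rx = iam_pattern_to_regex(res)
            allowed.update(c for c in candidates if rx.match(c))
    return sorted(allowed)


def policy_for(resource_pattern):
    """The answer's single-statement policy with the given secret-name pattern."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Action": "secretsmanager:GetSecretValue",
            "Resource": secret_arn(resource_pattern),
            "Effect": "Allow",
        }],
    })


def compare_patterns():
    """Evaluate the three Resource spellings discussed in the thread."""
    results = {}
    for pattern in ("DatabaseSecret", "DatabaseSecret-*", "DatabaseSecret-??????"):
        results[pattern] = matching_resources(
            policy_for(pattern), "secretsmanager:GetSecretValue", SECRETS)
    return results


if __name__ == "__main__":
    for pattern, hits in compare_patterns().items():
        print(f"{pattern!r:26} -> {len(hits)} secret(s)")
        for arn in hits:
            print("    ", arn)
```

`DatabaseSecret` matches nothing (there is no ARN without the suffix), `DatabaseSecret-*` over-grants to every secret whose name starts with `DatabaseSecret-`, and `DatabaseSecret-??????` covers exactly the one secret named `DatabaseSecret`. The tightest option is still the full ARN reported by `aws secretsmanager describe-secret --secret-id DatabaseSecret`; the `??????` form is the usual compromise because the suffix changes if the secret is deleted and recreated under the same name. This is a local approximation of the matching rule, not a replacement for the IAM policy simulator.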

Author by Sidhu177

Updated on July 19, 2022

Comments

  • Sidhu177
    Sidhu177 almost 2 years

    I am looking to use AWS secret manager to store my RDS password. I have created my database entry in secret manager without any Rotation option, for now I just want to save a password and retrieve it from my local so I can test applications with it. I am trying to retrieve the password using the following code

    import boto3
    from botocore.exceptions import ClientError

    # aws_access_key_id / aws_secret_access_key are expected to be defined above;
    # 'Region' and 'DBName' are placeholders for the real region code and secret name.
    session = boto3.session.Session(aws_access_key_id=aws_access_key_id,
                                    aws_secret_access_key=aws_secret_access_key)
    client = session.client('secretsmanager', region_name='Region')
    try:
        get_secret_value_response = client.get_secret_value(SecretId='DBName')
    except ClientError as e:
        print(e)  # the AccessDeniedException below surfaces here
        raise
    

    And that is giving the following error

     An error occurred (AccessDeniedException) when calling the GetSecretValue operation: User: arn:aws:iam::12345678910:user/user is not authorized to perform: secretsmanager:GetSecretValue on resource: DBName
    

    I have also tried to add an IAM policy thinking that might fix it, but am unable to do so; I keep getting a "This Policy contains a Syntax error" message

    {
        "Version":"2012-10-17",
        "Statement": [
            {
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "arn:aws:secretsmanager:region:12345678910:secret:DatabaseSecret",
            "Effect": "Allow"
            }
        ]
    }
    

    I am trying to understand what's going wrong here. Appreciate any help.

    • Balu Vyamajala
      Balu Vyamajala about 3 years
      There will be a suffix for the secret name, correct? I usually give arn:aws:secretsmanager:us-east-1:12345678910:secret:DatabaseSecret-?????? as the resource name, having question marks in the suffix.
  • ADTC
    ADTC over 2 years
    It looks like the OP is attempting to add this JSON in the secret's "Resource Permissions" field. It won't work, as the policy needs to be created in IAM and attached to the user or role instead. I have outlined the full step-by-step guide in my own answer.
  • ADTC
    ADTC over 2 years
    Thanks to the short answer here, I have fixed my problem. Indeed, the policy needs to be created in IAM and attached to the user or role instead. I have outlined the full step-by-step guide in my own answer.