
How do I resolve AWS KMS key access errors after I tried to retrieve an encrypted Secrets Manager secret?

I tried to retrieve or access an encrypted AWS Secrets Manager secret, but I received an AWS Key Management Service (AWS KMS) key access error.

Resolution

If you can't retrieve or access a Secrets Manager secret because of AWS KMS key permission issues, then you might receive one of the following errors:

  • "You can't access a secret from a different AWS account if you encrypt the secret with the default KMS service key."
  • "Access to KMS is not allowed"
  • "InternalFailure"
  • "An unknown error occurred"
  • "Access to KMS is not allowed. This version of secret is not encrypted with the current KMS key."

To resolve this issue, update the key policy of the AWS KMS key (and, for another account, the identity-based policy of the calling principal) so that the principal is allowed to use the key. Then, if the secret's current version was encrypted with a different key, reencrypt the secret so that a new version is created under the updated AWS KMS key.

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

AWS managed keys

If you need to access the secret from another account, first verify that the secret isn't encrypted with the AWS managed key for Secrets Manager (aws/secretsmanager). You can't access a secret that's encrypted with the AWS managed key from another account.

AWS managed key policies are read only, so you can't edit them and you can't grant cross-account permissions in them. To share the secret with another account, encrypt it with a customer managed key whose key policy you control.

Cross-account access

For cross-account access, verify that both policies explicitly allow the principal to use the AWS KMS key: the identity-based policy that's attached to the principal in the calling account, and the resource-based policy (key policy) of the AWS KMS key in the account that owns the key. Because the key is in a different account, the identity-based policy must reference the key by its full ARN.

Example identity-based policy in the calling account that allows the principal to use the AWS KMS key:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "kms:Decrypt",
          "Resource": "arn:aws:kms:Region:AccountID:key/EncryptionKey"
        }
      ]
    }

Example statement to add to the KMS key policy (the key's resource-based policy) in the account that owns the key. Replace AccountID with the ID of the account that the principal belongs to:

    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::AccountID:user/UserName",
          "arn:aws:iam::AccountID:role/RoleName"
        ]
      },
      "Action": [
        "kms:Decrypt",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
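The following is an added example, not AWS code or part of this article. It is a deliberately simplified model of how AWS KMS authorizes the kms:Decrypt call that Secrets Manager makes on a caller's behalf (Allow statements only, no explicit Deny, only StringEquals conditions, no NotPrincipal or NotAction), written to show why the two policies above are both required across accounts, and why the AWS managed key can never be shared. The account IDs, key ARNs, role name and policies are constructed; the aws/secretsmanager policy is modeled on the one AWS attaches to that key (any principal, restricted by kms:CallerAccount and kms:ViaService), not copied from it.

```python
from fnmatch import fnmatchcase

REGION = "us-east-1"
KEY_OWNER = "111111111111"       # constructed: account that owns the key and the secret
CALLER_ACCOUNT = "222222222222"  # constructed: account whose role reads the secret
CALLER_ROLE = f"arn:aws:iam::{CALLER_ACCOUNT}:role/SecretReader"
CMK_ARN = f"arn:aws:kms:{REGION}:{KEY_OWNER}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
AWS_MANAGED_KEY_ARN = f"arn:aws:kms:{REGION}:{KEY_OWNER}:key/0000aaaa-aws-managed-key"
VIA_SECRETS_MANAGER = f"secretsmanager.{REGION}.amazonaws.com"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _account_of(arn):
    return arn.split(":")[4]

def _principal_matches(principal, principal_arns):
    """True when the statement names one of principal_arns, or everyone ("*")."""
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    return "*" in aws or any(p in aws for p in principal_arns)

def _conditions_match(condition, ctx):
    """Only StringEquals is modeled; it is the operator aws/secretsmanager uses."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            return False
        if any(ctx.get(k) not in _as_list(v) for k, v in pairs.items()):
            return False
    return True

def key_policy_allows(key_policy, principal_arns, action, ctx):
    """Resource-based side: an Allow statement in the key policy itself."""
    return any(
        s.get("Effect") == "Allow"
        and _principal_matches(s.get("Principal", {}), principal_arns)
        and any(fnmatchcase(action, a) for a in _as_list(s["Action"]))
        and _conditions_match(s.get("Condition", {}), ctx)
        for s in key_policy["Statement"])

def identity_policy_allows(identity_policy, action, resource_arn):
    """Identity-based side: the caller's IAM policy, which must name the key by ARN."""
    return any(
        s.get("Effect") == "Allow"
        and any(fnmatchcase(action, a) for a in _as_list(s["Action"]))
        and any(fnmatchcase(resource_arn, r) for r in _as_list(s["Resource"]))
        for s in identity_policy["Statement"])

def can_decrypt(key_arn, key_policy, caller_arn, identity_policy):
    """Decide kms:Decrypt for the call Secrets Manager makes on the caller's behalf."""
    action = "kms:Decrypt"
    # condition keys KMS populates when Secrets Manager calls it for this caller
    ctx = {"kms:CallerAccount": _account_of(caller_arn), "kms:ViaService": VIA_SECRETS_MANAGER}
    root = f"arn:aws:iam::{_account_of(caller_arn)}:root"
    direct = key_policy_allows(key_policy, [caller_arn], action, ctx)
    via_root = key_policy_allows(key_policy, [root], action, ctx)  # root grant delegates to IAM
    by_identity = identity_policy_allows(identity_policy, action, key_arn)
    if _account_of(key_arn) != _account_of(caller_arn):
        return (direct or via_root) and by_identity  # cross-account: both sides must allow
    return direct or (via_root and by_identity)      # same account: a direct grant suffices

def aws_managed_key_policy():
    """Modeled on the read-only policy of aws/secretsmanager: any principal, but
    only from the key-owning account and only through Secrets Manager."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": "*"}, "Resource": "*",
        "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*",
                   "kms:CreateGrant", "kms:DescribeKey"],
        "Condition": {"StringEquals": {"kms:CallerAccount": KEY_OWNER,
                                       "kms:ViaService": VIA_SECRETS_MANAGER}}}]}

def customer_key_policy(shared_with=()):
    """Editable policy: root delegation for the owner, plus the cross-account statement."""
    statements = [{"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{KEY_OWNER}:root"},
                   "Action": "kms:*", "Resource": "*"}]
    if shared_with:
        statements.append({"Effect": "Allow", "Principal": {"AWS": list(shared_with)},
                           "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}

# identity policy attached to CALLER_ROLE; it names both keys so that the
# managed-key scenario below fails on the key policy alone
READER_IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": [CMK_ARN, AWS_MANAGED_KEY_ARN]}]}
NO_KMS_IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": []}

def scenarios():
    """The configurations behind the errors listed above, and the one that works."""
    return {
        "aws_managed_key_cross_account": can_decrypt(AWS_MANAGED_KEY_ARN, aws_managed_key_policy(), CALLER_ROLE, READER_IDENTITY_POLICY),
        "cmk_key_policy_only": can_decrypt(CMK_ARN, customer_key_policy([CALLER_ROLE]), CALLER_ROLE, NO_KMS_IDENTITY_POLICY),
        "cmk_identity_policy_only": can_decrypt(CMK_ARN, customer_key_policy(), CALLER_ROLE, READER_IDENTITY_POLICY),
        "cmk_both_policies": can_decrypt(CMK_ARN, customer_key_policy([CALLER_ROLE]), CALLER_ROLE, READER_IDENTITY_POLICY),
    }
```

Only the last scenario succeeds. The first fails on the kms:CallerAccount condition in the managed key's policy, which no edit can change; the second and third each have one of the two policies missing. Note that in the same account a key policy statement that names the principal directly is sufficient, which is why same-account setups often work with no KMS permissions in IAM and then break as soon as a second account is involved.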

Reencrypt the secret with the updated AWS KMS key

Use the Secrets Manager console or the AWS CLI to reencrypt the secret with the updated AWS KMS key.

Secrets Manager console

Note: If you use the Secrets Manager console, then Secrets Manager creates a new version of the secret and encrypts it with the updated key. Make sure that applications that use the secret have permission to decrypt the secret with the updated key. For more information, see Secret encryption and decryption in Secrets Manager.

  1. Open the Secrets Manager console.
  2. For Secret name, choose your secret.
  3. Choose Actions, and then choose Edit encryption key.
  4. Select Create new version of secret with new encryption key, and then choose Save.

AWS CLI

Complete steps 1-3 from the account that owns the secret, and step 4 from the other account:

  1. Run the get-secret-value command to get the current secret value:

    aws secretsmanager get-secret-value --secret-id arn:aws:secretsmanager:us-east-1:123456789012:secret:cross-account --query SecretString --output text

    {"CrossAccount":"DefaultEncryption"}

  2. Create a file named creds.txt that contains the secret value:

    cat creds.txt

    {"CrossAccount":"DefaultEncryption"}

  3. Run the update-secret command to write the value back. Secrets Manager stores it as a new version (staged AWSCURRENT) that's encrypted with the secret's current AWS KMS key:

    aws secretsmanager update-secret --secret-id arn:aws:secretsmanager:us-east-1:123456789012:secret:cross-account --secret-string file://creds.txt

    {
        "ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:cross-account",
        "Name": "cross-account",
        "VersionId": "f68246e8-1cfb-4c3b-952b-17c9298d3462"
    }

    Note: If the secret is encrypted with a customer managed key, then the caller also needs kms:GenerateDataKey and kms:Decrypt permissions on that key. Delete creds.txt after the update so that the plaintext secret doesn't remain on disk.

  4. Run the get-secret-value command from the other account (pass the named profile for that account after --profile):

    aws secretsmanager get-secret-value --secret-id arn:aws:secretsmanager:us-east-1:123456789012:secret:cross-account --version-stage AWSCURRENT --profile

    {"CrossAccount":"DefaultEncryption"}
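The following is an added example, not AWS code or part of this article. It runs the same sequence as steps 1-4 (describe the secret, read the current value, write it back so that a new version is created under the current key, then read it from the other account) through boto3-style Secrets Manager clients that are passed in as parameters, so the logic can be exercised against fakes offline; run as a script it opens real boto3 sessions for two named profiles. It adds the check a practitioner wants first: whether the secret still uses the AWS managed key, which DescribeSecret signals by omitting KmsKeyId. The profile names and secret ARN on the command line, and the alias-suffix check, are assumptions.

```python
AWS_MANAGED_ALIAS = "alias/aws/secretsmanager"

def current_kms_key(sm, secret_id):
    """KmsKeyId from DescribeSecret. Secrets Manager omits the field when the
    AWS managed key aws/secretsmanager is in use, so None means 'AWS managed'."""
    return sm.describe_secret(SecretId=secret_id).get("KmsKeyId")

def uses_aws_managed_key(sm, secret_id):
    """The AWS managed key can never be granted to another account."""
    key = current_kms_key(sm, secret_id)
    # assumption: an explicitly set alias may also surface as the alias name/ARN
    return key is None or key.endswith(AWS_MANAGED_ALIAS)

def reencrypt_current_version(sm, secret_id):
    """Write the AWSCURRENT value back unchanged (steps 1-3). Secrets Manager
    stores it as a new version encrypted with the secret's current KMS key; on a
    customer managed key the caller needs kms:GenerateDataKey and kms:Decrypt."""
    value = sm.get_secret_value(SecretId=secret_id)
    if "SecretString" in value:
        resp = sm.update_secret(SecretId=secret_id, SecretString=value["SecretString"])
    else:  # binary secrets round-trip the same way
        resp = sm.update_secret(SecretId=secret_id, SecretBinary=value["SecretBinary"])
    return resp["VersionId"]

def read_from_other_account(sm_other, secret_id):
    """Step 4: fetch the AWSCURRENT version with the consuming account's credentials."""
    resp = sm_other.get_secret_value(SecretId=secret_id, VersionStage="AWSCURRENT")
    return resp.get("SecretString", resp.get("SecretBinary"))

def reencrypt_and_verify(sm_owner, sm_other, secret_id):
    """Refuse to proceed on the AWS managed key, otherwise re-encrypt and verify."""
    if uses_aws_managed_key(sm_owner, secret_id):
        raise RuntimeError(
            "secret is encrypted with aws/secretsmanager; move it to a customer managed "
            "key first (update-secret --kms-key-id) so the key policy can name the other account")
    version_id = reencrypt_current_version(sm_owner, secret_id)
    return version_id, read_from_other_account(sm_other, secret_id)

if __name__ == "__main__":
    import sys
    import boto3  # only the real run needs it, so it is imported here

    # assumed usage: python reencrypt.py <owner-profile> <other-profile> <secret-arn>
    owner_profile, other_profile, secret_arn = sys.argv[1:4]
    owner = boto3.Session(profile_name=owner_profile).client("secretsmanager")
    other = boto3.Session(profile_name=other_profile).client("secretsmanager")
    vid, val = reencrypt_and_verify(owner, other, secret_arn)
    # never echo the secret itself; the length is enough to confirm the read worked
    print(f"new version {vid}; other account read {len(val)} bytes/chars")
```

Because the value is passed straight from get_secret_value to update_secret, nothing is written to disk, which removes the creds.txt cleanup step from the CLI procedure. If step 4 still fails after this, the remaining suspects are the secret's own resource policy and the other account's identity policy, not the ciphertext.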

Related information

How to use resource-based policies in the AWS Secrets Manager console to securely access secrets across AWS accounts

How do I share AWS Secrets Manager secrets between AWS accounts?

Access AWS Secrets Manager secrets from a different account