I want to share my AWS Secrets Manager secret with another AWS account.
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
You must create and specify a custom AWS Key Management Service (AWS KMS) key to share secrets between accounts. You can't use the default KMS key when you share secrets between accounts. The default KMS key is created, managed, and used on your behalf by an AWS service that runs on AWS KMS. It's unique to your account and AWS Region, and you can only use it with the service that created it. For more information, see AWS KMS keys.
Configure the account that owns the secret
If you don't have a secret, then create a Secrets Manager secret. Make sure that you specify the Amazon Resource Name (ARN) in the KMS key ID parameter for the secret.
If you have an existing secret whose KMS key is specified by alias, then modify the secret so that the KMS key ID parameter contains the full KMS key ARN. You must use the full KMS key ARN, not an alias or a bare key ID, to access a secret from another account.
Important: In the following policies, replace the Principal ARN with the ARN of the identity in your destination account, the SecretARN with the ARN of the secret in your source account, and the KMS key ARN with the ARN of the key in your source account. Also replace YOUR-REGION with your Region.
Add the following statement to the key policy, and then replace the example values with your values:
{
    "Sid": "AllowUseOfTheKey",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::444455556666:user/username"
    },
    "Action": [
        "kms:Decrypt"
    ],
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "kms:ViaService": "secretsmanager.YOUR-REGION.amazonaws.com"
        },
        "StringLike": {
            "kms:EncryptionContext:SecretARN": "arn:aws:secretsmanager:YOUR-REGION:111122223333:secret:secretname-??????"
        }
    }
}
The kms:ViaService condition restricts the grant to decrypt calls that Secrets Manager makes in your Region, and the kms:EncryptionContext:SecretARN condition restricts it to this one secret. The six ? characters match the random suffix that Secrets Manager appends to every secret ARN. Then, attach a resource-based policy to the secret to grant the AWS Identity and Access Management (IAM) identity in the other account permission to access the secret.
Example secret resource-based policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::444455556666:user/username"
            },
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "*"
        }
    ]
}
Configure permissions in the other account that needs the secret
The IAM identity in the other account must have secretsmanager:GetSecretValue permission to retrieve the secret. Because the secret is encrypted with a KMS key, the identity must also have kms:Decrypt permission on that key. Both the secret and the key are in the source account, so both must be referenced by full ARN.
Attach the secretsmanager:GetSecretValue and kms:Decrypt permissions to the IAM identity that you want to use to retrieve the secret.
Example policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowGetSecretValue",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": [
                "arn:aws:secretsmanager:YOUR-REGION:777788889999:secret:secretname-??????"
            ]
        },
        {
            "Sid": "AllowKMSDecrypt",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": [
                "arn:aws:kms:YOUR-REGION:777788889999:key/secretnameKMS_id"
            ]
        }
    ]
}
Then, using credentials from the destination account, run the following get-secret-value command to retrieve the secret value from the source account:
aws secretsmanager get-secret-value --secret-id arn:aws:secretsmanager:YOUR-REGION:777788889999:secret:secretname --version-stage AWSCURRENT --region YOUR-REGION
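The steps above, as one added script that is not part of the AWS article: it renders the three policy documents (key policy statement, secret resource policy, and the reader's identity policy) from a handful of variables, rejects a KMS key reference that is not a full key ARN, and only calls the AWS CLI when APPLY=1. The account IDs, the role name secret-reader, the key ID and the secret name are constructed placeholders; override them through the environment.

```shell
#!/bin/sh
# Added example (not from the AWS article). Renders the cross-account policies
# the article describes and, only when APPLY=1, applies the secret policy and
# reads the secret with the AWS CLI. All IDs below are constructed placeholders.
set -eu

SOURCE_ACCOUNT="${SOURCE_ACCOUNT:-111122223333}"   # account that owns the secret and the key
DEST_ACCOUNT="${DEST_ACCOUNT:-444455556666}"       # account that reads the secret
DEST_PRINCIPAL="${DEST_PRINCIPAL:-arn:aws:iam::${DEST_ACCOUNT}:role/secret-reader}"
REGION="${REGION:-us-east-1}"
SECRET_NAME="${SECRET_NAME:-secretname}"
KMS_KEY_ARN="${KMS_KEY_ARN:-arn:aws:kms:${REGION}:${SOURCE_ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab}"

# Cross-account access needs the full key ARN, never an alias or bare key ID.
# Returns 0 only for the arn:aws:kms:<region>:<account>:key/<uuid> form.
is_full_key_arn() {
    printf '%s' "$1" | grep -Eq '^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[0-9a-f-]{36}$'
}

# Statement to merge into the SOURCE account's key policy. The two conditions
# confine the grant to decrypts that Secrets Manager in this Region performs
# for this one secret; the six '?' match the random ARN suffix.
render_key_policy_statement() {
    cat <<EOF
{
  "Sid": "AllowUseOfTheKey",
  "Effect": "Allow",
  "Principal": { "AWS": "${DEST_PRINCIPAL}" },
  "Action": [ "kms:Decrypt" ],
  "Resource": "*",
  "Condition": {
    "StringEquals": { "kms:ViaService": "secretsmanager.${REGION}.amazonaws.com" },
    "StringLike": { "kms:EncryptionContext:SecretARN": "arn:aws:secretsmanager:${REGION}:${SOURCE_ACCOUNT}:secret:${SECRET_NAME}-??????" }
  }
}
EOF
}

# Resource-based policy attached to the secret itself (SOURCE account).
render_secret_policy() {
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [ {
    "Effect": "Allow",
    "Principal": { "AWS": "${DEST_PRINCIPAL}" },
    "Action": "secretsmanager:GetSecretValue",
    "Resource": "*"
  } ]
}
EOF
}

# Identity policy for the reader in the DEST account. Both resources live in
# the source account, so both are named by full ARN.
render_identity_policy() {
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Sid": "AllowGetSecretValue", "Effect": "Allow",
      "Action": [ "secretsmanager:GetSecretValue" ],
      "Resource": [ "arn:aws:secretsmanager:${REGION}:${SOURCE_ACCOUNT}:secret:${SECRET_NAME}-??????" ] },
    { "Sid": "AllowKMSDecrypt", "Effect": "Allow",
      "Action": [ "kms:Decrypt" ],
      "Resource": [ "${KMS_KEY_ARN}" ] }
  ]
}
EOF
}

# Applies the secret policy (source credentials) and reads the secret (destination
# credentials). The key statement is not applied here: 'aws kms put-key-policy'
# replaces the entire key policy, so merge the statement into the existing
# policy document before calling it.
apply_and_read() {
    render_secret_policy > /tmp/secret-policy.json
    aws secretsmanager put-resource-policy --region "$REGION" \
        --secret-id "$SECRET_NAME" --resource-policy file:///tmp/secret-policy.json
    aws secretsmanager get-secret-value --region "$REGION" \
        --secret-id "arn:aws:secretsmanager:${REGION}:${SOURCE_ACCOUNT}:secret:${SECRET_NAME}" \
        --version-stage AWSCURRENT --query SecretString --output text
}

if ! is_full_key_arn "$KMS_KEY_ARN"; then
    echo "KMS_KEY_ARN must be a full key ARN, not an alias or key ID: $KMS_KEY_ARN" >&2
    exit 1
fi
render_key_policy_statement
render_secret_policy
render_identity_policy
if [ "${APPLY:-0}" = 1 ]; then
    apply_and_read
fi
```

Run it once without APPLY to review the three rendered documents; the key statement goes into the source account's key policy by hand (or through your policy tooling), then APPLY=1 with source-account credentials attaches the secret policy, and the final get-secret-value call succeeds only when run under destination-account credentials that carry the identity policy.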
Related information
Access AWS Secrets Manager secrets from a different account
How to access secrets across AWS accounts by attaching resource-based policies
How do I resolve AWS KMS key access errors after I tried to retrieve an encrypted Secrets Manager secret?