Hi,
Thanks for contacting us! I understand that you're facing an authorization issue while trying to access a Secrets Manager secret.
I understand that you have granted full permission to Secrets Manager APIs. However, I wanted to ask if your secret is encrypted with a KMS key by any chance. If so, could you please check if you have granted the relevant KMS permissions as outlined in [1]?
For example,
"To decrypt an encrypted secret value, Secrets Manager calls the AWS KMS Decrypt operation to decrypt the encrypted data key in the secret. Then, it uses the plaintext data key to decrypt the encrypted secret value." [1]
Secrets Manager calls the Decrypt operation in response to the GetSecretValue operation. Secrets Manager decrypts the secret value before returning it to the caller.
Further details on the permissions required are outlined in [1], under the "Permissions for the KMS key" section:
"When Secrets Manager uses a KMS key in cryptographic operations, it acts on behalf of the user who is creating or changing the secret value in the secret.
To use the KMS key for a secret on your behalf, the user must have the following permissions. You can specify these required permissions in an IAM policy or key policy.
kms:GenerateDataKey
kms:Decrypt"
Please let us know if this resolves your issue. If you need assistance with further troubleshooting, please open a support case and we'll be glad to assist!
I am having the same exact issue as OP. My IAM role was automatically generated by using the "Create New" option when modifying my database proxy. So it should be set up correctly on its own, right? When I look at the policy it generated, it appears to be correct and is giving permission to the correct secret and KMS key. The only difference is my policy only grants kms:Decrypt and does not grant kms:GenerateDataKey. Do I need to grant kms:GenerateDataKey if the proxy only needs to read the secret? And if so, then why does the "Create New" option exclude this permission when generating the role's policy?
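The support reply above quotes the documented split: reading a secret drives a kms:Decrypt call, while creating or changing the value drives kms:GenerateDataKey (and Decrypt). The follow-up asks whether a read-only role therefore needs GenerateDataKey at all. The script below is an added example written for this page, not code from AWS or from either poster: it takes an IAM policy document and reports which of the actions needed for a "read" or "write" path are not granted on the given secret and key ARNs. The sample policy, account id, region, secret name and key id are constructed placeholders. The checker only looks at Allow statements and does not evaluate Condition blocks (it reports them), so it is a pre-flight lint for a generated policy, not a substitute for IAM's own evaluation.

```python
import fnmatch

# Constructed placeholder ARNs (not values from the thread).
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/db-creds-AbCdEf"
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"

# Constructed sample: a least-privilege policy for a role that only READS a
# secret encrypted with a customer-managed KMS key. The kms:ViaService
# condition limits use of the key to requests made through Secrets Manager.
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": SECRET_ARN,
        },
        {
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": KEY_ARN,
            "Condition": {
                "StringEquals": {"kms:ViaService": "secretsmanager.us-east-1.amazonaws.com"}
            },
        },
    ],
}

# What each path needs, following the documentation quoted in the thread:
# reading calls Decrypt; creating or changing the value calls GenerateDataKey
# and Decrypt on the key.
REQUIRED = {
    "read": {"secretsmanager:GetSecretValue", "kms:Decrypt"},
    "write": {"secretsmanager:PutSecretValue", "kms:GenerateDataKey", "kms:Decrypt"},
}


def _as_list(value):
    """IAM allows a string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, text):
    """IAM-style match: '*' matches any run, '?' one character. Square brackets
    are escaped so fnmatch does not treat them as character classes."""
    return fnmatch.fnmatchcase(text, pattern.replace("[", "[[]"))


def grants(policy, action, resource_arn):
    """True if some Allow statement covers `action` on `resource_arn`.
    Actions are compared case-insensitively (as IAM does); resources are not.
    Deny statements and Condition blocks are deliberately not evaluated here."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(_wildcard_match(a, action.lower()) for a in actions):
            continue
        if any(_wildcard_match(r, resource_arn) for r in _as_list(stmt.get("Resource", []))):
            return True
    return False


def missing_permissions(policy, mode, secret_arn, key_arn):
    """Sorted list of required actions for `mode` ('read' or 'write') that the
    policy does not grant. kms:* actions are checked against the key ARN,
    everything else against the secret ARN."""
    missing = []
    for action in sorted(REQUIRED[mode]):
        target = key_arn if action.startswith("kms:") else secret_arn
        if not grants(policy, action, target):
            missing.append(action)
    return missing


def conditions(policy):
    """Condition blocks attached to Allow statements, so the reader can confirm
    the request context (e.g. kms:ViaService) will satisfy them."""
    return [s["Condition"] for s in _as_list(policy["Statement"]) if "Condition" in s]


if __name__ == "__main__":
    for mode in ("read", "write"):
        gap = missing_permissions(READ_ONLY_POLICY, mode, SECRET_ARN, KEY_ARN)
        print(f"{mode}: {'ok' if not gap else 'missing ' + ', '.join(gap)}")
    for cond in conditions(READ_ONLY_POLICY):
        print("condition to satisfy:", cond)
```

Run against the constructed policy, the read path reports no gaps while the write path reports kms:GenerateDataKey and secretsmanager:PutSecretValue as missing, which is the expected shape for a role whose only job is to fetch the secret. Swap in the policy document your console generated (via `aws iam get-role-policy` or the console JSON view) to see the same breakdown for your own role.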