Hello,
Based on what you have described, it looks like the IAM policy attached to the role does not include the complete ARN of the secret in the "Resource" element of the policy. The ARN format you have used, "arn:aws:secretsmanager:*:{AccountNumber}:secret:rds/staging/secretName", ends with just the secret name. However, the format of a secret's ARN is arn:${Partition}:secretsmanager:${Region}:${Account}:secret:${SecretId}, which will not contain just the name of the secret; a dash followed by a string of characters unique to that secret is also appended.
The following CLI command will provide the complete ARN of the secret considering that rds/staging/secretName is the name of your secret:
aws secretsmanager describe-secret --secret-id rds/staging/secretName
You would also find the complete ARN of the secret in the Secrets Manager console -> by selecting the name of the secret -> under "Secret details" section.
Our documentation below covers details as to why the secret ARN contains the dash and a string of characters following the name of the secret.
Permissions reference for Secrets Manager - Secrets Manager resources - https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_iam-permissions.html#iam-resources
"Secrets Manager constructs the last part of the secret ARN by appending a dash and six random alphanumeric characters at the end of the secret name. If you delete a secret and then recreate another with the same name, this formatting helps ensure that individuals with permissions to the original secret don't automatically get access to the new secret because Secrets Manager generates six new random characters."
Please ensure that you include the complete ARN of the secret in the "Resource" element of the IAM policy; that should grant your role access to the APIs under statements VisualEditor2 and VisualEditor0 for the two secrets you have tried to grant access to.
You can try adding the "SecretsManagerReadWrite" permission policy to the role in IAM. Line 25 of this policy sets "Resource" to *.
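To make the ARN-matching point in the two answers above concrete, here is an added Python example that is not code from either answer or from AWS. It applies IAM's Resource wildcard rules (`*` matches any run of characters, `?` matches exactly one) to a constructed policy and a constructed secret ARN, showing why a Resource that ends with the bare secret name never matches, why the complete ARN does, and how broad a Resource of `*` is. The account number, region and six-character suffix are made-up sample values; the `-??????` form, which matches a secret by name without hard-coding the random suffix, is taken from the AWS documentation and is not mentioned in the answers.

```python
import re

# Constructed sample values: the account number, region and the six-character
# suffix are invented for this example.
ACCOUNT = "123456789012"
SECRET_NAME = "rds/staging/secretName"
# Secrets Manager builds the ARN from the secret name plus "-" and six random
# alphanumeric characters; "AbC1dE" stands in for that random suffix.
FULL_SECRET_ARN = (
    f"arn:aws:secretsmanager:us-east-1:{ACCOUNT}:secret:{SECRET_NAME}-AbC1dE"
)
# A second, unrelated secret whose name merely starts with the same prefix.
OTHER_SECRET_ARN = (
    f"arn:aws:secretsmanager:us-east-1:{ACCOUNT}:secret:{SECRET_NAME}-backup-Zz9Yy8"
)

# Constructed policy: one statement per way of writing the Resource element.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # The pattern from the question: region wildcarded, suffix missing.
            "Sid": "NameOnly",
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": f"arn:aws:secretsmanager:*:{ACCOUNT}:secret:{SECRET_NAME}",
        },
        {   # The complete ARN, as shown by `aws secretsmanager describe-secret`.
            "Sid": "CompleteArn",
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": FULL_SECRET_ARN,
        },
        {   # Name plus "-??????": one '?' per random suffix character.
            "Sid": "SuffixWildcard",
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": f"arn:aws:secretsmanager:*:{ACCOUNT}:secret:{SECRET_NAME}-??????",
        },
        {   # Resource "*" (as in SecretsManagerReadWrite) covers every secret.
            "Sid": "AllSecrets",
            "Effect": "Allow",
            "Action": "secretsmanager:*",
            "Resource": "*",
        },
    ],
}


def arn_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate an IAM Resource pattern into an anchored regex.

    IAM treats '*' as any sequence of characters (including ':' and '/')
    and '?' as exactly one character; everything else is literal.
    """
    escaped = re.escape(pattern)
    regex = escaped.replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + regex + "$")


def resource_matches(pattern: str, arn: str) -> bool:
    """True if the Resource pattern covers the given ARN."""
    return arn_pattern_to_regex(pattern).match(arn) is not None


def statements_covering(policy: dict, arn: str) -> list:
    """Sids of Allow statements whose Resource element covers `arn`.

    Only the Resource element is evaluated here; Action, Condition and
    Deny statements are deliberately left out of this illustration.
    """
    sids = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        if any(resource_matches(r, arn) for r in resources):
            sids.append(stmt.get("Sid", "<no Sid>"))
    return sids


if __name__ == "__main__":
    for arn in (FULL_SECRET_ARN, OTHER_SECRET_ARN):
        print(arn)
        for stmt in POLICY["Statement"]:
            verdict = "allows" if resource_matches(stmt["Resource"], arn) else "no match"
            print(f"  {stmt['Sid']:15} {verdict}")
```

Running the block prints, for each constructed ARN, which statement covers it: only `CompleteArn`, `SuffixWildcard` and `AllSecrets` cover the first secret, and only `AllSecrets` covers the unrelated second secret, which is the scoping difference between the two answers above. To check a real policy, paste the ARN from the `describe-secret` output in place of `FULL_SECRET_ARN`.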
Hi AWS-User-1866056, If any of the answers provided helped you, please let the community know by clicking the "Accept" button. This allows other community members to also benefit from it. Thank you for your participation.