IAM Role Permissions Issue with Secrets Manager - Need Assistance


Hello AWS Community,

I hope this message finds you well. I am currently encountering challenges with IAM role permissions related to AWS Secrets Manager. Despite implementing a policy to limit access to specific secrets, the IAM role is still experiencing broader access.

Details:

Policy Information:

I have attached a policy similar to the one below to the IAM role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "secretsmanager:ListSecrets",
      "Resource": [
        "arn:aws:secretsmanager:region:account-id:secret:secret-name-1"
      ]
    }
  ]
}

Error Message:

An error is occurring when attempting to perform the ListSecrets operation:

An error occurred (AccessDeniedException) when calling the ListSecrets operation: User: arn:aws:sts::xxxxxx:assumed-role/ec2-xxxx-dev-s3-role/xxxxx is not authorized to perform: secretsmanager:ListSecrets

Atharv
asked 5 months ago, 223 views
1 Answer

The problem comes from the "Resource". If you specify a specific Resource, it's because you want to perform a specific operation (or operations, indicated in the Action) over that resource. However, ListSecrets (the same as ListBuckets in S3) lists the available secrets and, thus, it applies over all the available secrets in the account (or in that specific region in the account). Therefore, you should not indicate a specific Secret in the Resource part of the policy. Instead, you should specify that you want to access any secret in the Resource part of the policy. For instance:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "secretsmanager:ListSecrets",
      "Resource": "*"
    }
  ]
}

You can find more examples here: https://docs.aws.amazon.com/mediaconnect/latest/ug/iam-policy-examples-asm-secrets.html

AWS
answered 5 months ago
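As an added example (not part of the question or the answer above), a small Python check that flags the pattern discussed in this thread, a list-type action bound to a specific ARN that IAM will never match, together with a builder for the split policy that keeps ListSecrets on "*" while scoping value reads to named secrets. The s3:ListAllMyBuckets entry and the GetSecretValue/DescribeSecret actions are assumptions beyond what the page shows.

```python
import json

# Actions IAM evaluates only against Resource "*": granting them on a specific
# ARN never matches, so the call is denied (the AccessDeniedException in the
# question). ListSecrets is from the page; s3:ListAllMyBuckets (the IAM action
# behind the S3 ListBuckets call the answer mentions) is an assumed analogue.
WILDCARD_ONLY_ACTIONS = {"secretsmanager:ListSecrets", "s3:ListAllMyBuckets"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def find_misscoped_statements(policy):
    """Return (statement index, action) pairs where a wildcard-only action is
    bound to a non-'*' Resource. Such statements silently grant nothing."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "*" in _as_list(stmt.get("Resource", [])):
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action in WILDCARD_ONLY_ACTIONS:
                findings.append((i, action))
    return findings


def least_privilege_policy(secret_arns):
    """Split the grant: enumerate on '*' (names/metadata only, never values),
    and read values only for the named secret ARNs."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "secretsmanager:ListSecrets",
             "Resource": "*"},
            {"Effect": "Allow",
             "Action": ["secretsmanager:GetSecretValue",
                        "secretsmanager:DescribeSecret"],
             "Resource": list(secret_arns)},
        ],
    }


# Constructed sample: the policy from the question, with its placeholder ARN.
SECRET_ARN = "arn:aws:secretsmanager:region:account-id:secret:secret-name-1"
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "secretsmanager:ListSecrets",
                   "Resource": [SECRET_ARN]}],
}

if __name__ == "__main__":
    print("misscoped:", find_misscoped_statements(QUESTION_POLICY))
    print(json.dumps(least_privilege_policy([SECRET_ARN]), indent=2))
```

Run the same check over policies before attaching them; a ListSecrets grant on "*" exposes only secret names and metadata, so the value-reading actions remain the ones to keep tightly scoped.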
