Murarishetti Nikhil

Reputation: 11

AWS secretsmanager error, unable to list the secrets with particular prefix

I have added some secrets from an EC2 server to AWS Secrets Manager using the instance profile, with the prefix mysecrets*. Now I'm trying to list the secrets that are created in the account, but I get the error:

error: user is not authorized to perform ListSecrets operation

The IAM policy allows the action secretsmanager:ListSecrets, and the ARN is arn:aws:secretsmanger:region:accntid:secret:mysecrets*.

The command that I run:

aws secretsmanager list-secrets --region us-east-1

Error:

An error occurred (AccessDeniedException) when calling the ListSecrets operation: User: arn:aws:sts::xxxxxx:assumed-role/ec2-xxxx-dev-s3-role/xxxxx is not authorized to perform: secretsmanager:ListSecrets

Upvotes: 1

Views: 4227

Answers (1)

cosbor11

Reputation: 16024

Short Answer:

Retrieving Secrets by prefix is not supported by AWS (as of Jan 7 2020)

Here's Why:

You probably tried to set a resource ARN restriction in the policy along with the action ListSecrets. This will cause ListSecrets to appear in the policy JSON but not actually be granted to your user.

ListSecrets is an all-or-nothing deal; you can't restrict the ARN like you can with GetSecretValue.

You could try creating a separate policy attachment or statement without an ARN restriction, but if your intent is only to retrieve secrets with a specific prefix, this will not happen; it will return all of the secrets (yeah, I know, not very scalable).

See the link below for a list of actions you can and cannot associate with a context such as an ARN:

https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_iam-permissions.html

Upvotes: 4
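A worked illustration of the answer's point, added here and not part of the original question or answer. It puts the question's single prefix-scoped statement next to the two-statement fix (ListSecrets on Resource "*", GetSecretValue on the prefix ARN) and runs both through a deliberately simplified IAM evaluator: actions that do not support resource-level permissions are evaluated against the resource "*", so only a statement whose Resource matches "*" can grant them. The account ID, region, secret names and the random ARN suffixes are made-up placeholders; Deny, conditions, principals and NotAction/NotResource are not modelled.

```python
"""Why a prefix-scoped ListSecrets statement is denied, and what the fix looks like.

Added example, not from the original post. The evaluator below is a
simplified model of IAM policy evaluation, not the real service.
"""
import fnmatch
import json

# Made-up placeholders (not the question's real account or region).
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
PREFIX_ARN = f"arn:aws:secretsmanager:{REGION}:{ACCOUNT_ID}:secret:mysecrets*"

# Actions that, in this model, do not support resource-level permissions.
# IAM evaluates such a request against the resource "*", so only a statement
# whose Resource is (or matches) "*" can grant it.
NO_RESOURCE_LEVEL_ACTIONS = {"secretsmanager:ListSecrets"}

# Roughly the statement the question describes: both actions behind the prefix
# ARN. The ListSecrets entry is present in the JSON but never matches a request.
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["secretsmanager:ListSecrets", "secretsmanager:GetSecretValue"],
            "Resource": PREFIX_ARN,
        }
    ],
}

# The fix the answer describes: ListSecrets in its own statement with
# Resource "*"; GetSecretValue stays pinned to the prefix. Listing still
# exposes the names and metadata of every secret in the account.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListAllSecretsMetadata",
            "Effect": "Allow",
            "Action": "secretsmanager:ListSecrets",
            "Resource": "*",
        },
        {
            "Sid": "ReadOnlyMySecrets",
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": PREFIX_ARN,
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM wildcard semantics: "*" matches any run of characters, "?" one character.
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy, action, resource="*"):
    """Simplified IAM decision: an explicit Deny wins, otherwise any matching Allow.

    For actions in NO_RESOURCE_LEVEL_ACTIONS the request resource is forced to
    "*", which is exactly what makes the prefix-scoped ListSecrets statement miss.
    """
    requested = "*" if action in NO_RESOURCE_LEVEL_ACTIONS else resource
    decision = False
    for stmt in policy["Statement"]:
        action_hit = any(_matches(a, action) for a in _as_list(stmt["Action"]))
        resource_hit = any(_matches(r, requested) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision


def secrets_with_prefix(secret_list, prefix):
    """Client-side narrowing of a ListSecrets result: the call itself cannot be
    limited to a prefix, so the returned names are filtered here."""
    return sorted(s["Name"] for s in secret_list if s["Name"].startswith(prefix))


# Constructed sample of a ListSecrets SecretList (names only). Real ARNs carry
# a random suffix, e.g. ...:secret:mysecrets/db-AbCdEf, which "mysecrets*" covers.
SAMPLE_SECRET_LIST = [
    {"Name": "mysecrets/db"},
    {"Name": "mysecrets/api-key"},
    {"Name": "other-team/token"},
]

if __name__ == "__main__":
    db_arn = f"arn:aws:secretsmanager:{REGION}:{ACCOUNT_ID}:secret:mysecrets/db-AbCdEf"
    other_arn = f"arn:aws:secretsmanager:{REGION}:{ACCOUNT_ID}:secret:other-team/token-XyZ123"
    print("broken policy, ListSecrets      :", is_allowed(BROKEN_POLICY, "secretsmanager:ListSecrets"))
    print("fixed policy,  ListSecrets      :", is_allowed(FIXED_POLICY, "secretsmanager:ListSecrets"))
    print("fixed policy,  GetSecretValue ok:", is_allowed(FIXED_POLICY, "secretsmanager:GetSecretValue", db_arn))
    print("fixed policy,  GetSecretValue no:", is_allowed(FIXED_POLICY, "secretsmanager:GetSecretValue", other_arn))
    print("names under prefix:", secrets_with_prefix(SAMPLE_SECRET_LIST, "mysecrets"))
    print(json.dumps(FIXED_POLICY, indent=2))
```

The broken policy still grants GetSecretValue on a prefixed secret, which is why the question's EC2 role could create and read secrets while ListSecrets failed. The fixed policy's second statement is the real security boundary: listing leaks only names and metadata across the account, while values stay readable only under the mysecrets prefix.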
