Reputation: 6862
AWS Secrets Manger - Always Error even when the policy is correct
I have the following resource policy for my AWS Secrets Manager
{
"Version" : "2012-10-17",
"Statement" : [ {
"Sid" : "policyForSomething",
"Effect" : "Deny",
"Condition": {
"StringNotEquals": {
"aws:PrincipalArn": [ "arn:aws:sts::**********:assumed-role/####/USERG",
"arn:aws:sts::**********:assumed-role/####/USER1",
"arn:aws:sts::**********:assumed-role/####/USER2",
"arn:aws:sts::**********:assumed-role/####/USER3",
"arn:aws:sts::**********:assumed-role/####/USER4" ]
}
},
"Action" : "secretsmanager:*",
"Resource" : "arn:aws:secretsmanager:us-west-2:*******:secret:/*"
}]
}
When I try to check using New Policy wizard, I don't see any error. But when I put it in the Resource Policy area for Secrets Manager, it's always Complaining "This Resource policy contains a syntax error".
Other than the fact that "AWS UI and error messages aren't always helpful" - could anyone help me understanding why this is an issue?
Upvotes: 4
Views: 4183
Answers (1)
Reputation: 2193
You're required to have one of Principal and NotPrincipal in your resource-based policy. Try using Principal with Allow, or NotPrincipal with Deny.
Also, since you are using a resource-based policy, the Resource automatically and implicitly becomes the secret with your policy. (So you can safely use '*' there)
PrincipalwithAllow:{ "Version": "2012-10-17", "Statement": [{ "Sid": "policyForSomething", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:sts::**********:assumed-role/####/USERG", "arn:aws:sts::**********:assumed-role/####/USER1", "arn:aws:sts::**********:assumed-role/####/USER2", "arn:aws:sts::**********:assumed-role/####/USER3", "arn:aws:sts::**********:assumed-role/####/USER4" ] }, "Action": "secretsmanager:*", "Resource": "*" }] }NotPrincipalwithDeny:{ "Version": "2012-10-17", "Statement": [{ "Sid": "policyForSomething", "Effect": "Deny", "NotPrincipal": { "AWS": [ "arn:aws:sts::**********:assumed-role/####/USERG", "arn:aws:sts::**********:assumed-role/####/USER1", "arn:aws:sts::**********:assumed-role/####/USER2", "arn:aws:sts::**********:assumed-role/####/USER3", "arn:aws:sts::**********:assumed-role/####/USER4" ] }, "Action": "secretsmanager:*", "Resource": "*" }] }
Reference:
Upvotes: 3
Related Questions
- Unable to retrieve secret from secretsmanager on aws-ec2 using an IAM role
- AWS (ResourceNotFoundException) when calling the GetSecretValue operation: Secrets Manager can't find the specified secret
- GetSecretValue operation is not authorized error with AWS Secrets Manager
- Condition in AWS resource policy not allowing lambda to access Secrets Manager Secret
- AWS secret manager access deny issue
- secretsmanager:ResourceTag/environment doesn't work with *(star)
- AWS secretsmanager error, unable to list the secrets with particular prefix
- AWS Secrets Manager Exception AccessDenied
- Permission error when accessing AWS secrets manager from an EC2 instance
- AWS Secret Manager - 403 response on GetSecret