JeremP

Reputation: 47

Restrict access to resources from AWS Secrets Manager to a group

I have in my AWS Secrets Manager a few keys that need to be accessed from an EC2 instance using the command: aws secretsmanager get-secret-value --secret-id Test/Dev-key

I have created an IAM user that will only be used for this purpose and created an IAM group to apply the SecretManagerPolicy that I created. I want this user to only have access to the keys having Test/ in their names. So here is the policy I've made:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "secretsmanager:*",
            "Resource": "arn:aws:secretsmanager:*:*:secret:Test/*"
        }
    ]
}

My user cannot access any keys or list them. If I replace the Resource field with the full ARN of a secret, I can list all of them.

I also tried to add a condition using tags, but I can still list secrets without the tag.

Either I can access all secrets or none.

Upvotes: 0

Views: 1158

Answers (1)

John Rotenstein

Reputation: 269400

It worked for me.

To reproduce your situation, I did the following:

  • Created a Secret prefixed by Test/
  • Created an IAM User with this policy (and no other permissions):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "secretsmanager:*",
            "Resource": "arn:aws:secretsmanager:*:*:secret:Test/*"
        }
    ]
}
  • Ran these commands with credentials from that IAM User:
aws secretsmanager get-secret-value --secret-id Test/bob --profile stack
{
    "ARN": "arn:aws:secretsmanager:ap-southeast-2:123456789012:secret:Test/bob-zWgaQW",
    "Name": "Test/bob",
    "VersionId": "...",
    "SecretString": "{\"foo\":\"bar\"}",
    "VersionStages": [
        "AWSCURRENT"
    ],
    "CreatedDate": "2021-08-06T21:07:20.083000+10:00"
}

aws secretsmanager list-secrets --profile stack
{
    "SecretList": [
        {
            "ARN": "arn:aws:secretsmanager:ap-southeast-2:123456789012:secret:Test/bob-zWgaQW",
            "Name": "Test/bob",
            "LastChangedDate": "2021-08-06T21:07:20.089000+10:00",
            "LastAccessedDate": "2021-08-06T10:00:00+10:00",
            "Tags": [],
            "SecretVersionsToStages": {
                "...": [
                    "AWSCURRENT"
                ]
            },
            "CreatedDate": "2021-08-06T21:07:20.042000+10:00"
        }
    ]
}

I then added a secret that was not in the Test/ prefix, and I was then unable to list-secrets as shown above. I then deleted that extra secret and was still unable to list secrets (possibly because the secret takes 7 days to be deleted).

Upvotes: 1
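A small policy-evaluation sketch, added here and not part of the question or the answer: it reproduces IAM's wildcard matching on the ARN pattern from the question (the random suffix after Test/bob in the answer's output is why Test/* rather than Test/bob is needed) and places the question's secretsmanager:* policy beside a least-privilege version that grants only the read actions on the prefix. It assumes a simplified evaluator (Deny beats Allow, no condition keys), models ListSecrets against resource "*" because AWS documents ListSecrets as not supporting resource-level permissions, and uses constructed secret ARNs.

```python
import re

# Constructed secret ARNs in the shape the answer shows (random suffix appended to the name).
TEST_SECRET = "arn:aws:secretsmanager:ap-southeast-2:123456789012:secret:Test/bob-zWgaQW"
OTHER_SECRET = "arn:aws:secretsmanager:ap-southeast-2:123456789012:secret:Prod/db-Ab12Cd"

# The question's policy: every Secrets Manager action, scoped to the Test/ prefix.
PREFIX_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "secretsmanager:*",
        "Resource": "arn:aws:secretsmanager:*:*:secret:Test/*",
    }],
}

# Least-privilege variant: read actions on the prefix; ListSecrets on "*" (AWS documents it as not resource-scoped).
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
         "Resource": "arn:aws:secretsmanager:*:*:secret:Test/*"},
        {"Effect": "Allow", "Action": "secretsmanager:ListSecrets", "Resource": "*"},
    ],
}

def _iam_match(pattern, value, case_sensitive):
    """IAM wildcard matching: '*' spans any run of characters (including ':' and '/'), '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, 0 if case_sensitive else re.IGNORECASE) is not None

def is_allowed(policy, action, resource):
    """Simplified IAM evaluation (assumption: no conditions): a matching Deny wins, else a matching Allow grants."""
    decision = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        action_ok = any(_iam_match(a, action, case_sensitive=False) for a in actions)  # actions: case-insensitive
        resource_ok = any(_iam_match(r, resource, case_sensitive=True) for r in resources)  # ARNs: case-sensitive
        if action_ok and resource_ok:
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision

if __name__ == "__main__":
    for name, policy in (("prefix-only", PREFIX_ONLY_POLICY), ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        print(name, is_allowed(policy, "secretsmanager:GetSecretValue", TEST_SECRET), is_allowed(policy, "secretsmanager:GetSecretValue", OTHER_SECRET), is_allowed(policy, "secretsmanager:ListSecrets", "*"))
```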
