user10916892

Reputation: 997

AWS IAM Resource Policy - Issues with NotPrincipal resource policy in secrets manager

I am logged in as LeadDeveloperRole in the AWS console and created a secret in Secrets Manager. I want this secret to be accessible only to LeadDeveloperRole and AdminRole, so I used the resource policy below on this secret. While saving this policy it shows an error saying:

"This resource policy will not allow you to manage this secret in the future."

As per my understanding, Deny + NotPrincipal implies that apart from LeadDeveloperRole and AdminRole, no one will have access to this. Am I missing something here?

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "AWS":[
               "arn:aws:iam::111111111:role/LeadDeveloperRole",
               "arn:aws:iam::111111111:role/AdminRole"
            ]
         },
         "Action":[
            "secretsmanager:*"
         ],
         "Resource":"arn:aws:secretsmanager:region:111111111:secret:secretid-xxxx1i"
      },
      {
         "Effect":"Deny",
         "NotPrincipal":{
            "AWS":[
               "arn:aws:iam::111111111:role/LeadDeveloperRole",
               "arn:aws:iam::111111111:role/AdminRole"
            ]
         },
         "Action":[
            "secretsmanager:*"
         ],
         "Resource":"arn:aws:secretsmanager:region:111111111:secret:secretid-xxxx1i"
      }
   ]
}

UPDATED: I updated the policy with an explicit Allow, which gives the same error.

Upvotes: 1

Views: 1612

Answers (1)

rowanu

Reputation: 1722

Try adding the account principal to the list of NotPrincipals, as without it a request can be blocked, e.g. "arn:aws:iam::111111111:root" or just the account ID number.

From the docs:

When you use NotPrincipal with Deny, you must also specify the account ARN of the not-denied principal.

Upvotes: 0
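One way to catch exactly this mistake before saving a policy, as an added example that is not part of the question or the answer: a small Python check that flags Deny statements whose NotPrincipal list omits the account principal, and a helper that adds the account root ARN, run against the policy from the question. The function names lint_not_principal_deny and add_account_principal are my own; the account ID 111111111 is the placeholder used in the question.

```python
import json

# The policy as posted in the question: the Deny statement's NotPrincipal
# list names the two roles but not the account principal.
QUESTION_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::111111111:role/LeadDeveloperRole",
                           "arn:aws:iam::111111111:role/AdminRole"]},
     "Action": ["secretsmanager:*"],
     "Resource": "arn:aws:secretsmanager:region:111111111:secret:secretid-xxxx1i"},
    {"Effect": "Deny",
     "NotPrincipal": {"AWS": ["arn:aws:iam::111111111:role/LeadDeveloperRole",
                              "arn:aws:iam::111111111:role/AdminRole"]},
     "Action": ["secretsmanager:*"],
     "Resource": "arn:aws:secretsmanager:region:111111111:secret:secretid-xxxx1i"}
  ]
}""")


def account_principals(account_id):
    """Both spellings of the account principal: the root ARN and the bare account ID."""
    return {f"arn:aws:iam::{account_id}:root", account_id}


def lint_not_principal_deny(policy, account_id):
    """Return indexes of Deny + NotPrincipal statements that omit the account principal."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny" or "NotPrincipal" not in stmt:
            continue
        aws = stmt["NotPrincipal"].get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws  # "AWS" may be a string or a list
        if not account_principals(account_id) & set(aws):
            findings.append(i)
    return findings


def add_account_principal(policy, account_id):
    """Return a copy of the policy with the account root ARN added to each flagged statement."""
    fixed = json.loads(json.dumps(policy))  # deep copy; the input is left untouched
    for i in lint_not_principal_deny(fixed, account_id):
        aws = fixed["Statement"][i]["NotPrincipal"].get("AWS", [])
        aws = [aws] if isinstance(aws, str) else list(aws)
        aws.append(f"arn:aws:iam::{account_id}:root")
        fixed["Statement"][i]["NotPrincipal"]["AWS"] = aws
    return fixed


if __name__ == "__main__":
    print("statements missing the account principal:", lint_not_principal_deny(QUESTION_POLICY, "111111111"))
    print(json.dumps(add_account_principal(QUESTION_POLICY, "111111111"), indent=2))
```

The check is purely structural; it does not replace testing the saved policy with the roles that are supposed to keep access.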
