ktk.stackunderflow

Reputation: 11

AWS - Secrets Manager List the Secrets that the User has read access to

I'm trying to create a policy such that the user can only list a few secrets. I don't want the user to see any secrets that they don't have access to. How can I achieve this?

So far, by a lot of trial and error, I believe there is no way to restrict the secrets that a user can view (through list secrets).

Apologies if this is a common question but I've tried searching a lot and couldn't find anything concrete.

For example, the following policy will give the user GET & Describe access to all secrets starting with 'key'. The Sid: "SecretsManagerListSecretUserHasAccessTo" part of the policy will allow the user to list all secrets.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SecretsManagerAccess1",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:Get*",
                "secretsmanager:Describe*"
            ],
            "Resource": [
                "arn:aws:secretsmanager:[region]:[acct-id]:secret:key*"
            ]
        },
        {
            "Sid": "SecretsManagerListSecretUserHasAccessTo",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:ListSecrets"
            ],
            "Resource": "*"
        }
    ]
}

If I try adding some string matching (see example below), then the user is unable to see any secrets (on the console). Error message: "Failed to fetch a list of secrets".

Ideally, the below policy should help the user only list keys that start with k. (OR any other condition also works).

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllResourcesSecretsManagerFullAccess",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:Get*",
                "secretsmanager:Describe*"
            ],
            "Resource": [
                "arn:aws:secretsmanager:[region]:[acct-id]:secret:key*"
            ]
        },
        {
            "Sid": "AllResourcesSecretsManagerNoTags",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:ListSecrets"
            ],
            "Resource": "arn:aws:secretsmanager:[region]:[acct-id]:secret:k*"
        }
    ]
}

Upvotes: 1

Views: 2085
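The behaviour the question describes follows from how the action is modelled: secretsmanager:ListSecrets does not support resource-level permissions, so an Allow for it only matches when Resource is "*". Scoping it to a secret ARN (as in the second policy) means no statement matches the request and the call is implicitly denied, which is the "Failed to fetch a list of secrets" the console shows. DescribeSecret and GetSecretValue do honour resource ARNs, so the practical pattern is: grant ListSecrets on "*", scope the read actions, and have the client hide the entries it cannot describe. The following is an added example, not code from the question or answer. It uses a constructed in-memory stand-in for the boto3 client; a real `boto3.client("secretsmanager")` is a drop-in replacement, since it exposes `list_secrets(NextToken=...)`, `describe_secret(SecretId=...)`, and raises `botocore.exceptions.ClientError` with `.response["Error"]["Code"]`, which is the shape the code checks. The account ID, region, secret names and the "readable iff the name starts with a prefix" IAM model are all assumptions made for the demo.

```python
"""Filter ListSecrets output down to the secrets the caller can actually read.

ListSecrets ignores resource ARNs and returns metadata for every secret in the
account, so the list itself cannot be restricted by policy. DescribeSecret can
be, so probe it per entry and drop the ones that come back AccessDenied.
Added example; FakeSecretsManager and its sample data are constructed.
"""

ACCESS_DENIED = "AccessDeniedException"


def error_code(exc):
    """AWS error code from a botocore ClientError-shaped exception, else None."""
    response = getattr(exc, "response", None) or {}
    return response.get("Error", {}).get("Code")


def list_all_secrets(client):
    """Follow ListSecrets NextToken pagination and yield every summary dict."""
    kwargs = {}
    while True:
        page = client.list_secrets(**kwargs)
        yield from page.get("SecretList", [])
        token = page.get("NextToken")
        if not token:
            return
        kwargs = {"NextToken": token}


def readable_secrets(client):
    """Names of the secrets the caller may DescribeSecret, in listing order.

    Only AccessDeniedException is treated as "not ours"; anything else
    (throttling, a policy that denies ListSecrets entirely) is re-raised so a
    broken policy surfaces instead of silently producing an empty list.
    """
    readable = []
    for summary in list_all_secrets(client):
        try:
            client.describe_secret(SecretId=summary["ARN"])
        except Exception as exc:
            if error_code(exc) == ACCESS_DENIED:
                continue
            raise
        readable.append(summary["Name"])
    return readable


class FakeClientError(Exception):
    """Mimics botocore ClientError: carries .response['Error']['Code']."""

    def __init__(self, code, operation):
        super().__init__(f"{code} when calling {operation}")
        self.response = {"Error": {"Code": code, "Message": str(self)}}


class FakeSecretsManager:
    """Offline stand-in for boto3's Secrets Manager client (constructed).

    ListSecrets is granted on "*" and pages MAX_RESULTS at a time.
    DescribeSecret is granted only on names starting with allowed_prefix,
    mirroring a policy Resource of ...:secret:<prefix>*. Assumed account/region.
    """

    MAX_RESULTS = 2
    ARN_PREFIX = "arn:aws:secretsmanager:us-east-1:123456789012:secret:"

    def __init__(self, names, allowed_prefix):
        self._names = list(names)
        self._allowed_prefix = allowed_prefix

    def list_secrets(self, NextToken=None):
        start = int(NextToken) if NextToken else 0
        chunk = self._names[start:start + self.MAX_RESULTS]
        # Real ARNs end in a random 6-char suffix; fake one so parsing is honest.
        page = {"SecretList": [{"Name": n, "ARN": f"{self.ARN_PREFIX}{n}-AbCdEf"}
                               for n in chunk]}
        if start + self.MAX_RESULTS < len(self._names):
            page["NextToken"] = str(start + self.MAX_RESULTS)
        return page

    def describe_secret(self, SecretId):
        name = SecretId[len(self.ARN_PREFIX):].rsplit("-", 1)[0]
        if not name.startswith(self._allowed_prefix):
            raise FakeClientError(ACCESS_DENIED, "DescribeSecret")
        return {"ARN": SecretId, "Name": name}


# Constructed sample: five secrets; policy allows Describe only on "key*".
SAMPLE_NAMES = ["key/db-password", "key/api-token", "prod/db-password",
                "other", "keyring"]


def demo():
    """Run the filter against the sample account with a 'key*' read policy."""
    return readable_secrets(FakeSecretsManager(SAMPLE_NAMES, allowed_prefix="key"))


if __name__ == "__main__":
    for name in demo():
        print(name)
```

Two caveats worth keeping in mind: this costs one DescribeSecret call per listed secret, so on large accounts prefer `list_secrets(Filters=[{"Key": "name", "Values": ["key"]}])` to shrink the candidate set first (a client-side convenience, not an access control); and while tag conditions such as `secretsmanager:ResourceTag/<key>` on the Get/Describe statements can replace name-prefix matching, they still cannot hide entries from ListSecrets.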

Answers (1)

tftd

Reputation: 17042

This is the policy we use to allow specific accounts access to a set of secrets. In most cases you need to wildcard all List and Get permissions for things to work in Terraform as well.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "secretsmanager:DescribeSecret",
        "secretsmanager:List*",
        "secretsmanager:Get*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:secretsmanager:${aws_region}:${aws_account_id_dev}:secret:dev/var/MY_SECRET",
        "arn:aws:secretsmanager:${aws_region}:${aws_account_id_dev}:secret:dev/var/MY_WILDCARD_SECRETS_*"
      ]
    }
  ]
}

The above will give the user access to the secret dev/var/MY_SECRET and to all secrets starting with dev/var/MY_WILDCARD_SECRETS_ (e.g. dev/var/MY_WILDCARD_SECRETS_1, dev/var/MY_WILDCARD_SECRETS_WHATEVER, etc.).

You could, of course, fine-tune this to be even more restrictive if you wish. The docs have some good examples to get you going:

https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html#auth-and-access_examples_read

Upvotes: 0
