12

I have a secret key (USRFTP) stored in ACCOUNT A, I want to access this key from EC2 box with role ASHISHROLE in ACCOUNT B. I am running python code to get secret key as given below, Using resource policy in secret key as given below, KMS policy is as given below, But still getting this issue

botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the GetSecretValue operation: User: arn:aws:sts::ACCOUNTB:assumed-role/ASHISHROLE /i-*********is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:us-east-2:ACCOUNTA:secret:USRFTP-KJHJH

    import boto3
    import base64
    from botocore.exceptions import ClientError
    def get_secret():
        secret_name = "arn:aws:secretsmanager:us-east-2:ACCOUNTA:secret:USRFTP"
        region_name = "us-east-2"
        # Create a Secrets Manager client
        session = boto3.session.Session()
        client = session.client(
            service_name='secretsmanager',
            region_name=region_name
        )
        print("here")

        get_secret_value_response = client.get_secret_value(
            SecretId=secret_name
        )
        if 'SecretString' in get_secret_value_response:
            return  get_secret_value_response['SecretString']
        else:
            return  base64.b64decode(get_secret_value_response['SecretBinary'])
    
    print(get_secret())

SECRET KEY RESOURCE POLICY
  

 {
  "Version" : "2012-10-17",
  "Statement" : [ {
    "Effect" : "Allow",
    "Principal" : {
      "AWS" : "arn:aws:iam::ACCOUNTB:role/ASHISHROLE"
    },
    "Action" : "secretsmanager:GetSecretValue",
    "Resource" : "*"
  } ]
}

KMS POLICY

    {
        "Id": "key-consolepolicy-3",
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Enable IAM User Permissions",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::ACCOUNTA:root"
                },
                "Action": "kms:*",
                "Resource": "*"
            },
            {
                "Sid": "Allow access for Key Administrators",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::ACCOUNTA:role/OKin"
                },
                "Action": [
                    "kms:Create*",
                    "kms:Describe*",
                    "kms:Enable*",
                    "kms:List*",
                    "kms:Put*",
                    "kms:Update*",
                    "kms:Revoke*",
                    "kms:Disable*",
                    "kms:Get*",
                    "kms:Delete*",
                    "kms:TagResource",
                    "kms:UntagResource",
                    "kms:ScheduleKeyDeletion",
                    "kms:CancelKeyDeletion"
                ],
                "Resource": "*"
            },
            {
                "Sid": "Allow use of the key",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::ACCOUNTB:root"
                },
                "Action": [
                    "kms:Encrypt",
                    "kms:Decrypt",
                    "kms:ReEncrypt*",
                    "kms:GenerateDataKey*",
                    "kms:DescribeKey"
                ],
                "Resource": "*"
            },
            {
                "Sid": "Allow attachment of persistent resources",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::ACCOUNTB:root"
                },
                "Action": [
                    "kms:CreateGrant",
                    "kms:ListGrants",
                    "kms:RevokeGrant"
                ],
                "Resource": "*",
                "Condition": {
                    "Bool": {
                        "kms:GrantIsForAWSResource": "true"
                    }
                }
            }
        ]
    }
Jaishree Mishra
  • 545
  • 2
  • 5
  • 24
  • Did you follow the instructions in [Share Secrets Manager Secrets Between Accounts](https://aws.amazon.com/premiumsupport/knowledge-center/secrets-manager-share-between-accounts/), especially step #3 that grants IAM permission to the IAM Role to access the Secret in the Account-A? (You did not show this policy in your Question.) To explain, The IAM Role in Account-B must be specifically granted permission to call `secretsmanager:GetSecretValue` on the secret in Account-A (or all secrets) in additional to being granted access by the resource permissions added to the Secret itself. – John Rotenstein Sep 05 '20 at 04:46
  • @JohnRotenstein Please reply that as answer, So I can mark it as an answer. Yes I needed to add the policy in Account B as well. Also I had a syntax error like :secret:/* > which should be actual :secret:* – Jaishree Mishra Sep 07 '20 at 16:55

2 Answers2

15

The most difficult concept with cross-account permissions is that it requires granting permission from both directions.

In your situation, you have:

  • Secrets Manager in Account-A
  • EC2 instance in Account-B
  • An IAM Role (Role-B) in Account-B

This requires permissions from A to B:

  • The Secret in Account-A needs a "Secret Key Resource Policy" that permits access from Role-B (You have already done this)

And it also requires permissions from B to A:

  • Role-B must be given permission to access the Secret in Account-A

This might seem strange, but I like to think of it like this:

  • By default, an IAM User / IAM Role has no permission
  • To use the Secrets Manager (even in the same account), the IAM Role must be given permission such as secretsmanager:GetSecretValue -- otherwise it isn't permitted to do anything
  • By default, an AWS Account cannot be accessed from another AWS Account (eg I cannot access your account)
  • If an AWS Account is willing to have another account access it, then it must grant access. This can be done at the resource-level in services such as S3, SNS, SQS, KMS and Secrets Manager because they have the ability to create policies on resources. Services without this capability cannot grant cross-account access and must be used by assuming a role in the same account.

The configuration in your question appears to be missing the permissions that need to be granted to Role-B to access the Secrets Manager, such as:

{
      "Version" : "2012-10-17",
      "Statement" : [
        {
          "Effect": "Allow",
          "Action": "secretsmanager:GetSecretValue",
          "Resource": "arn:aws:secretsmanager:us-east-2:ACCOUNTA:secret:USRFTP"
        }
      ]
}
John Rotenstein
  • 241,921
  • 22
  • 380
  • 470
0

Thank you John for your answer, but I wanted to piggyback off of you because I also had this same issue. One thing I also noticed is that the "Principal" key is required when setting up these permissions. So here is something similar to what I had to do, just replaced my Principal value with a wildcard:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "ALLOW",
      "Action": "secretsmanager:GetSecretValue",
      "Principal": "*",
      "Resource": "**Your:resource:name:here**"
    }
  ]
}

So just make sure the Principal key is included at minimum and you should be good.

Ron
  • 151
  • 2