26

I am looking to use AWS Secrets Manager to store my RDS password. I have created my database entry in Secrets Manager without any rotation option; for now I just want to save a password and retrieve it from my local machine so I can test applications with it. I am trying to retrieve the password using the following code:

import boto3
from botocore.exceptions import ClientError

# placeholders for the IAM user's credentials (that user must be allowed GetSecretValue)
aws_access_key_id = '<access-key-id>'
aws_secret_access_key = '<secret-access-key>'
session = boto3.session.Session(aws_access_key_id=aws_access_key_id,
                                aws_secret_access_key=aws_secret_access_key)
client = session.client('secretsmanager', region_name='Region')  # e.g. 'us-east-1'
try:
    get_secret_value_response = client.get_secret_value(SecretId='DBName')
except ClientError as e:
    print(e)  # AccessDeniedException surfaces here when the user lacks the IAM permission

And that is giving the following error:

An error occurred (AccessDeniedException) when calling the GetSecretValue operation: User: arn:aws:iam::12345678910:user/user is not authorized to perform: secretsmanager:GetSecretValue on resource: DBName

I have also tried to add an IAM policy, thinking that might fix it, but I am unable to do so; I keep getting a "This Policy contains a Syntax error" message:

{
    "Version":"2012-10-17",
    "Statement": [
        {
        "Action": "secretsmanager:GetSecretValue",
        "Resource": "arn:aws:secretsmanager:region:12345678910:secret:DatabaseSecret",
        "Effect": "Allow"
        }
    ]
}

I am trying to understand what's going wrong here. Appreciate any help.

Sidhu177
  • 457
  • 1
  • 6
  • 13
  • There will be a suffix for the secret name, correct? I usually give `arn:aws:secretsmanager:us-east-1:12345678910:secret:DatabaseSecret-??????` as the resource name, having question marks in the suffix. – Balu Vyamajala Mar 23 '21 at 04:55

5 Answers

23

The policy needs to be created in IAM and attached to the user or role instead.

  1. Open the IAM Dashboard by searching for IAM on the AWS Search Bar.

  2. Click on "Users" or "Roles" on the left side.

  3. Search for the user or role and open it.

  4. Click "Add Permissions" or "Attach Policies".

  5. For users, click "Attach existing policies directly". (Roles don't need this step.)

  6. If you search and can't find a suitable policy, click "Create Policy".

  7. Choose "Secrets Manager" as the service and "GetSecretValue" as the action. (You can search for these on each step.)


  8. Click "Add ARN" under Resources and enter the region code as well as the secret ID with the 6-char mask. The preview ARN should reflect your complete ARN: arn:aws:secretsmanager:region:12345678910:secret:DatabaseSecret-??????

  9. Click "Add" then "Next: Tags" then "Next: Review".

  10. Enter a name within the constraints, and click "Create policy".

  11. Go back to the Attach Policy page and click the Refresh button (just above the table, on the right side).

  12. Search for your policy, click the checkbox and click "Attach policy".

  13. Test your application again.

ADTC
  • 8,999
  • 5
  • 68
  • 93
7

The Secrets Manager resource name should have a suffix of six question marks, to match the 6 random characters assigned by Secrets Manager.

If we give DatabaseSecret as the resource name, it will throw not authorized.

If we give DatabaseSecret-*, it will also match other secrets such as DatabaseSecret-<anything-here>a1b2c3.

So, we must give DatabaseSecret-?????? and the policy will be something like:

{
    "Version":"2012-10-17",
    "Statement": [
        {
        "Action": "secretsmanager:GetSecretValue",
        "Resource": "arn:aws:secretsmanager:region:12345678910:secret:DatabaseSecret-??????",
        "Effect": "Allow"
        }
    ]
}

More details here.

Balu Vyamajala
  • 9,287
  • 1
  • 20
  • 42
  • **It looks like the OP is attempting to add this JSON in the secret's "Resource Permissions" field.** It won't work, as the policy needs to be created in IAM and attached to the user or role instead. I have outlined the full step-by-step guide in my own answer. – ADTC Oct 19 '21 at 11:34
  • What is 1234567890 in the resource? – Ujjual Oct 11 '22 at 10:09
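To see why the three Resource spellings discussed above behave differently, here is an added example (not from the answer or from AWS) that applies the IAM Resource-element wildcard rules to some constructed secret ARNs; the region placeholder and account id are the ones used in the question, the six-character suffixes are made up.

```python
import re

# Constructed sample ARNs: "region" and 12345678910 are the question's placeholders,
# the random suffixes (a1b2c3, x9y8z7, q1w2e3) are invented for the example.
SECRETS = [
    "arn:aws:secretsmanager:region:12345678910:secret:DatabaseSecret-a1b2c3",
    "arn:aws:secretsmanager:region:12345678910:secret:DatabaseSecret-prod-x9y8z7",
    "arn:aws:secretsmanager:region:12345678910:secret:OtherSecret-q1w2e3",
]
BASE = "arn:aws:secretsmanager:region:12345678910:secret:DatabaseSecret"


def iam_resource_matches(pattern: str, arn: str) -> bool:
    """Match one ARN against a policy Resource value the way IAM does:
    '*' matches any run of characters, '?' matches exactly one character,
    everything else is compared literally and case-sensitively."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, arn) is not None


def allowed_secrets(resource_pattern: str, secrets=SECRETS) -> list:
    """Return the secrets an Allow statement with this Resource would cover."""
    return [arn for arn in secrets if iam_resource_matches(resource_pattern, arn)]


if __name__ == "__main__":
    # no suffix -> nothing; -?????? -> exactly the one secret; -* -> every DatabaseSecret-* name
    for pattern in (BASE, BASE + "-??????", BASE + "-*"):
        names = [a.rsplit(":", 1)[1] for a in allowed_secrets(pattern)]
        print(pattern.rsplit(":", 1)[1], "->", names)
```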
4

The issue was that the IAM user that I was using did not have the SecretsManager execution policy attached. After adding that execution policy to the user it worked fine.

Sidhu177
  • 457
  • 1
  • 6
  • 13
  • Thanks to the short answer here, I have fixed my problem. Indeed, the policy needs to be created in IAM and attached to the user or role instead. **I have outlined the full step-by-step guide in my own answer.** – ADTC Oct 19 '21 at 11:36
0

The true issue here, even though you might have the policy, is that GetRandomPassword cannot be resource-specific. Check the IAM UI for the error. You have to change

{
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetRandomPassword",
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret",
                "secretsmanager:PutSecretValue",
                "secretsmanager:UpdateSecretVersionStage"
            ],
            "Resource": [
                "arn:aws:secretsmanager:us-east-1:xxxxx:secret:yoursecret-zzzz"
            ]
        },

to

{
    "Effect": "Allow",
    "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret",
        "secretsmanager:PutSecretValue",
        "secretsmanager:UpdateSecretVersionStage"
    ],
    "Resource": [
        "arn:aws:secretsmanager:us-east-1:xxxxx:secret:yoursecret-zzzz"
    ]
},
{
    "Effect": "Allow",
    "Action": "secretsmanager:GetRandomPassword",
    "Resource": "*"
},

After digging into the problem a bit more, I found more items that can't be resource-specific, otherwise the first rotation would fail, which is documented in the AWS article: https://docs.aws.amazon.com/secretsmanager/latest/userguide/troubleshoot_rotation.html

{
    "Effect": "Allow",
    "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:GetRandomPassword",
        "secretsmanager:DescribeSecret",
        "secretsmanager:PutSecretValue",
        "secretsmanager:UpdateSecretVersionStage"
    ],
    "Resource": "*"
},
0

In my case I omitted the region part, which is required for a Secrets Manager resource. Make sure you put the full ARN in the policy.

Tom Marulak
  • 633
  • 4
  • 10