
AWS Secrets Manager cross account


How to access secrets from Secrets Manager cross-account by friendlyName and NOT the secretARN?

Scenario:

  • CMK KMS in AccountA - Key Policy attached for AccountB
  • Secrets stored in AccountA - Resource policy added to AccountB
  • EC2 in AccountB with IAM role (secret and CMK KMS) attached

Observation: getting secret details by calling --secret-id (ARN) of the secret works fine and I get the desired output

Issue:

aws secretsmanager get-secret-value --secret-id (friendlyName) --region region

Getting secret details by calling --secret-id (friendlyName) of the secret fails with the error:

An error occurred (AccessDeniedException) when calling the GetSecretValue operation: User: arn:aws:sts::111111111:assumed-role/xxxx-xxxx-Role/i-xxxxx is not authorized to perform: secretsmanager:GetSecretValue on resource: (friendlyName)


Solution

  • The ARN encodes the Account the Secret belongs to, so if you want to achieve cross-account-access, you need to use the ARN. Otherwise it will try to find the resource in your account.

    You could also assume a role in the other account, and using those credentials you'd be able to use the friendly name, but in that case you're essentially in the other account already and are no longer doing cross-account access.
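Both options from the answer as an added shell example (not part of the original post): addressing the secret by its ARN from AccountB, and assuming a role in AccountA so the friendly name resolves. Account IDs, region, role and secret names are constructed placeholders; `RUN_AWS_EXAMPLE` is a hypothetical guard so the file can be sourced without calling AWS.

```shell
#!/bin/sh
# Constructed example; account IDs, region, role and secret names are placeholders.
set -eu

# Build the (partial) secret ARN for a secret that lives in another account.
# Secrets Manager also accepts this form without the random "-AbCdEf" suffix,
# but the complete ARN (as returned by `describe-secret`) is the safer input.
secret_arn() {
  # $1 = region, $2 = owning account id, $3 = friendly name
  printf 'arn:aws:secretsmanager:%s:%s:secret:%s' "$1" "$2" "$3"
}

# Option 1 (the answer's recommendation): stay in AccountB and address the
# secret by ARN, so the request is routed to AccountA instead of to the
# caller's own account, where the friendly name does not exist.
get_secret_by_arn() {
  # $1 = region, $2 = owning account id, $3 = friendly name
  aws secretsmanager get-secret-value \
    --region "$1" \
    --secret-id "$(secret_arn "$1" "$2" "$3")" \
    --query SecretString --output text
}

# Option 2 (the answer's alternative): assume a role in AccountA; with those
# credentials the friendly name resolves because the caller now is AccountA.
# The temporary credentials stay inside a subshell so they do not leak into
# the caller's environment after the call.
get_secret_via_role() {
  # $1 = region, $2 = role ARN in AccountA, $3 = friendly name
  (
    creds=$(aws sts assume-role --role-arn "$2" \
              --role-session-name secrets-reader \
              --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
              --output text)
    AWS_ACCESS_KEY_ID=$(printf '%s' "$creds" | cut -f1)
    AWS_SECRET_ACCESS_KEY=$(printf '%s' "$creds" | cut -f2)
    AWS_SESSION_TOKEN=$(printf '%s' "$creds" | cut -f3)
    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
    aws secretsmanager get-secret-value --region "$1" \
      --secret-id "$3" --query SecretString --output text
  )
}

# Only talk to AWS when explicitly asked, so the file is safe to source.
if [ "${RUN_AWS_EXAMPLE:-0}" = 1 ]; then
  get_secret_by_arn "us-east-1" "222222222222" "prod/db-password"
fi
```

Whichever option is used, the IAM policy on the AccountB role must list the secret ARN and the AccountA KMS key ARN as resources; a policy written against the friendly name only matches a secret in AccountB.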