
AWS Secrets Manager and multiple accounts


I have a secret in one account that I want to share in another account. In the other account we have a lambda function that will need this secret. I followed this and it works great.

AWS share secrets between accounts

Now we want to see if, instead of granting access to every user that invokes this Lambda, there is a way to grant a group or a role in the other account access to the secret. I tried using the role that invokes the function, but I got denied in the response from the Lambda. Next I tried a group in the other account, but it wouldn't let me save it. It just kept telling me the principal was not correct. Thanks.

So here is what I used for the policies. Policy on the Customer Managed Key (this is the statement added to the key policy):

{
    "Sid": "Permissions for external users",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::external-acct:role/Cross-Account-KMS-Role"
    },
    "Action": [
        "kms:Decrypt",
        "kms:DescribeKey"
    ],
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "kms:ViaService": "secretsmanager.us-east-1.amazonaws.com"
        },
        "StringLike": {
            "kms:EncryptionContext:SecretARN": "arn:aws:secretsmanager:us-east-1:central-acct:secret:my-secret"
        }
    }
}

Now on the secret itself we set up this resource policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::external-acct:role/Cross-Account-KMS-Role"
            },
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "secretsmanager:VersionStage": "AWSCURRENT"
                }
            }
        }
    ]
}

Then in the external account we created this identity policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "arn:aws:secretsmanager:us-east-1:central-acct:secret:my-secret"
        },
        {
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": "arn:aws:kms:us-east-1:central-acct:key/customer-key-1"
        }
    ]
}

Then we attached the policy to the role above. Now, when I did this for my own account instead of the role, I can use the AWS CLI and pull the secret. Of course, I wasn't using the role then, but my own account.


Solution

  • OK, so I figured it out. It seems that the resource policy on the CMK was wrong. I had used one like this:

    arn:aws:kms:us-east-1:my_acct:key/my_policy
    

    when I needed one like this:

    arn:aws:kms:us-east-1:my_acct:key/my_policy_id
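A small policy linter, added here as an example and not part of the question or the answer, that checks the three things this thread tripped over: a KMS key `Resource` must use `key/<key-id>` rather than a name or alias, a resource policy principal cannot be an IAM group, and the consuming role's identity policy must cover the secret and a key in the secret's region and account. The ARNs and account IDs are constructed placeholders.

```python
import re

# Sample ARNs are constructed for this example; the account IDs are placeholders.
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:111111111111:secret:my-secret"
KEY_ID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def as_list(value):
    # IAM allows Action/Resource/Principal fields to be a string or a list.
    return value if isinstance(value, list) else [value]


def check_key_arn(arn):
    """Problems with a KMS key ARN used as a Resource (empty list = looks right).
    The answer above traced its denial to key/<name>: IAM only matches
    arn:aws:kms:<region>:<account>:key/<key-id> when granting kms:Decrypt."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[:3] != ["arn", "aws", "kms"]:
        return [f"{arn}: not a KMS ARN"]
    resource = parts[5]
    if resource.startswith("alias/"):
        return [f"{arn}: alias ARNs are not usable for kms:Decrypt; use the key ARN"]
    if not resource.startswith("key/") or not KEY_ID_RE.match(resource[4:]):
        return [f"{arn}: expected key/<key-id> (a UUID), got {resource!r}"]
    return []


def check_resource_principal(principal):
    """Key policies and secret resource policies take users and roles as AWS
    principals, not IAM groups, which is why saving a group principal failed."""
    groups = [p for p in as_list(principal.get("AWS", [])) if ":group/" in p]
    return [f"{p}: IAM groups cannot be principals in a resource policy" for p in groups]


def check_consumer_policy(policy, secret_arn=SECRET_ARN):
    """Lint the identity policy attached to the role in the consuming account."""
    region, account = secret_arn.split(":")[3:5]
    problems = []
    for stmt in policy["Statement"]:
        actions, resources = as_list(stmt["Action"]), as_list(stmt["Resource"])
        for res in resources:
            if "kms:Decrypt" in actions:
                problems += check_key_arn(res)
                if res.split(":")[3:5] != [region, account]:
                    problems.append(f"{res}: key must be in the secret's region and account")
            if "secretsmanager:GetSecretValue" in actions and not (
                res == secret_arn or (res.endswith("*") and secret_arn.startswith(res[:-1]))
            ):
                problems.append(f"{res}: does not cover {secret_arn}")
    return problems
```

Run `check_consumer_policy` over the identity policy before attaching it to the role, and `check_resource_principal` over each statement's `Principal` in the key and secret policies; an empty list means that check passed.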