AWS Secrets Manager Exception AccessDenied

Question

The issue briefly explained:

I am getting this AWSSecretsManagerException AccessDenied when my web application makes API calls to AWS Secrets Manager to get secret keys/data.

The issue in a little more detail:

I have a Web Application war file deployed to AWS ElasticBeanstalk. I have a front end React application on AWS Amplify that makes a HTTPS Request to the WAR file.

As part of handling this request the Web Application interfaces to PayPal's API. To make a successful request to use PayPal's API I need a token. To get that token my web app needs to make a request to PayPal to get that token by sending my Pay Pal Client ID and Secret key.

To not hardcode that into the app or to have a local config file with that client id and key in plain text, I decided to store those in AWS using AWS Secrets Manager. To access the keys stored there in my application I need to use the AWS Secrets Manager SDK. I did that by including this dependency on my Web Applications pom file.

<dependency>
    <groupId>com.amazonaws</groupId>
    <artifactId>aws-java-sdk-secretsmanager</artifactId>
    <version>1.11.700</version>
</dependency>

I then added code to retrieve the client id and secret using the AWS Secrets Manager SDK API.

When I run my Web Application locally on my machine on a Payara Server it works. Meaning I have a local React app on my machine that has the HTTP Request go to my local Web app on Payara (instead of on AWS), and the Web app successfully extracts the Client ID and Secrets from AWS Secrets Manager.

However when I deploy my Web Application to Elastic Beanstalk EC2 instance, I get the Exception above from my front end React app on AWS Amplify.

Answer 1

After a couple of hours I got the issue resolved.

First you have to notice the Role listed in the Exception (look at the bolded text):

com.amazonaws.services.secretsmanager.model.AWSSecretsManagerException: User: arn:aws:sts::<......>:assumed-role/aws-elasticbeanstalk-ec2-role/<.....> is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:us-east-1:<......>:secret:<.....> (Service: AWSSecretsManager; Status Code: 400; Error Code: AccessDeniedException; Request ID: <.......>)

When you're in the AWS Console go to AWS->IAM. From there click on the roles link on the left side. Notice the role from the bolded text above is listed there (text circled in red).

Double click on that.

In this screenshot I already did it, but initially the SecretsManagerReadWrite policy (circled in red) wasn't there.

To get that policy, click on "Attach Policies". Then on the next page search for SecretsManagerReadWrite, and click on the checkbox. Click on "Attach Policy" button and now that role has it!

Now my HTTPS request from my React app on AWS Amplify makes the request to my Web App on ElasticBeanstalk and I no longer get that AWSSecretsManagerException AccessDenied message!