-1

I have my EC2 in the Dev account and my credentials are in the Security account of AWS. I am trying to retrieve secrets from Secrets Manager in my Security account. Both the EC2 and the credentials are in different regions.

aws secretsmanager get-secret-value --secret-id arn:aws:secretsmanager:us-east-2:2222222:secret:demo/democreds/secret_string --version-stage AWSCURRENT --region us-east-2

I am able to get the secrets with the above command, but when running terraform plan I am getting this error:

Error: error reading Secrets Manager Secret Version: AccessDeniedException: User: arn:aws:sts::1111111111:assumed-role/user_name/xxxxxxxxx is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:us-east-2:222222222:secret:demo/democreds/secret_string
    status code: 400, request id: 123dcdaaaa-cdcd33-2bb0d-6dhbc-083gbd6622111

I have already attached a policy for secretsmanager:GetSecretValue to the role which I am using.

Akash
  • 31
  • 1
  • 6
  • For cross-region access you need a second `provider` in your terraform code, there you can specify the different region. You blanked out the interesting part of the arn where the region would be, I am guessing the arn in the error message contains the wrong region!? – luk2302 Apr 23 '21 at 12:51
  • @luk2302 thanks for the comment, I have checked the ARNs and they are correct, my ec2 is in a different region, and the creds are placed in a different region in a different account – Akash Apr 23 '21 at 12:55
  • Then you need to provide more detail and not remove so much useful stuff. Which regions are involved, which accounts (you can use 111111 and 22222 as account ids but include them so we know what is cross account and what is not), which users, what are the permissions involved here? – luk2302 Apr 23 '21 at 13:00
  • check now and ec2 is in ca-central-1 – Akash Apr 23 '21 at 13:06
  • As what user do you perform the first request? As one in `1111111111` or in `2222222`? – luk2302 Apr 23 '21 at 13:11
  • https://aws.amazon.com/premiumsupport/knowledge-center/secrets-manager-share-between-accounts/ – luk2302 Apr 23 '21 at 13:12

3 Answers

1

It is actually very tricky the way it works.

You can access a secret from "Account A and eu-central-1 region" that is created in "Account B and eu-west-1 region" using AWS CLI by specifying --region parameter to match with the region of the source Account B (eu-west-1):

# Account A
# region: eu-central-1

$ aws secretsmanager get-secret-value --secret-id="arn:aws:secretsmanager:eu-west-1:1234567:secret:my-secret-smart9x" --region eu-west-1
# {valid result}

If you do not specify the --region eu-west-1, despite the fact that you indicate the ARN of the secret, which includes the region where the secret is located, the call to AWS Secrets Manager API is made to the region of the client (eu-central-1), resulting in the following error:

$ aws secretsmanager get-secret-value --secret-id="arn:aws:secretsmanager:eu-west-1:1234567:secret:my-secret-smart9x"

An error occurred (AccessDeniedException) when calling the GetSecretValue operation: User: arn:aws:sts::7654321:assumed-role/my-role/my-session is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:eu-west-1:1234567:secret:my-secret-smart9x because no resource-based policy allows the secretsmanager:GetSecretValue action

This can be solved without Secret Replication to another region (no additional costs) by always specifying the --region parameter in the request when you use the AWS CLI or SDK. The same applies to terraform, where you can probably use a different provider in some cases.

However, when it comes to Lambda Event Source or other AWS components (for example a resource needs to be created in region eu-west-1 and access a secret from region eu-central-1, https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_event_source_mapping#amazon-mq-activemq) that make the call to AWS Secrets Manager by only specifying the ARN (the user has no way to specify the region where the secret is), you MUST replicate the secret to the same region where the consumer is calling from, which means extra costs (basically, $0.40 per secret, $0.40 per replica).

Can't AWS just detect that secret we try to get from Account A is in eu-west-1 region, based on the ARN? No? Yes?

ref: https://aws.amazon.com/blogs/security/how-to-replicate-secrets-aws-secrets-manager-multiple-regions/

0

Solved this, by replicating the secret in the security account in the same region as EC2 in another account. Regions have to match if we are retrieving secrets from other account via terraform.

Akash
  • 31
  • 1
  • 6
0

You can pull secrets across account/region via the CLI and terraform. As stated above, you do need the --region flag for the AWS CLI to pull the secret (and the needed permissions set).

For terraform, you can also pull the secret across account/region by using a different provider.

  1. First create a role in the desired secret's AWS account which gives access to the desired secret and its KMS key.
  2. Next create a provider resource and set the region equal to the region your secret exists in, configure it to assume the role you just created. https://registry.terraform.io/providers/hashicorp/aws/latest/docs

Here is an example of the provider resource I used:

provider "aws" {
  region = "us-east-1"
  alias  = "secret_role"
  assume_role {
    role_arn = var.secret_role_arn
  }
}
  3. Finally, you can create an aws_secretsmanager_secret_version data source in terraform for the secret which takes in the ARN and optionally a provider which you would set to the provider that you just created. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version

After these changes, your terraform should be able to read secrets across regions :)

mameurer
  • 505
  • 1
  • 4
  • 5
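Putting the three steps above together, as an added end-to-end example (not mameurer's code and not from the question; it also covers the region point made in the first answer): the role in the Security account first, then the aliased provider and data source in the Dev account. The role name terraform-secret-reader, the KMS key ARN and the Dev EC2 role name are assumptions; the account IDs and the secret ARN are the placeholders from the question.

```hcl
# ---- Security account (222222222): role the Dev EC2 role may assume; apply with that account's credentials ----
resource "aws_iam_role" "terraform_secret_reader" {
  name = "terraform-secret-reader"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { AWS = "arn:aws:iam::1111111111:role/user_name" } # Dev EC2 role from the error message (assumed name)
    }]
  })
}

# Least privilege: only GetSecretValue on the one secret, plus Decrypt on its key.
resource "aws_iam_role_policy" "read_demo_secret" {
  role = aws_iam_role.terraform_secret_reader.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = "secretsmanager:GetSecretValue"
        Resource = "arn:aws:secretsmanager:us-east-2:222222222:secret:demo/democreds/secret_string"
      },
      {
        # Needed only when the secret uses a customer managed KMS key (key ARN is a placeholder).
        Effect   = "Allow"
        Action   = "kms:Decrypt"
        Resource = "arn:aws:kms:us-east-2:222222222:key/EXAMPLE-KEY-ID"
      }
    ]
  })
}

# ---- Dev account (1111111111): where terraform runs on the EC2 ----
provider "aws" {
  region = "ca-central-1"            # default provider: the EC2's own region
}

provider "aws" {
  alias  = "secret_reader"
  region = "us-east-2"               # must match the region in the secret's ARN
  assume_role {
    role_arn = "arn:aws:iam::222222222:role/terraform-secret-reader"
  }
}

data "aws_secretsmanager_secret_version" "demo" {
  provider  = aws.secret_reader      # without this the call goes to ca-central-1 and fails
  secret_id = "arn:aws:secretsmanager:us-east-2:222222222:secret:demo/democreds/secret_string"
}
```

Reference the value as data.aws_secretsmanager_secret_version.demo.secret_string and keep in mind that it lands in the terraform state, so the state backend needs the same protection as the secret itself.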