Restrict access to ressources from AWS Secrets Manager to a group

Question

I have in my AWS Secrets Manager a few keys that need to be accessed from a EC2 instance using the command : aws secretsmanager get-secret-value --secret-id Test/Dev-key

I have created a IAM user that will only be used for this purpose and created a IAM group to apply the SecretManagerPolicy that I created. I want to this user to only have access to the key having Test/ in their names. So here is the policy I've made :

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "secretsmanager:*",
            "Resource": "arn:aws:secretsmanager:*:*:secret:Test/*"
        }
    ]
}

My user cannot access to any keys or list them. If I replace the Resource field with the full arn of a secret I can list all of them.

I also tried to add a condition using tags but I still can list secrets without the tag.

It's either I can access all secrets or none.

score 1 · Accepted Answer · answered Aug 06 '21 at 11:22

It worked for me.

To reproduce your situation, I did the following:

Created a Secret prefixed by Test/
Create an IAM User with this policy (and no other permissions):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "secretsmanager:*",
            "Resource": "arn:aws:secretsmanager:*:*:secret:Test/*"
        }
    ]
}

Ran these commands with credentials from that IAM User:

aws secretsmanager get-secret-value --secret-id Test/bob --profile stack
{
    "ARN": "arn:aws:secretsmanager:ap-southeast-2:123456789012:secret:Test/bob-zWgaQW",
    "Name": "Test/bob",
    "VersionId": "...",
    "SecretString": "{\"foo\":\"bar\"}",
    "VersionStages": [
        "AWSCURRENT"
    ],
    "CreatedDate": "2021-08-06T21:07:20.083000+10:00"
}

aws secretsmanager list-secrets --profile stack                         
{
    "SecretList": [
        {
            "ARN": "arn:aws:secretsmanager:ap-southeast-2:123456789012:secret:Test/bob-zWgaQW",
            "Name": "Test/bob",
            "LastChangedDate": "2021-08-06T21:07:20.089000+10:00",
            "LastAccessedDate": "2021-08-06T10:00:00+10:00",
            "Tags": [],
            "SecretVersionsToStages": {
                "...": [
                    "AWSCURRENT"
                ]
            },
            "CreatedDate": "2021-08-06T21:07:20.042000+10:00"
        }
    ]
}

I then added a secret that was not in the Test/ prefix, and I was then unable to list-secrets as shown above. I then deleted that extra secret and was still unable to list secrets (possibly because the secret takes 7 days to be deleted).

Ok I just tried again without changing anything since a few hours and it works now. Is there a delay to wait for the rule to work ? — JeremP, Aug 06 '21 at 12:50
IAM can have a little delay, but never more than a minute or so. — John Rotenstein, Aug 06 '21 at 13:09

Restrict access to ressources from AWS Secrets Manager to a group

1 Answers1