
I'm trying to make an AWS Secrets Manager resource be accessed only by a certain user by writing a resource policy for the Secrets Manager, but I can't make it work; I have tried a policy with Allow and Deny with Principal and NotPrincipal, a Deny policy with NotPrincipal and Condition, NotArnLike with aws:SourceArn. All these configs with the ARN of the user arn:aws:iam::123456789012:user/fbuccioni.

My scenario is kinda root account, 2 devops with user/policy privileges to 3rd parties, and I need only the root account to have access to the secretsmanager:GetValue action. That's why I'm trying to secure the resource instead of doing separate IAM identity-based policies.

How can I make it work?

Is there a default Deny policy and I have to Allow? The AWS examples have an Allow condition only.

Felipe Buccioni

2 Answers

0

Did you also add an identity-based policy to the IAM identity to allow access to such a secret?

https://docs.aws.amazon.com/secretsmanager/latest/userguide/determine-acccess_examine-iam-policies.html

By default, IAM identities don't have permission to access secrets. When authorizing access to a secret, Secrets Manager evaluates the resource-based policy attached to the secret and all identity-based policies attached to the IAM user or role sending the request.

After clarification, your goal is to restrict access to the Secrets Manager instance to only the root account. Can you give this statement a try?

statement {
  principals {
    type = "AWS"
    identifiers = [
      "arn:aws:iam::<account-number>:root"
    ]
  }
  actions = [
    # Your permissions here
  ]
  resources = ["*"]
  condition {
    test     = "StringLike"
    variable = "aws:PrincipalType"
    values = [
      "Account"
    ]
  }
}

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html

v-rosa
  • Obviously I evaluate the IAM identity-based policy, but I have also restricted the capability to create users and permissions for some other users; it makes me restructure several policies unnecessarily because I only need to restrict the Secrets Manager. I do that with an SQS, but here I cannot make it work in Secrets Manager – Felipe Buccioni May 18 '23 at 12:57
  • Sorry, I don't understand. Could you share both the resource policy and the identity policy of the user trying to access the secret? Could you also share the exact error you're getting? – v-rosa May 18 '23 at 13:05
  • Sorry, I don't understand; is your suggestion to use IAM identity policies instead of a resource policy? My scenario is the root account + 3 devops with admin privileges able to create users for 3rd-party providers – Felipe Buccioni May 18 '23 at 13:31
  • From your initial message your goal is not clear. Thanks for clarifying. So you're exploring ways to create IAM users whose use case is to grant access to AWS Secrets Manager, right? – v-rosa May 18 '23 at 13:38
  • When these users for 3rd parties try to access the Secrets Manager you created, it fails; is this correct? – v-rosa May 18 '23 at 13:40
  • I need to grant access only to the root user, no devops, no 3rd parties – Felipe Buccioni May 18 '23 at 13:51
  • Understood. I've updated my initial response; give it a try. – v-rosa May 18 '23 at 13:54
0

To make it work I had to do several tests and some research, but finally I got the answer.

For IAM users

I started doing the tests without the root user, so I tried with an IAM user; the policy doesn't work with a Principal statement with any possible value, I had to use a Condition to make it work:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:PutResourcePolicy",
        "secretsmanager:DeleteResourcePolicy"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotLike": {
          "aws:userId": [
            "AIDA1EXAMPLE2USER3ID4",
            "012345678987"
          ]
        }
      }
    }
  ]
}

where AIDA1EXAMPLE2USER3ID4 is the user ID and 012345678987 is the account ID; you can retrieve the user ID with the command:

aws sts get-caller-identity

For Root account

The root account has the superpower to bypass any policy or permission; you just have to lock it for everyone and voilà.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:PutResourcePolicy",
        "secretsmanager:DeleteResourcePolicy"
      ],
      "Resource": "*"
    }
  ]
}
Felipe Buccioni
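As an added illustration (not code from either answer), the following Python walks through how the two conditions used on this page behave for different kinds of callers: the accepted answer's Deny with a StringNotLike on aws:userId, and the first answer's StringLike on aws:PrincipalType. All identities are constructed samples, nothing talks to AWS, and the evaluator models only the operators the answers use and assumes Principal "*" as on the page:

```python
"""Local walk-through of the resource-policy conditions discussed on this page.

Constructed sample identities; nothing here talks to AWS. The evaluator covers
only the operators the answers use (StringLike / StringNotLike on single-valued
context keys) and assumes the statement's Principal is "*", as on the page.
"""
import fnmatch
import json

ACCOUNT_ID = "012345678987"  # constructed account ID, same placeholder as the answer

# Constructed request contexts. aws:userId is the unique ID for an IAM user, the
# account ID for the root user, and "<role-id>:<session-name>" for an assumed role.
SAMPLE_CALLERS = {
    "root": {"aws:userId": ACCOUNT_ID, "aws:PrincipalType": "Account"},
    "fbuccioni": {"aws:userId": "AIDA1EXAMPLE2USER3ID4", "aws:PrincipalType": "User"},
    "devops-user": {"aws:userId": "AIDA9EXAMPLE8OTHER7ID6", "aws:PrincipalType": "User"},
    "ci-role": {"aws:userId": "AROA1EXAMPLE2ROLE3ID4:build-42", "aws:PrincipalType": "AssumedRole"},
}

# The action list from the accepted answer: reading the secret plus changing or
# removing the resource policy itself.
LOCKED_ACTIONS = [
    "secretsmanager:GetSecretValue",
    "secretsmanager:PutResourcePolicy",
    "secretsmanager:DeleteResourcePolicy",
]


def deny_unless_user_ids(allowed_user_ids):
    """Build the accepted answer's Deny statement for a list of allowed aws:userId values.

    An empty list drops the Condition entirely, which is the "lock everyone out"
    policy from the root-account section of the answer.
    """
    statement = {
        "Effect": "Deny",
        "Principal": "*",
        "Action": list(LOCKED_ACTIONS),
        "Resource": "*",
    }
    if allowed_user_ids:
        statement["Condition"] = {"StringNotLike": {"aws:userId": list(allowed_user_ids)}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def condition_matches(condition, context):
    """Evaluate an IAM Condition block against a request context.

    For a single-valued key, StringLike is true when the value matches any listed
    pattern; StringNotLike is true only when it matches none of them. A key absent
    from the context makes the condition false. Patterns use IAM's * and ? wildcards.
    """
    for operator, keys in condition.items():
        if operator not in ("StringLike", "StringNotLike"):
            raise ValueError(f"operator not modelled here: {operator}")
        for key, patterns in keys.items():
            if isinstance(patterns, str):
                patterns = [patterns]
            actual = context.get(key)
            if actual is None:
                return False
            hit = any(fnmatch.fnmatchcase(actual, p) for p in patterns)
            # StringLike needs a hit, StringNotLike needs no hit; otherwise the condition fails.
            if (operator == "StringLike") != hit:
                return False
    return True


def denied_by(policy, context, action):
    """True if some Deny statement in the policy applies to this caller and action."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


def callers_locked_out(policy, action="secretsmanager:GetSecretValue", callers=SAMPLE_CALLERS):
    """Names of the sample callers an explicit Deny would stop for this action."""
    return sorted(name for name, ctx in callers.items() if denied_by(policy, ctx, action))


# The first answer's Allow statement keys on aws:PrincipalType instead.
ROOT_ONLY_ALLOW_CONDITION = {"StringLike": {"aws:PrincipalType": ["Account"]}}


def callers_matching_allow(condition=ROOT_ONLY_ALLOW_CONDITION, callers=SAMPLE_CALLERS):
    """Sample callers the Allow condition matches. Matching an Allow is not the same as
    being the only one allowed: identity-based policies are evaluated as well."""
    return sorted(name for name, ctx in callers.items() if condition_matches(condition, ctx))


if __name__ == "__main__":
    policy = deny_unless_user_ids(["AIDA1EXAMPLE2USER3ID4", ACCOUNT_ID])
    print(json.dumps(policy, indent=2))
    print("locked out:", callers_locked_out(policy))
    print("locked out by deny-all:", callers_locked_out(deny_unless_user_ids([])))
    print("allow condition matches:", callers_matching_allow())
```

Running it shows why the accepted answer settled on an explicit Deny: the devops user and the assumed role are denied GetSecretValue while the listed user ID and the root user (whose aws:userId is the account ID, as the answer notes) pass, whereas the first answer's Allow condition only identifies the root caller and, per the doc quote in that answer, leaves identity-based policies free to grant access to everyone else. Because PutResourcePolicy and DeleteResourcePolicy sit in the denied action list, the identities left out of the Condition also cannot later loosen or remove the policy. To apply the generated document to a real secret you would write it to a file and run aws secretsmanager put-resource-policy --secret-id <your-secret> --resource-policy file://policy.json, after confirming your own aws:userId with the aws sts get-caller-identity command from the answer.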