I have the following resource policy for my AWS Secrets Manager secret:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "policyForSomething",
      "Effect": "Deny",
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalArn": [
            "arn:aws:sts::**********:assumed-role/####/USERG",
            "arn:aws:sts::**********:assumed-role/####/USER1",
            "arn:aws:sts::**********:assumed-role/####/USER2",
            "arn:aws:sts::**********:assumed-role/####/USER3",
            "arn:aws:sts::**********:assumed-role/####/USER4"
          ]
        }
      },
      "Action": "secretsmanager:*",
      "Resource": "arn:aws:secretsmanager:us-west-2:*******:secret:/*"
    }
  ]
}
When I try to check it using the New Policy wizard, I don't see any error. But when I put it in the Resource Policy area for Secrets Manager, it always complains "This Resource policy contains a syntax error".
Other than the fact that "AWS UI and error messages aren't always helpful", could anyone help me understand why this is an issue?
You're required to have one of Principal or NotPrincipal in your resource-based policy. Try using Principal with Allow, or NotPrincipal with Deny.
Also, since you are using a resource-based policy, the Resource automatically and implicitly becomes the secret your policy is attached to (so you can safely use '*' there).
Principal with Allow:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "policyForSomething",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:sts::**********:assumed-role/####/USERG",
          "arn:aws:sts::**********:assumed-role/####/USER1",
          "arn:aws:sts::**********:assumed-role/####/USER2",
          "arn:aws:sts::**********:assumed-role/####/USER3",
          "arn:aws:sts::**********:assumed-role/####/USER4"
        ]
      },
      "Action": "secretsmanager:*",
      "Resource": "*"
    }
  ]
}
NotPrincipal with Deny:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "policyForSomething",
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": [
          "arn:aws:sts::**********:assumed-role/####/USERG",
          "arn:aws:sts::**********:assumed-role/####/USER1",
          "arn:aws:sts::**********:assumed-role/####/USER2",
          "arn:aws:sts::**********:assumed-role/####/USER3",
          "arn:aws:sts::**********:assumed-role/####/USER4"
        ]
      },
      "Action": "secretsmanager:*",
      "Resource": "*"
    }
  ]
}
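The rule in the answer (every statement of a resource-based policy must carry a Principal or NotPrincipal element, which the question's Deny-plus-Condition statement lacks) is easy to check offline before pasting a policy into the console. The script below is an added example and is not code from the question, the answer, or AWS: it lints a policy document for that defect and mechanically rewrites the aws:PrincipalArn StringNotEquals pattern into the two shapes the answer proposes. The account ID "111122223333", the role name "ExampleRole" and the sample policy are constructed placeholders.

```python
"""Structural lint for a Secrets Manager resource policy (added example).

Checks the rule stated in the answer: every statement in a resource-based
policy needs a Principal or NotPrincipal element. A Deny that only narrows
the caller through a Condition on aws:PrincipalArn has neither, and the
Secrets Manager console rejects it as a "syntax error". The sample policy,
account ID and role name below are constructed placeholders.
"""
import copy
import json

# Constructed sample mirroring the question's policy (placeholder identifiers).
CONDITION_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "policyForSomething",
        "Effect": "Deny",
        "Condition": {
            "StringNotEquals": {
                "aws:PrincipalArn": [
                    "arn:aws:sts::111122223333:assumed-role/ExampleRole/USERG",
                    "arn:aws:sts::111122223333:assumed-role/ExampleRole/USER1",
                ]
            }
        },
        "Action": "secretsmanager:*",
        "Resource": "*",
    }],
}


def statements(policy):
    """Return the Statement element as a list (IAM also allows a single object)."""
    stmts = policy.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def statements_without_principal(policy):
    """Sids (or positional labels) of statements with neither Principal nor NotPrincipal.

    A non-empty result is the defect the console reports as a syntax error.
    """
    return [
        stmt.get("Sid", f"statement[{i}]")
        for i, stmt in enumerate(statements(policy))
        if "Principal" not in stmt and "NotPrincipal" not in stmt
    ]


def _arns_from_not_equals_condition(stmt):
    """Extract the allow-list from a StringNotEquals condition on aws:PrincipalArn."""
    arns = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:PrincipalArn")
    if not arns:
        raise ValueError("statement has no StringNotEquals aws:PrincipalArn condition")
    return [arns] if isinstance(arns, str) else list(arns)


def _rewrite(policy, effect, principal_key):
    """Move the aws:PrincipalArn allow-list into a Principal/NotPrincipal element."""
    fixed = copy.deepcopy(policy)  # never mutate the caller's document
    rewritten = []
    for stmt in statements(fixed):
        if "Principal" in stmt or "NotPrincipal" in stmt:
            rewritten.append(stmt)  # already well-formed; leave untouched
            continue
        arns = _arns_from_not_equals_condition(stmt)
        del stmt["Condition"]
        stmt["Effect"] = effect
        stmt[principal_key] = {"AWS": arns}
        stmt["Resource"] = "*"  # resource policy: implicitly the secret it is attached to
        rewritten.append(stmt)
    fixed["Statement"] = rewritten
    return fixed


def as_allow_with_principal(policy):
    """The answer's first form: Allow the listed sessions via Principal."""
    return _rewrite(policy, "Allow", "Principal")


def as_deny_with_not_principal(policy):
    """The answer's second form: Deny everyone except the listed sessions via NotPrincipal."""
    return _rewrite(policy, "Deny", "NotPrincipal")


if __name__ == "__main__":
    print("missing Principal/NotPrincipal:", statements_without_principal(CONDITION_ONLY_POLICY))
    print(json.dumps(as_allow_with_principal(CONDITION_ONLY_POLICY), indent=2))
    print(json.dumps(as_deny_with_not_principal(CONDITION_ONLY_POLICY), indent=2))
```

Once a policy passes this check, the authoritative validation is the service's own: `aws secretsmanager validate-resource-policy --resource-policy file://policy.json` returns the same findings the console shows, and `aws secretsmanager put-resource-policy --secret-id <name> --resource-policy file://policy.json --block-public-policy` attaches it. One caveat for the Deny form: the IAM documentation for NotPrincipal notes that when the excepted principal is an assumed-role session you should also list the role ARN and the account ARN, because otherwise the Deny can cover the account and role that own the session; the sample above keeps only the session ARNs, exactly as the answer does.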