
AWS Secrets Manager resource policy access for user


I'm trying to make an AWS Secrets Manager resource accessible only by a certain user by writing a resource policy for the Secrets Manager, but I can't make it work. I have tried a policy with Allow and Deny with Principal and NotPrincipal, a Deny policy with NotPrincipal and Condition, and NotArnLike with aws:SourceArn. All these configs use the ARN of the user, arn:aws:iam::123456789012:user/fbuccioni.

My scenario is kind of: a root account, 2 devops users with user/policy privileges for 3rd parties, and only the root account needs access to the secretsmanager:GetValue action. That's why I'm trying to secure the resource instead of doing separate IAM identity-based policies.

How can I make it work?

Is there a default Deny policy, so that I have to Allow? The AWS examples only have an Allow condition.


Solution

  • To make it work I had to do several tests and some research, but finally I got the answer.

    For IAM users

    I started the tests without the root user, so I tried with an IAM user. The policy doesn't work with a Principal statement with any possible value; I had to use a Condition to make it work:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Principal": "*",
          "Action": [
            "secretsmanager:GetSecretValue",
            "secretsmanager:PutResourcePolicy",
            "secretsmanager:DeleteResourcePolicy"
          ],
          "Resource": "*",
          "Condition": {
            "StringNotLike": {
              "aws:userId": [
                "AIDA1EXAMPLE2USER3ID4",
                "012345678987"
              ]
            }
          }
        }
      ]
    }
    

    where AIDA1EXAMPLE2USER3ID4 is the user ID and 012345678987 is the account ID; you can retrieve the user ID with the command:

    aws sts get-caller-identity
    

    For the root account

    The root account has the superpower to bypass any policy or permission, so you just have to lock it down for everything and voilà.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Principal": "*",
          "Action": [
            "secretsmanager:GetSecretValue",
            "secretsmanager:PutResourcePolicy",
            "secretsmanager:DeleteResourcePolicy"
          ],
          "Resource": "*"
        }
      ]
    }
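As an added example (not part of the poster's answer), the Python script below simulates how the Deny statement with the StringNotLike condition on aws:userId from the "For IAM users" policy is evaluated against a few constructed caller identities. It is a simplified model of IAM's evaluation of this one policy, not the real engine, and every user ID other than the two from the answer is made up.

```python
import json
import re

# The resource policy from the answer above, embedded so this runs offline.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Principal": "*",
    "Action": ["secretsmanager:GetSecretValue",
               "secretsmanager:PutResourcePolicy",
               "secretsmanager:DeleteResourcePolicy"],
    "Resource": "*",
    "Condition": {"StringNotLike": {"aws:userId": ["AIDA1EXAMPLE2USER3ID4", "012345678987"]}}
  }]
}""")


def string_like(pattern, value):
    """IAM StringLike semantics: '*' matches any run, '?' one char, case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def condition_holds(condition, context):
    """StringLike/StringNotLike only (all this policy needs). An absent key matches
    nothing, so StringLike fails and the negated StringNotLike holds (the Deny fires)."""
    for operator, pairs in condition.items():
        if operator not in ("StringLike", "StringNotLike"):
            raise NotImplementedError(operator)
        for key, patterns in pairs.items():
            patterns = patterns if isinstance(patterns, list) else [patterns]
            value = context.get(key)
            matched = value is not None and any(string_like(p, value) for p in patterns)
            if matched != (operator == "StringLike"):
                return False
    return True


def denied_by_resource_policy(policy, action, context):
    """True if an explicit Deny statement matches the request. False is NOT an Allow:
    the caller still needs an Allow from an identity policy (or be the account root)."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if (stmt["Effect"] == "Deny" and any(string_like(a, action) for a in actions)
                and condition_holds(stmt.get("Condition", {}), context)):
            return True
    return False


# Constructed callers: IAM user = unique id, root = bare account number, role = "AROA...:session".
for who, uid in {"fbuccioni": "AIDA1EXAMPLE2USER3ID4", "root": "012345678987",
                 "other-user": "AIDA9OTHERUSEREXAMPLE", "role-session": "AROAEXAMPLEROLEID:dev"}.items():
    blocked = denied_by_resource_policy(POLICY, "secretsmanager:GetSecretValue", {"aws:userId": uid})
    print(f"{who:12} -> {'DENIED' if blocked else 'not denied by resource policy'}")
```

Only the two listed identities pass the condition; any other user, any role session, and a request with no aws:userId at all hit the Deny, while actions outside the statement's Action list (such as DescribeSecret) are untouched by this policy.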