问题描述
我在ACCOUNT A中存储了一个秘密密钥(USrftP),我想从AC2 B中以角色ASHISHROLE的身份从EC2框中访问此密钥。我正在运行python代码以获取如下所示的秘密密钥,秘密使用资源策略关键如下,KMS政策如下,但仍然出现此问题
botocore.exceptions.ClientError:调用GetSecretValue操作时发生错误(AccessDeniedException):用户:arn:aws:sts :: ACCOUNTB:assumed-role / ASHISHROLE / i-********* is未经授权执行:secretsmanager:GetSecret资源上的值:arn:aws:secretsmanager:us-east-2:ACCOUNTA:secret:USrftP-KJHJH
import boto3
import base64
from botocore.exceptions import ClientError
def get_secret():
secret_name = "arn:aws:secretsmanager:us-east-2:ACCOUNTA:secret:USrftP"
region_name = "us-east-2"
# Create a Secrets Manager client
session = boto3.session.Session()
client = session.client(
service_name='secretsmanager',region_name=region_name
)
print("here")
get_secret_value_response = client.get_secret_value(
SecretId=secret_name
)
if 'SecretString' in get_secret_value_response:
return get_secret_value_response['SecretString']
else:
return base64.b64decode(get_secret_value_response['SecretBinary'])
print(get_secret())
SECRET KEY RESOURCE POLICY
{
"Version" : "2012-10-17","Statement" : [ {
"Effect" : "Allow","Principal" : {
"AWS" : "arn:aws:iam::ACCOUNTB:role/ASHISHROLE"
},"Action" : "secretsmanager:GetSecretValue","Resource" : "*"
} ]
}
KMS POLICY
{
"Id": "key-consolepolicy-3","Version": "2012-10-17","Statement": [
{
"Sid": "Enable IAM User Permissions","Effect": "Allow","Principal": {
"AWS": "arn:aws:iam::ACCOUNTA:root"
},"Action": "kms:*","Resource": "*"
},{
"Sid": "Allow access for Key Administrators","Principal": {
"AWS": "arn:aws:iam::ACCOUNTA:role/OKin"
},"Action": [
"kms:Create*","kms:Describe*","kms:Enable*","kms:List*","kms:Put*","kms:Update*","kms:Revoke*","kms:disable*","kms:Get*","kms:Delete*","kms:TagResource","kms:UntagResource","kms:ScheduleKeyDeletion","kms:CancelKeyDeletion"
],{
"Sid": "Allow use of the key","Principal": {
"AWS": "arn:aws:iam::ACCOUNTB:root"
},"Action": [
"kms:Encrypt","kms:Decrypt","kms:ReEncrypt*","kms:GenerateDataKey*","kms:DescribeKey"
],{
"Sid": "Allow attachment of persistent resources","Action": [
"kms:CreateGrant","kms:ListGrants","kms:RevokeGrant"
],"Resource": "*","Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}
]
}
解决方法
具有跨帐户权限的最困难概念是它需要双向授予权限。
您遇到的情况是:
- 帐户A中的秘密管理器
- 帐户B中的EC2实例
- 帐户B中的IAM角色(
Role-B)
这需要A到B的权限:
- 帐户A中的秘密需要一个“秘密密钥资源策略”,以允许从角色B进行访问(您已经完成了此操作)
并且它还需要B到A的权限:
-
必须授予
-
Role-B访问帐户A中的秘密的权限
这可能看起来很奇怪,但是我喜欢这样想:
- 默认情况下,IAM用户/ IAM角色没有权限
- 要使用Secrets Manager(即使在同一帐户中也要使用),必须授予IAM角色诸如
secretsmanager:GetSecretValue之类的权限-否则不允许执行任何操作 - 默认情况下,无法从另一个AWS账户访问一个AWS账户(例如,我无法访问您的账户)
- 如果一个AWS账户愿意让另一个账户访问它,那么它必须授予访问权限。可以在服务(例如S3,SNS,SQS,KMS和Secrets Manager)中的资源级别完成此操作,因为它们具有创建资源策略的能力。没有此功能的服务无法授予跨帐户访问权限,必须通过在同一帐户中扮演角色来使用。
您问题中的配置似乎缺少Role-B授予访问Secrets Manager所需的权限,例如:
{
"Version" : "2012-10-17","Statement" : [
{
"Effect": "Allow","Action": "secretsmanager:GetSecretValue","Resource": "arn:aws:secretsmanager:us-east-2:ACCOUNTA:secret:USRFTP"
}
]
}