By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Access to KMS is not allowed when User Permission changes

0

Hi,

I created a new encryption key and gave user access to aws-elasticbeanstalk-ec2-role. Then, I created a Secret Manager and set the new encryption key as the one for the secret. Then I deployed the example code to elastic beanstalk and test it and all worked just fine.

Then I removed IAMFullAccess permission for my user and test it again but I got the following error message:
"An error occurred (AccessDeniedException) when calling the GetSecretValue operation: Access to KMS is not allowed "

Then a added the IAMFullAccess permission and it worked again. It is important to say that other users have PowerUserAccess and IAMFullAccess so they can see everything.

Please tell me why is this happening and what can I do to use secret without having IAMFullAccess permission in my user.

Topics
Security, Identity, & Compliance
Tags
AWS Key Management Service
Language
English
bochagavia
asked 6 years ago7203 views
4 Answers
0

HI
You create your inline policy according to your need for the user or role and attach it if the required access is not present in the default aws roles / policies.

MuthukumarSiva
answered 6 years ago
0

Hi,
Thank you for your answer.
It is important to notice that the error message: "An error occurred (AccessDeniedException) when calling the GetSecretValue operation: Access to KMS is not allowed" appears when trying to access to the secret from elastic beanstalk machine.
I gave aws-elasticbeanstalk-ec2-role IAMFullAccess permission and removed it from my user permissions and the same error appears.
What I want to achieve is the secret to be accessible from an elastic beanstalk machine but not from my user in the aws console.
any ideas?

bochagavia
answered 6 years ago
0

An error occurred (AccessDeniedException) when calling the GetSecretValue operation: Access to KMS is not allowed

The same error i'm getting when calling secretsmanager form python sdk, while in CLI working fine.

MilanTyagi
answered 5 years ago
0

Hello,
It appears that you have chosen to encrypt secrets with a AWS KMS customer master key (CMK). In such scenarios, you must provide permissions to decrypt using the CMK. This is in addition to the Secrets Manager permissions required to retrieve the secret. See KMS documentation on authorizing use of CMK with Secrets Manager for details: https://docs.aws.amazon.com/kms/latest/developerguide/services-secrets-manager.html
--Apurv

AWS-User-7689511
answered 5 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content