Why do wildcard resources fail to work when defining secrets policy access?

I have the following Terraform policy, which allows access to all secrets (it uses jsonencode({}); I have trimmed the code for readability):

{
    Action    = [ "secretsmanager:DescribeSecret", "secretsmanager:List*", "secretsmanager:Get*" ]
    Effect    = "Allow",
    Resource  = [
       "arn:aws:secretsmanager:${var.aws_region}:${var.aws_account_id_dev}:*",
    ]
}

This works fine, but when I try to limit the scope of the Resource element it’s not working as expected:

{
    Action    = [ "secretsmanager:DescribeSecret", "secretsmanager:List*", "secretsmanager:Get*" ]
    Effect    = "Allow",
    Resource  = [
      "arn:aws:secretsmanager:${var.aws_region}:${var.aws_account_id_dev}:dev/AWS_*",
      "arn:aws:secretsmanager:${var.aws_region}:${var.aws_account_id_dev}:dev/MAIL_*",
      // .. etc
    ]
}

My assumption is that the above should allow access to dev/AWS_KEY, dev/AWS_SECRET, dev/AWS_WHATEVER and the same for the MAIL_*. I’m not entirely sure what I’m missing here?


Solution:

You left out part of the ARN. When you just had * there, it didn’t matter, but once you start making it more specific you need to be aware of the ARN format:

An Amazon Resource Name (ARN) with the following format:

arn:aws:secretsmanager:<Region>:<AccountId>:secret:SecretName-6RandomCharacters

You left out the :secret part of the ARN.

I believe your code needs to look like this:

{
    Action    = [ "secretsmanager:DescribeSecret", "secretsmanager:List*", "secretsmanager:Get*" ]
    Effect    = "Allow",
    Resource  = [
      "arn:aws:secretsmanager:${var.aws_region}:${var.aws_account_id_dev}:secret:dev/AWS_*",
      "arn:aws:secretsmanager:${var.aws_region}:${var.aws_account_id_dev}:secret:dev/MAIL_*",
      // .. etc
    ]
}
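The following is an added example, not code from the question or the answer above, that models how IAM matches a Resource pattern against a Secrets Manager ARN: * matches any run of characters (so it spans the ":secret:" segment, which is why the original account-wide "...:*" pattern worked) and ? matches exactly one character. It runs the broken and corrected patterns from this page against a few constructed secret ARNs in the documented "secret:SecretName-6RandomCharacters" format, and also goes one step further than the answer by showing why a pattern that names a secret exactly, without accounting for the random suffix, matches nothing. The region and account ID are placeholder values standing in for var.aws_region and var.aws_account_id_dev; the secret names are made up for the demonstration.

```python
import re

# Placeholder values standing in for var.aws_region and var.aws_account_id_dev.
# The account ID is a made-up number, not a real account.
REGION = "eu-west-1"
ACCOUNT = "123456789012"
PREFIX = f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}"

# Constructed secret ARNs in the format documented on this page:
# arn:aws:secretsmanager:<Region>:<AccountId>:secret:SecretName-6RandomCharacters
SECRET_ARNS = [
    f"{PREFIX}:secret:dev/AWS_KEY-Ab12Cd",
    f"{PREFIX}:secret:dev/AWS_SECRET-Ef34Gh",
    f"{PREFIX}:secret:dev/MAIL_PASSWORD-Ij56Kl",
    f"{PREFIX}:secret:prod/AWS_KEY-Mn78Op",   # should never be granted by a dev/ policy
]

# The Resource lists under discussion.
ALL_SECRETS = [f"{PREFIX}:*"]                              # the original, working policy
BROKEN = [f"{PREFIX}:dev/AWS_*", f"{PREFIX}:dev/MAIL_*"]   # missing the :secret segment
FIXED = [f"{PREFIX}:secret:dev/AWS_*", f"{PREFIX}:secret:dev/MAIL_*"]
EXACT_NO_SUFFIX = [f"{PREFIX}:secret:dev/AWS_KEY"]         # forgets the -6RandomCharacters suffix
EXACT_WITH_SUFFIX = [f"{PREFIX}:secret:dev/AWS_KEY-??????"]  # one ? per random character


def iam_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate IAM resource wildcards into an anchored regex.

    '*' matches any run of characters, including ':' and '/', '?' matches exactly
    one character, and everything else is literal. The pattern must cover the
    whole ARN; IAM does not do prefix matching.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def arn_matches(pattern: str, arn: str) -> bool:
    """True if the IAM Resource pattern matches this ARN in full."""
    return iam_pattern_to_regex(pattern).fullmatch(arn) is not None


def allowed_arns(resource_patterns, arns=SECRET_ARNS):
    """Return the ARNs (in input order) that at least one Resource pattern grants."""
    return [arn for arn in arns if any(arn_matches(p, arn) for p in resource_patterns)]


if __name__ == "__main__":
    for label, patterns in [
        ("account-wide *", ALL_SECRETS),
        ("broken (no :secret:)", BROKEN),
        ("fixed", FIXED),
        ("exact name, no suffix", EXACT_NO_SUFFIX),
        ("exact name, -??????", EXACT_WITH_SUFFIX),
    ]:
        print(f"{label:24s} -> {[a.rsplit(':', 1)[1] for a in allowed_arns(patterns)]}")
```

Running the script shows the broken patterns granting nothing, the fixed ones granting the three dev/ secrets and not prod/AWS_KEY, and the exact-name pattern only matching once the "-??????" placeholder for the six random characters is appended. That last form is the usual way to scope a policy to a single secret without turning "dev/AWS_KEY-*" into a wildcard that would also cover any secret whose name merely starts with "dev/AWS_KEY-".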