I have the following terraform policy which allows access to all secrets (using jsonencode({}) and have trimmed the code for better readability):
{
Action = [ "secretsmanager:DescribeSecret", "secretsmanager:List*", "secretsmanager:Get*" ]
Effect = "Allow",
Resource = [
"arn:aws:secretsmanager:${var.aws_region}:${var.aws_account_id_dev}:*",
]
}
This works fine, but when I try to limit the scope of the Resources it’s not working as expected:
{
Action = [ "secretsmanager:DescribeSecret", "secretsmanager:List*", "secretsmanager:Get*" ]
Effect = "Allow",
Resource = [
"arn:aws:secretsmanager:${var.aws_region}:${var.aws_account_id_dev}:dev/AWS_*",
"arn:aws:secretsmanager:${var.aws_region}:${var.aws_account_id_dev}:dev/MAIL_*",
// .. etc
]
}
My assumption is that the above should allow access to dev/AWS_KEY, dev/AWS_SECRET, dev/AWS_WHATEVER and the same for the MAIL_*. I’m not entirely sure what I’m missing here?
Solution:
You left out part of the ARN. When you just had * there it didn’t matter, but once you start making it more specific, you need to be aware of the ARN format:
An Amazon Resource Name (ARN) with the following format:
arn:aws:secretsmanager:<Region>:<AccountId>:secret:SecretName-6RandomCharacters
You left out the :secret part of the ARN.
I believe your code needs to look like this:
{
Action = [ "secretsmanager:DescribeSecret", "secretsmanager:List*", "secretsmanager:Get*" ]
Effect = "Allow",
Resource = [
"arn:aws:secretsmanager:${var.aws_region}:${var.aws_account_id_dev}:secret:dev/AWS_*",
"arn:aws:secretsmanager:${var.aws_region}:${var.aws_account_id_dev}:secret:dev/MAIL_*",
// .. etc
]
}
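To see why the missing resource type matters, here is an added example (not part of the question or the answer) that applies IAM's wildcard rules to constructed secret ARNs; the region, account id and the "-AbCdEf"-style suffixes are made-up sample values standing in for the six random characters Secrets Manager appends to every secret ARN.

```python
import re

# Constructed sample ARNs, not taken from the question. The "-AbCdEf" suffix
# mimics the 6 random characters Secrets Manager appends to every secret ARN.
REGION, ACCOUNT = "eu-west-1", "111122223333"
SECRET_ARNS = [
    f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:secret:dev/AWS_KEY-AbCdEf",
    f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:secret:dev/MAIL_PASSWORD-GhIjKl",
    f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:secret:prod/AWS_KEY-MnOpQr",
]


def arn_pattern_matches(pattern: str, arn: str) -> bool:
    """Match one IAM Resource pattern against one ARN.

    IAM treats '*' as any sequence of characters (':' and '/' included) and
    '?' as any single character; every other character is compared literally.
    """
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, arn) is not None


def allowed_secrets(resource_patterns, arns=SECRET_ARNS):
    """Return the ARNs that at least one Resource pattern would grant access to."""
    return [arn for arn in arns if any(arn_pattern_matches(p, arn) for p in resource_patterns)]


# The question's patterns: without ':secret', the literal 'dev/' is compared
# against the 'secret:' segment of every real ARN, so nothing matches.
BROKEN = [f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:dev/AWS_*",
          f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:dev/MAIL_*"]

# The answer's patterns: ':secret:' is present, and the trailing '*' also
# absorbs the random suffix, which an exact secret name alone would not.
FIXED = [f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:secret:dev/AWS_*",
         f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:secret:dev/MAIL_*"]

if __name__ == "__main__":
    print("broken:", allowed_secrets(BROKEN))  # []
    print("fixed: ", allowed_secrets(FIXED))   # only the two dev/ secrets
```

The last comment in the block is the practical caveat: a Resource ending in the bare secret name (no trailing `*`) fails for the same reason, because the real ARN carries the random suffix.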