AWS Secret Manager访问拒绝问题

时间:2020-09-03 17:04:58

标签: amazon-web-services aws-secrets-manager

我在ACCOUNT A中存储了一个秘密密钥(USRFTP),我想从AC2 B中以角色ASHISHROLE的身份从EC2框中访问此密钥。我正在运行python代码以获取如下所示的秘密密钥,秘密使用资源策略关键如下,KMS政策如下,但仍然出现此问题

botocore.exceptions.ClientError:调用GetSecretValue操作时发生错误(AccessDeniedException):用户:arn:aws:sts :: ACCOUNTB:assumed-role / ASHISHROLE / i-********* is未经授权执行:secretsmanager:GetSecret资源上的值:arn:aws:secretsmanager:us-east-2:ACCOUNTA:secret:USRFTP-KJHJH 

    import boto3
    import base64
    from botocore.exceptions import ClientError
    def get_secret():
        secret_name = "arn:aws:secretsmanager:us-east-2:ACCOUNTA:secret:USRFTP"
        region_name = "us-east-2"
        # Create a Secrets Manager client
        session = boto3.session.Session()
        client = session.client(
            service_name='secretsmanager',
            region_name=region_name
        )
        print("here")

        get_secret_value_response = client.get_secret_value(
            SecretId=secret_name
        )
        if 'SecretString' in get_secret_value_response:
            return  get_secret_value_response['SecretString']
        else:
            return  base64.b64decode(get_secret_value_response['SecretBinary'])
    
    print(get_secret())

SECRET KEY RESOURCE POLICY
  

 {
  "Version" : "2012-10-17",
  "Statement" : [ {
    "Effect" : "Allow",
    "Principal" : {
      "AWS" : "arn:aws:iam::ACCOUNTB:role/ASHISHROLE"
    },
    "Action" : "secretsmanager:GetSecretValue",
    "Resource" : "*"
  } ]
}

KMS POLICY

    {
        "Id": "key-consolepolicy-3",
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Enable IAM User Permissions",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::ACCOUNTA:root"
                },
                "Action": "kms:*",
                "Resource": "*"
            },
            {
                "Sid": "Allow access for Key Administrators",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::ACCOUNTA:role/OKin"
                },
                "Action": [
                    "kms:Create*",
                    "kms:Describe*",
                    "kms:Enable*",
                    "kms:List*",
                    "kms:Put*",
                    "kms:Update*",
                    "kms:Revoke*",
                    "kms:Disable*",
                    "kms:Get*",
                    "kms:Delete*",
                    "kms:TagResource",
                    "kms:UntagResource",
                    "kms:ScheduleKeyDeletion",
                    "kms:CancelKeyDeletion"
                ],
                "Resource": "*"
            },
            {
                "Sid": "Allow use of the key",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::ACCOUNTB:root"
                },
                "Action": [
                    "kms:Encrypt",
                    "kms:Decrypt",
                    "kms:ReEncrypt*",
                    "kms:GenerateDataKey*",
                    "kms:DescribeKey"
                ],
                "Resource": "*"
            },
            {
                "Sid": "Allow attachment of persistent resources",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::ACCOUNTB:root"
                },
                "Action": [
                    "kms:CreateGrant",
                    "kms:ListGrants",
                    "kms:RevokeGrant"
                ],
                "Resource": "*",
                "Condition": {
                    "Bool": {
                        "kms:GrantIsForAWSResource": "true"
                    }
                }
            }
        ]
    }

1 个答案:

答案 0 :(得分:1)

具有跨帐户权限的最困难概念是它需要双向授予权限

您遇到的情况是:

  • 帐户A中的秘密管理器
  • 帐户B中的EC2实例
  • 帐户B中的IAM角色(Role-B

这需要A到B的权限:

  • 帐户A中的秘密需要一个“秘密密钥资源策略”,以允许从角色B进行访问(您已经完成了此操作)

并且它还需要B到A的权限:

    必须授予
  • Role-B访问帐户A中的秘密的权限

这可能看起来很奇怪,但是我喜欢这样想:

  • 默认情况下,IAM用户/ IAM角色没有权限
  • 要使用Secrets Manager(即使在同一帐户中也要使用),必须授予IAM角色诸如secretsmanager:GetSecretValue之类的权限-否则不允许执行任何操作
  • 默认情况下,无法从另一个AWS账户访问一个AWS账户(例如,我无法访问您的账户)
  • 如果一个AWS账户愿意让另一个账户访问它,那么它必须授予访问权限。可以在服务(例如S3,SNS,SQS,KMS和Secrets Manager)中的资源级别完成此操作,因为它们具有创建资源策略的能力。没有此功能的服务无法授予跨帐户访问权限,必须通过在同一帐户中扮演角色来使用。

您问题中的配置似乎缺少Role-B授予访问Secrets Manager所需的权限,例如:

{
      "Version" : "2012-10-17",
      "Statement" : [
        {
          "Effect": "Allow",
          "Action": "secretsmanager:GetSecretValue",
          "Resource": "arn:aws:secretsmanager:us-east-2:ACCOUNTA:secret:USRFTP"
        }
      ]
}
相关问题
最新问题