I’m having a challenge at my company where a solution that is working for other teams isn’t working for us, and I’m trying to find out why.
We have an IAM user; let's say iam-devuser is the name of the IAM user.
We have a secret in Secrets Manager in the same account called iam-devuser.
That IAM user has an inline policy attached to it that grants GetSecretValue for the secret to the IAM user, using the partial ARN.
If I make a call to get-secret-value from the AWS CLI using a profile with the IAM credentials, I get an error that no identity-based policy allows the action.
If I duplicate the policy and use the full ARN, then my CLI call works.
I see an issue if the secret ends with a hyphen and 6 characters, but our secret ends with a hyphen and more than 6 characters.
Are there any other reasons that a partial ARN wouldn't work but a full ARN would?
asked Mar 11 at 0:03 by David Jacobsen

1 Answer
The partial ARN feature is useful when using an SDK or compatible services to conveniently reference a secret.
However, in IAM policies, use the full ARN rather than the partial ARN. The very purpose of the six-character random string is so that principals with access to an old secret do not automatically get access to a new secret with the same name (link).
Secrets Manager includes six random characters at the end of the secret name to help ensure that the secret ARN is unique. If the original secret is deleted, and then a new secret is created with the same name, the two secrets have different ARNs because of these characters. Users with access to the old secret don't automatically get access to the new secret because the ARNs are different.
So IAM is the one place where you should not use a partial ARN. If you really want to give access to any secret with the same name, use a wildcard (*) so that the intent is explicit.
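To make the matching behaviour behind the answer concrete, here is an added example (not code from the question, the answer, or AWS) that implements IAM's Resource-element pattern matching and evaluates the three policy shapes discussed above against constructed secret ARNs. The account ID, region and the six-character suffixes (AbCdEf, GhIjKl, MnOpQr) are made up; the `secret_policy` helper and `policy_allows` evaluator are illustrative and cover only Allow/Deny on Action and Resource, not conditions or resource-based policies.

```python
import re

# Constructed sample resources; the account, region and suffixes are invented.
ACCOUNT = "123456789012"
REGION = "us-east-1"
SECRET_PREFIX = f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:secret:"

SECRET_ARN = SECRET_PREFIX + "iam-devuser-AbCdEf"            # the secret as it exists today
RECREATED_SECRET_ARN = SECRET_PREFIX + "iam-devuser-GhIjKl"  # same name, deleted and re-created
OTHER_SECRET_ARN = SECRET_PREFIX + "iam-devuser2-MnOpQr"     # a different secret with a similar name

ACTION = "secretsmanager:GetSecretValue"


def arn_pattern_matches(pattern: str, arn: str) -> bool:
    """IAM Resource matching: '*' matches any run of characters (including ':' and '/'),
    '?' matches exactly one character; everything else must match literally, and the
    whole ARN must be consumed. A partial ARN therefore does NOT match the real ARN,
    because the real ARN carries the '-XXXXXX' suffix the pattern lacks."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, arn) is not None


def policy_allows(policy: dict, action: str, resource_arn: str) -> bool:
    """Minimal identity-based policy evaluator (illustrative, not the real IAM engine):
    an explicit Deny on a matching statement wins; otherwise the request is allowed
    only if at least one Allow statement matches both the action and the resource."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        # Action names are matched case-insensitively; resource ARNs are case-sensitive.
        if not any(arn_pattern_matches(a.lower(), action.lower()) for a in actions):
            continue
        if not any(arn_pattern_matches(r, resource_arn) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def secret_policy(resource: str) -> dict:
    """Helper (hypothetical) building the one-statement inline policy from the question."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ACTION, "Resource": resource}
        ],
    }


# The three policy shapes discussed in the thread.
PARTIAL_ARN_POLICY = secret_policy(SECRET_PREFIX + "iam-devuser")      # what the question used
FULL_ARN_POLICY = secret_policy(SECRET_ARN)                             # what actually worked
WILDCARD_POLICY = secret_policy(SECRET_PREFIX + "iam-devuser-*")        # the answer's explicit wildcard
SLOPPY_WILDCARD_POLICY = secret_policy(SECRET_PREFIX + "iam-devuser*")  # over-broad: no hyphen before '*'


def evaluate_all() -> dict:
    """Return each policy's decision for the current, re-created and similarly named secret."""
    return {
        name: {
            "current": policy_allows(pol, ACTION, SECRET_ARN),
            "recreated": policy_allows(pol, ACTION, RECREATED_SECRET_ARN),
            "other": policy_allows(pol, ACTION, OTHER_SECRET_ARN),
        }
        for name, pol in {
            "partial": PARTIAL_ARN_POLICY,
            "full": FULL_ARN_POLICY,
            "wildcard": WILDCARD_POLICY,
            "sloppy": SLOPPY_WILDCARD_POLICY,
        }.items()
    }


if __name__ == "__main__":
    for name, decisions in evaluate_all().items():
        print(f"{name:8s} {decisions}")
```

The partial ARN never matches because IAM compares the pattern against the full resource ARN and the pattern has no way to absorb the `-AbCdEf` suffix. The full ARN matches exactly once and stops matching when the secret is re-created, which is the protection the answer describes. `iam-devuser-*` grants the "any secret with this name" intent explicitly, while the hyphen-less `iam-devuser*` also matches `iam-devuser2-...`, so keep the hyphen when you choose the wildcard form.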