Sharing Secrets in Secrets Manager with Other AWS Accounts
Say you have a secret stored in AWS Secrets Manager in Account A & you need to make this secret available for use by an IAM user in Account B. The secret could be anything you want to keep hidden, like database credentials, API keys, etc. This article explains the steps involved in allowing cross-account access to that secret.
This can be achieved in 3 steps. First, we let the user access the secret by attaching a policy to the IAM user. But since the secret is encrypted, the user also needs permission to decrypt it. We’ll include this in the policy as well. Next, we attach a policy to CMK to allow the user to decrypt the secret using it. Then we attach a policy to the secret itself to let the user fetch it across accounts.
Start by attaching an inline policy to the user in Account B:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "secretsmanager:GetSecretValue",
"Resource": "ARN of the Secret in Account A"
},
{
"Effect": "Allow",
"Action": "kms:Decrypt",
"Resource":"ARN of the CMK in Account A"
}
]
}Next, edit the CMK’s policy & add a statement to it:
{
"Effect": "Allow",
"Principal": {
"AWS": "ARN of the IAM User in Account B"
},
"Action": [
"kms:Decrypt",
"kms:DescribeKey"
],
"Resource": "ARN of this CMK"
}Finally, add this policy to the secret in Account A:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "ARN of the IAM User in Account B"
},
"Action": "secretsmanager:GetSecretValue",
"Resource": "*"
}
]
}That’s all! The user should now be able to fetch the secret. You can test this via the AWS CLI using “aws secretsmanager get-secret-value”.
Harish KM is a Cloud Evangelist & a Full Stack Engineer at QloudX. He is very passionate about cloud-native solutions & using the best tools for his projects. With 10+ cloud & IT certifications, he is an expert in a multitude of application languages & is up-to-date with all new offerings & services from cloud providers, especially AWS.