AWS Secrets Manager 资源策略拒绝除一个角色外的所有角色

Question

I have a secret in secrets manager and there are multiple IAM roles in the system.我在 secrets manager 中有一个 secret，系统中有多个 IAM 角色。 I only want only one role to access the scecret.我只想让一个角色访问秘密。 Unfortunately there are some other IAM roles that have full Secrets Manager privileges.不幸的是，还有一些其他 IAM 角色具有完整的 Secrets Manager 权限。 So i want to restrict the access to the secret to all other roles except desired one by me.所以我想将对秘密的访问限制为除我想要的角色之外的所有其他角色。

roles角色

IAM_role_that_need_to_access_the_secret. IAM_role_that_need_to_access_the_secret。
IAM_role_1_that_should_not_access_the_secret. IAM_role_1_that_should_not_access_the_secret。
IAM_role_2_that_should_not_access_the_secret. IAM_role_2_that_should_not_access_the_secret。

The following is working.以下是工作。

    {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "secretsmanager:GetSecretValue",
      "Principal": {
        "AWS": "arn:aws:iam::IAM_role_1_that_should_not_access_the_secret",
        "AWS": "arn:aws:iam::IAM_role_2_that_should_not_access_the_secret"
      },
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::IAM_role_that_need_to_access_the_secret"
      },
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "secretsmanager:VersionStage": "AWSCURRENT"
        }
      }
    }
  ]
}

But i want to Deny access to all roles without explicitly mentioning each of them in the Deny permission section.但我想拒绝访问所有角色，而不在拒绝权限部分明确提及每个角色。 Something like below.像下面这样的东西。 But it will restrict to all roles including the desired role.但它会限制所有角色，包括所需的角色。

    {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "secretsmanager:GetSecretValue",
      "Principal": {"AWS": "*"},
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::IAM_role_that_need_to_access_the_secret"
      },
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "secretsmanager:VersionStage": "AWSCURRENT"
        }
      }
    }
  ]
}

Answer 1

Update:更新：

I asked AWS Support, and they said:我询问了 AWS Support，他们说：

It is a known issue where NotPrinicipal fails the resource policy with an explicit deny.这是一个已知问题，即NotPrinicipal以显式拒绝使资源策略失败。

The workaround is to use "StringNotEquals":"aws:PrincipalArn" condition key.解决方法是使用"StringNotEquals":"aws:PrincipalArn"条件键。

Previous answer:上一个答案：

~~You can use NotPrincipal~~ :~~您可以使用NotPrincipal~~ ：

    {
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": "arn:aws:iam::IAM_role_that_need_to_access_the_secret"
      },
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "*",
      ...

Answer 2

You could create a KMS key then create a policy for the KMS key which grants access only to the roles you need.您可以创建一个KMS 密钥，然后为KMS 密钥创建一个策略，该策略仅授予对您需要的角色的访问权限。 Something like below:像下面这样：

 { "Version": "2012-10-17", "Id": "key-default-admin", "Statement": [ { "Sid": "Enable IAM User Permissions", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::<AWS_ACCOUNT_ID>:root" }, "Action": "kms:*", "Resource": "*" }, { "Sid": "Allow administration of the key", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>", "arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>" ] }, "Action": [ "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion" ], "Resource": "*" }, { "Sid": "Allow use of the key", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::<AWS_ACCOUNT_ID>:role/AdminRole", "arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>" ] }, "Action": [ "kms:DescribeKey", "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext" ], "Resource": "*" }, { "Sid": "Deny use of the key", "Effect": "Deny", "Principal": { "AWS": "arn:aws:iam::<AWS_ACCOUNT_ID>:root" }, "Action": "kms:*", "Resource": "*", "Condition": { "StringNotLike": { "aws:PrincipalArn": [ "arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>", "arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>" ] } } } ] }

Answer 3

I was able to achieve this with using a Condition on the Resource Policy and specifying the ARN of the Role in aws:PrincipalArn (Ref: https://aws.amazon.com/blogs/security/iam-makes-it-easier-to-manage-permissions-for-aws-services-accessing-resources/ )我能够通过在资源策略上使用条件并在 aws:PrincipalArn 中指定角色的 ARN 来实现这一点（参考： https://aws.amazon.com/blogs/security/iam-makes-it-easier-为 aws-services-accessing-resources/ 管理权限/ ）

{
  "Version" : "2012-10-17",
  "Statement" : [ 
    {
        "Sid" : "Get",
        "Effect" : "Deny",
        "Principal" : "*",
        "Action" : "secretsmanager:GetSecretValue",
        "Resource" : "<<ARN OF Secret>>",
        "Condition" : {
          "StringNotLike" : {
            "aws:PrincipalArn" : [ 
                "<<ARN of IAM_role_that_need_to_access_the_secret>>" ]
          }
    }
  } ]
}

AWS Secrets Manager 资源策略拒绝除一个角色外的所有角色

问题描述

3 个解决方案

解决方案1
0 2020-09-16 11:57:03

解决方案2
0 2021-01-17 21:21:55

解决方案3
0 2022-04-18 14:32:06

AWS Secrets Manager 资源策略拒绝除一个角色外的所有角色

问题描述

3 个解决方案

解决方案1 0 2020-09-16 11:57:03

解决方案2 0 2021-01-17 21:21:55

解决方案3 0 2022-04-18 14:32:06

解决方案1
0 2020-09-16 11:57:03

解决方案2
0 2021-01-17 21:21:55

解决方案3
0 2022-04-18 14:32:06