AWS Secrets Manager 跨账户
[英]AWS Secrets Manager cross account
问题描述
How to access secrets from Secrets manager cross account by friendlyName and NOT the secretARN?
如何通过友好名称而不是 secretARN 从 Secrets manager 跨帐户访问秘密?
Scenario:设想:
- CMK KMS in AccountA - Key Policy attached for AccountB AccountA 中的 CMK KMS - 为 AccountB 附加的密钥策略
- Secrets stored in AccountA - Resource policy added to AccountB存储在 AccountA 中的机密 - 添加到 AccountB 的资源策略
- EC2 in AccountB with IAM role(secret and cmk kms) attached附加了 IAM 角色(秘密和 cmk kms)的 AccountB 中的 EC2
Observation: get secret details by calling --secret-id (ARN) of secrets works fine and I get the desired output观察:通过调用 --secret-id (ARN) of secrets 获取秘密细节工作正常,我得到所需的 output
Issue:问题:
aws secretsmanager get-secret-value --secret-id (friendlyName) --region region
get secret details by calling --secret-id (friendlyName) of secrets gets failed with error通过调用 --secret-id (friendlyName) of secrets 获取机密详细信息失败并出现错误
An error occurred (AccessDeniedException) when calling the GetSecretValue operation: User: arn:aws:sts::111111111:assumed-role/xxxx-xxxx-Role/i-xxxxx is not authorized to perform: secretsmanager:GetSecretValue on resource: (friendlyName)
1 个解决方案
解决方案1
1 2021-05-17 07:43:10
The ARN encodes the Account the Secret belongs to, so if you want to achieve cross-account-access, you need to use the ARN. ARN 对 Secret 所属的 Account 进行编码,因此如果要实现跨账户访问,则需要使用 ARN。 Otherwise it will try to find the resource in your account.否则它将尝试在您的帐户中查找资源。
You could also assume a role in the other account and using these credentials you'd be able to use the friendly name, but in that case you're essentially in the other account already and no longer do cross-account access.您还可以在另一个帐户中担任角色并使用这些凭据,您可以使用友好名称,但在这种情况下,您实际上已经在另一个帐户中并且不再进行跨帐户访问。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.