
Assigning permission to single cognito user access to a secret created on AWS's Secret Manager

I have created a secret on AWS's Secrets Manager. I have a python service with cognito authentication, and I want to assign to a particular user permission to get this secret. I created the following policy to allow users to get the secret's value.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret"
            ],
            "Resource": "arn:aws:secretsmanager:*:*:secret:test_secret*"
        }
    ]
}

I've then assigned this policy to my cognito identity pool's Authenticated role. Now every user in this pool has permission to get this secret's value. But I need to assign this permission to a single user, not all of them. Is there any way to do this?

You can put this user in a group and let this group assume an IAM Role. Then attach the right to the IAM Role.

Role-Based Access Control

You can write your authenticated user IAM policy in a way that it only allows them permission to access resources that they create. E.g.:

  1. Instantiate an AWS secretsmanager client using the ID token you get from CognitoIdentity
  2. Specify your authenticated policy to look something like this:
{
    "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "",
                "Effect": "Allow",
                "Action": [
                    "secretsmanager:UpdateSecret",
                    "secretsmanager:PutSecretValue",
                    "secretsmanager:DescribeSecret",
                    "secretsmanager:DeleteSecret"
                ],
                "Resource": "*",
                "Condition": {
                    "ForAllValues:StringEquals": {
                        "aws:TagKeys": [
                            "Sub",
                            "Service"
                        ]
                    },
                    "StringEquals": {
                        "secretsmanager:ResourceTag/Service": "MYSERVICE",
                        "secretsmanager:ResourceTag/Sub": "${cognito-identity.amazonaws.com:sub}"
                    }
                }
            },
            {
                "Sid": "",
                "Effect": "Allow",
                "Action": [
                    "secretsmanager:TagResource",
                    "secretsmanager:CreateSecret"
                ],
                "Resource": "*",
                "Condition": {
                    "ForAllValues:StringEquals": {
                        "aws:TagKeys": [
                            "Sub",
                            "Service"
                        ]
                    },
                    "StringEquals": {
                        "aws:RequestTag/Service": "MYSERVICE",
                        "aws:RequestTag/Sub": "${cognito-identity.amazonaws.com:sub}"
                    }
                }
            }
        ]
    }
}

  3. When you create the secret, be sure to apply tags in the CreateSecret request that map to your user's identity pool ID and service name. (If you don't, your request will fail.)

Your users will now only be able to access secrets that they create. This is secure because the "${cognito-identity.amazonaws.com:sub}" value will be interpolated based on the AWS SDK session credentials. I.e., your other users' clients will have different "sub" values embedded as part of their session credentials, so they won't be able to access secrets they didn't create.
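As an added example (not code from the question or either answer), here is the client side of that tag-scoped policy in Python with boto3. It assumes the identity pool is federated with a Cognito User Pool, that the policy's first statement also grants secretsmanager:GetSecretValue (the posted policy lists DescribeSecret but not GetSecretValue), and that the region, pool IDs and token are placeholders; the "sub" the policy compares against is the identity ID returned by GetId, and create_request_allowed restates the CreateSecret condition locally so a missing or extra tag is caught before the request is sent.

```python
"""Client side of the tag-scoped Secrets Manager policy (added example)."""
from __future__ import annotations

SERVICE_TAG = "MYSERVICE"              # value the policy requires in RequestTag/Service
ALLOWED_TAG_KEYS = {"Sub", "Service"}  # the policy's ForAllValues:StringEquals aws:TagKeys


def build_create_secret_request(name: str, secret_string: str, identity_id: str) -> dict:
    """CreateSecret parameters carrying exactly the two tags the policy demands.
    identity_id is the Cognito identity ID, which is what the policy variable
    ${cognito-identity.amazonaws.com:sub} expands to."""
    return {
        "Name": name,
        "SecretString": secret_string,
        "Tags": [{"Key": "Service", "Value": SERVICE_TAG},
                 {"Key": "Sub", "Value": identity_id}],
    }


def create_request_allowed(request: dict, identity_id: str) -> bool:
    """Local restatement of the policy's CreateSecret condition block: every tag
    key must be in the allowed set (ForAllValues:StringEquals on aws:TagKeys) and
    both required tags must carry the expected values (StringEquals on RequestTag)."""
    tags = {t["Key"]: t["Value"] for t in request.get("Tags", [])}
    if not set(tags) <= ALLOWED_TAG_KEYS:
        return False  # an extra key such as Env fails ForAllValues:StringEquals
    return tags.get("Service") == SERVICE_TAG and tags.get("Sub") == identity_id


def secrets_client_for_user(region: str, identity_pool_id: str, user_pool_id: str,
                            id_token: str):
    """Exchange a User Pool ID token for the identity pool's authenticated-role
    credentials; returns (secretsmanager client, identity_id). Needs boto3."""
    import boto3  # imported lazily so the pure helpers above run without the SDK

    ci = boto3.client("cognito-identity", region_name=region)
    logins = {f"cognito-idp.{region}.amazonaws.com/{user_pool_id}": id_token}
    identity_id = ci.get_id(IdentityPoolId=identity_pool_id, Logins=logins)["IdentityId"]
    creds = ci.get_credentials_for_identity(IdentityId=identity_id, Logins=logins)["Credentials"]
    sm = boto3.client("secretsmanager", region_name=region,
                      aws_access_key_id=creds["AccessKeyId"],
                      aws_secret_access_key=creds["SecretKey"],
                      aws_session_token=creds["SessionToken"])
    return sm, identity_id


if __name__ == "__main__":  # placeholder IDs and token; replace with real ones
    sm, me = secrets_client_for_user("us-east-1", "us-east-1:IDENTITY-POOL-ID",
                                     "us-east-1_USERPOOLID", "ID-TOKEN")
    req = build_create_secret_request("test_secret", '{"api_key": "..."}', me)
    assert create_request_allowed(req, me)  # tags match, so the policy allows it
    sm.create_secret(**req)
    print(sm.get_secret_value(SecretId="test_secret")["SecretString"])
```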
