stackoom
  简体   繁体   中英

Receiving error "User: arn:aws:iam::11345636234528:user/my_Api is not authorized to perform: secretmanager:GetSecretValue on resouce: my_Resource"?

 原文  2022-02-27 05:12:41       python/ amazon-web-services

Question

I am trying to execute my code from my ide and connect to aws resources through boto3. I go into the Secrets portal of the aws console. Inside aws secrets manager I find the resource titled my_api where my secrets are stored. I copy that name so that I can access the dict response of values needed. I use the following code in my ide to try and retrieve that dict response:

import boto3

client=boto3.client("secretmanager")
reponse=client.get_secret_value(
secretId="my_api"
)
print(response)

I added that code to a python file inside my ide and ran it in the vscode with the built-in terminal writing: python my_boto3.py and received the following error:

raise error_class(parsed_reponse, operation_name) botocore.exception.ClientError: An error 
occured (AccessDeniedException) when calling the GetSecretValue operation: 
User: arn:aws:iam::11345636234528:user/my_Api is not authorized to perform: 
secretmanager:GetSecretValue on resouce: my_Resource because no identity-based policy allows 
the secretsmanager:GetSecretValue action"

But when I go into my aws to find the associated lambda function and use that same line of code inside the aws code editor it runs fine and prints the results. What is causing the disconnect between my local environment giving that error and aws environment printing the desired results?

Before I was getting this error: Unable to parse config file: /Users/hugo/.aws/config . But I resolved this issue by simply opening the aws config file and copying and pasting the aws_access_key_id and aws_secret_access_key found inside the secret manager for my_api like so:

[default]
region=us-west-2
aws_access_key_id=xxxxxx
aws_secret_access_key=xxxxxx

Any help is appreciated.

Thanks

1 answers

solution1
 1 ACCPTED  2022-02-27 05:16:53

my_Api does not have secretmanager:GetSecretValue permissions. You can add an inline policy to the user:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "secretmanager:GetSecretValue",
            "Resource": "*"
        }
    ]
}

You can replace * with the ARN of the secret to be more secure.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question AWS API Gateway: User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api: Assumed role python error is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxxxxxxxx How to solve (AccessDeniedException) when calling the Scan operation: User: arn:aws:sts... is not authorized to perform: dynamodb:Scan on resource.."? voclabs is not authorized to perform: iam:AttachUserPolicy on resource: user Olivia because no identity-based policy allows the iam:AttachUserPolicy AWS StsClient: User not authorized to perform: sts:AssumeRole on resource Amplify, User is not authorized to preform iam:passRole on resource AWS, GitHub Action: User is not authorized to perform: sts:AssumeRole on resource(CodePipeline) AWS User is not authorized to access this resource User is not authorized to perform: dynamodb:PutItem on resource AWS Quicksight - transfer ownership of a user resouce before deleting it by API
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM