I am unable to access an AWS Secrets Manager secret from another AWS account after updating the KMS encryption key, and receive an error message. How can I resolve this?

Last updated: 2021-01-08

I attempted to retrieve or access an AWS Secrets Manager secret, and I received an error similar to one of the following:

"Access to KMS is not allowed", "InternalFailure", or "An unknown error occurred".

-or-

"Access to KMS is not allowed. This version of secret is not encrypted with the current KMS key."

Short description

Changing the encryption key associated with a Secrets Manager secret with the AWS Command Line Interface (AWS CLI) does not re-encrypt the current or previous versions of the secret with the new encryption key. External accounts, also called cross-accounts, therefore can't access the secret, because the version they retrieve is still encrypted with the old key rather than the new KMS CMK. You must re-encrypt the secret with the new AWS Key Management Service (AWS KMS) key before the secret value can be retrieved from the cross-account.

Note: Using the Secrets Manager console to change the encryption key associated with a secret creates a new version of the secret and encrypts it with the new encryption key. For more information, see Encrypting and decrypting secrets.

Resolution

Follow these instructions to re-encrypt the secret with the new KMS CMK.

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent AWS CLI version.

AWS Management Console

1.    Open the Secrets Manager console.

2.    In Secret name, choose your secret.

3.    In Secret value, choose Retrieve secret value, Edit, and then choose Save.

You receive the message "Your secret value has been successfully edited."

AWS CLI

Follow these steps from the source account where the secret resides.

1.    Run the AWS CLI command get-secret-value similar to the following:

$ aws secretsmanager get-secret-value --secret-id arn:aws:secretsmanager:us-east-1:123456789012:secret:cross-account --query SecretString --output text

    {"CrossAccount":"DefaultEncryption"}

2.    Create a file named creds.txt that contains the secret value returned in step 1.

$ cat creds.txt

    {"CrossAccount":"DefaultEncryption"}

3.    Run the AWS CLI update-secret command to write the secret value back, which re-encrypts it with the new encryption key, similar to the following:

$ aws secretsmanager update-secret --secret-id arn:aws:secretsmanager:us-east-1:123456789012:secret:cross-account --secret-string file://creds.txt

    {
        "ARN": "arn:aws:secretsmanager:us-east-1:123456789012:cross-account",
        "Name": "cross-account",
        "VersionId": "f68246e8-1cfb-4c3b-952b-17c9298d3462"
    }

4.    Run the AWS CLI command get-secret-value from the cross-account, similar to the following:

$ aws secretsmanager get-secret-value --secret-id arn:aws:secretsmanager:us-east-1:123456789012:secret:cross-account --version-stage AWSCURRENT --profile cross-account-user --region us-east-1 --query SecretString --output text

    {"CrossAccount":"DefaultEncryption"}
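The same repair as a script, added here as an example that is not part of the AWS article: it uses DescribeSecret and ListSecretVersionIds to find versions whose KMS key no longer matches the secret's current key, then writes the AWSCURRENT value back in memory so no creds.txt is left on disk. It assumes a boto3-style secretsmanager client with those methods; the FakeSecretsManager class and the demo scenario are constructed stand-ins so the example runs offline.

```python
# Added example, not from the AWS article: find secret versions whose KMS key no longer
# matches the secret's current key, then repair by writing AWSCURRENT back in memory (no
# creds.txt on disk). Works with boto3.client("secretsmanager") or the fake client below.

def _key_id(key):
    # Trailing key-ID segment so an ARN and a bare key ID compare equal; aliases are not resolved.
    return key.rsplit("/", 1)[-1] if key else None

def stale_versions(client, secret_id):
    """Version IDs not encrypted with DescribeSecret.KmsKeyId (first page of versions only)."""
    current = _key_id(client.describe_secret(SecretId=secret_id).get("KmsKeyId"))
    stale = []
    for v in client.list_secret_version_ids(SecretId=secret_id)["Versions"]:
        # No KmsKeyIds means the version used the default aws/secretsmanager key.
        version_keys = {_key_id(k) for k in v.get("KmsKeyIds", [])} or {None}
        if current not in version_keys:
            stale.append(v["VersionId"])
    return stale

def reencrypt_current(client, secret_id):
    """Write AWSCURRENT back so a new version is created under the current key (the article's steps 1-3)."""
    value = client.get_secret_value(SecretId=secret_id, VersionStage="AWSCURRENT")
    payload = ({"SecretString": value["SecretString"]} if "SecretString" in value
               else {"SecretBinary": value["SecretBinary"]})
    return client.update_secret(SecretId=secret_id, **payload)["VersionId"]

class FakeSecretsManager:
    """Constructed in-memory stand-in for the boto3 client, so this runs offline."""
    def __init__(self, current_key, versions):
        self.key, self.versions = current_key, versions
    def describe_secret(self, SecretId):
        return {"ARN": SecretId, "KmsKeyId": self.key}
    def list_secret_version_ids(self, SecretId):
        return {"Versions": [{k: v[k] for k in ("VersionId", "VersionStages", "KmsKeyIds")}
                             for v in self.versions]}
    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT"):
        v = next(v for v in self.versions if VersionStage in v["VersionStages"])
        return {"VersionId": v["VersionId"], "SecretString": v["SecretString"]}
    def update_secret(self, SecretId, SecretString=None, **_):
        for v in self.versions:  # demote the old AWSCURRENT, as the service does
            v["VersionStages"] = ["AWSPREVIOUS"] if "AWSCURRENT" in v["VersionStages"] else []
        new = {"VersionId": "v%d" % (len(self.versions) + 1), "VersionStages": ["AWSCURRENT"],
               "KmsKeyIds": [self.key], "SecretString": SecretString}
        self.versions.append(new)
        return {"ARN": SecretId, "VersionId": new["VersionId"]}

# Constructed scenario: the key was switched via the CLI, but AWSCURRENT still uses the old key.
demo_client = FakeSecretsManager("arn:aws:kms:us-east-1:123456789012:key/new-key", [{
    "VersionId": "v1", "VersionStages": ["AWSCURRENT"], "KmsKeyIds": ["old-key"],
    "SecretString": '{"CrossAccount":"DefaultEncryption"}'}])
```

After reencrypt_current runs, stale_versions still lists the old version because it keeps the old key as AWSPREVIOUS; only the new AWSCURRENT version is readable with the new key.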