How do I share AWS Secrets Manager secrets between AWS accounts?

Last updated: 2022-07-20

I want to share my AWS Secrets Manager secret with another AWS account. How can I do this?

Short description

In this example, account A (Security_Account) is where your security team manages credentials, and account B (Dev_Account) is the account your developers use. An AWS Identity and Access Management (IAM) user in Dev_Account, or an application running on an Amazon Elastic Compute Cloud (Amazon EC2) instance in Dev_Account, retrieves a secret that lives in Security_Account. Secrets Manager supports resource-based policies, which let you attach a permissions policy directly to a secret. You use this policy to allow an IAM entity from Dev_Account to access the secret in Security_Account.

A secret named DevSecret in your Security_Account (account A) is encrypted using an AWS Key Management Service (AWS KMS) key DevSecretKMS. Then, the secret is shared with your Dev_Account (account B).

Note: You can't use the AWS managed key for Secrets Manager (the account's default key) for cross-account access. An AWS managed key is created, managed, and used on your behalf by the AWS service that integrates with AWS Key Management Service. It is unique to your AWS account and Region, you can't edit its key policy, and only principals in the account that owns it can use it through that service. For more information, see AWS KMS keys.

Resolution

Follow these steps in the Security_Account (account A), in the Region where your secret is:

1.    If you don't have a secret, then follow the instructions for creating a secret. Be sure to specify the full Amazon Resource Name (ARN) of DevSecretKMS in the AWS KMS key ID parameter for the secret.

2.    If you have an existing secret that references its key by alias or by bare key ID, then follow the instructions for modifying a secret. Be sure to specify the full AWS KMS key ARN in the AWS KMS key ID parameter for the secret.

Note: You must use the full AWS KMS key ARN to access a secret from another AWS account. An alias or bare key ID is resolved in the calling account, so it can't refer to a key in Security_Account.

3.    Grant permissions in the key policy of the AWS KMS key. Secrets Manager always encrypts secrets with a KMS key, so any identity that retrieves a secret must be able to decrypt with that key. Because DevSecret is encrypted using DevSecretKMS, you must add the following statement to the Statement array of the DevSecretKMS key policy:

Note: Replace your-region with your AWS Region.

{
  "Sid": "AllowUseOfTheKey",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::Dev_Account:user/SecretsUser"
  },
  "Action": [
    "kms:Decrypt"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:ViaService": "secretsmanager.your-region.amazonaws.com"
    },
    "StringLike": {
      "kms:EncryptionContext:SecretARN": "arn:aws:secretsmanager:your-region:Security_Account:secret:DevSecret-??????"
    }
  }
}

This statement grants SecretsUser in the Dev_Account (account B) permission to call kms:Decrypt with DevSecretKMS in the Security_Account (account A), but only when the request comes through Secrets Manager in the stated Region (kms:ViaService) and only for ciphertext whose encryption context names DevSecret (kms:EncryptionContext:SecretARN). The ?????? wildcard matches the six-character suffix that Secrets Manager appends to the secret name in its ARN.

4.    Allow the IAM entity permission to access the secret. From the Security_Account, attach a resource-based policy to DevSecret that grants SecretsUser permission to retrieve it. In a secret's resource policy, "Resource": "*" refers to that secret only.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::Dev_Account:user/SecretsUser"
      },
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "*"
    }
  ]
}

Follow these steps in the Dev_Account (account B):

1.    Attach permissions to the IAM identity that will retrieve the secret. Use a policy similar to the following:

Note: Replace your-region with your AWS Region.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGetSecretValue",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": [
        "arn:aws:secretsmanager:your-region:Security_Account:secret:DevSecret-??????"
      ]
    },
    {
      "Sid": "AllowKMSDecrypt",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:kms:your-region:Security_Account:key/DevSecretKMS_id"
      ]
    }
  ]
}

For the IAM user SecretsUser in Dev_Account to retrieve the secret, SecretsUser must have the secretsmanager:GetSecretValue permission on the secret's ARN. The kms:Decrypt permission on DevSecretKMS is also required, because DevSecret is encrypted using DevSecretKMS. Unlike same-account access, cross-account access requires both the resource-based policies in Security_Account and this identity-based policy in Dev_Account; neither side is sufficient alone.

2.    Retrieve the secret as SecretsUser, similar to the following:

$ aws secretsmanager get-secret-value --secret-id arn:aws:secretsmanager:your-region:Security_Account:secret:DevSecret --version-stage AWSCURRENT --region your-region

Note: Replace your-region with the AWS Region that the secret is in. Because the secret is in another account, you must identify it by its full ARN; the secret name alone is resolved in the calling account and fails.

These instructions apply to any IAM principal. For example, for an Amazon EC2 instance profile or another IAM role, replace or add the role's ARN as the principal in the key policy statement and in the secret's resource policy, and attach the identity-based policy to the role.
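The procedure above spans two accounts and three policy documents that must agree on the same principal, Region, secret ARN and key ARN; most cross-account AccessDenied errors come from one of them drifting. The following added example (not code from the original article or from AWS) builds all three documents from one set of parameters, cross-checks them, and applies them with boto3 when given a boto3.Session for each account. The account IDs, key ID, and the check_chain, apply_security_account and apply_dev_account function names are assumptions made up for illustration.

```python
"""Build, cross-check and apply the policies for cross-account secret sharing.
Added example, not part of the original article. Account IDs and the key ID
below are constructed placeholders; replace them with your own values."""
import json
import re

SECURITY_ACCOUNT = "111111111111"   # account A: owns DevSecret and DevSecretKMS (placeholder)
DEV_ACCOUNT = "222222222222"        # account B: where SecretsUser lives (placeholder)
REGION = "us-east-1"
SECRET_NAME = "DevSecret"
KMS_KEY_ID = "1234abcd-12ab-34cd-56ef-1234567890ab"   # placeholder key ID
PRINCIPAL_ARN = f"arn:aws:iam::{DEV_ACCOUNT}:user/SecretsUser"

KEY_ARN_RE = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")


def key_arn(region, account, key_id):
    return f"arn:aws:kms:{region}:{account}:key/{key_id}"


def secret_arn_pattern(region, account, name):
    # Secrets Manager appends a random 6-character suffix to the name in the ARN.
    return f"arn:aws:secretsmanager:{region}:{account}:secret:{name}-??????"


def is_full_key_arn(kms_key_id):
    """Cross-account access needs the full key ARN: aliases and bare key IDs
    resolve in the caller's account, so they never reach the key in account A."""
    return bool(KEY_ARN_RE.match(kms_key_id))


def kms_key_policy_statement(principal_arn, region, security_account, secret_name):
    """Statement to append to the DevSecretKMS key policy (account A)."""
    return {
        "Sid": "AllowUseOfTheKey", "Effect": "Allow",
        "Principal": {"AWS": principal_arn},
        "Action": ["kms:Decrypt"], "Resource": "*",
        "Condition": {
            "StringEquals": {"kms:ViaService": f"secretsmanager.{region}.amazonaws.com"},
            "StringLike": {"kms:EncryptionContext:SecretARN":
                           secret_arn_pattern(region, security_account, secret_name)},
        },
    }


def secret_resource_policy(principal_arn):
    """Resource-based policy attached to DevSecret (account A); "*" means this secret."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": principal_arn},
        "Action": "secretsmanager:GetSecretValue", "Resource": "*"}]}


def identity_policy(region, security_account, secret_name, key_id):
    """Identity-based policy for SecretsUser (account B)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowGetSecretValue", "Effect": "Allow",
         "Action": ["secretsmanager:GetSecretValue"],
         "Resource": [secret_arn_pattern(region, security_account, secret_name)]},
        {"Sid": "AllowKMSDecrypt", "Effect": "Allow", "Action": ["kms:Decrypt"],
         "Resource": [key_arn(region, security_account, key_id)]}]}


def check_chain(key_stmt, secret_policy, id_policy, principal_arn):
    """Return a list of mismatches between the three documents; empty means they agree.
    Each check mirrors a common cause of AccessDenied on cross-account GetSecretValue."""
    problems = []
    if key_stmt["Principal"]["AWS"] != principal_arn:
        problems.append("key policy principal differs from the retrieving identity")
    if secret_policy["Statement"][0]["Principal"]["AWS"] != principal_arn:
        problems.append("secret resource policy principal differs from the retrieving identity")
    via = key_stmt["Condition"]["StringEquals"]["kms:ViaService"]
    ctx = key_stmt["Condition"]["StringLike"]["kms:EncryptionContext:SecretARN"]
    if via != f"secretsmanager.{ctx.split(':')[3]}.amazonaws.com":
        problems.append("kms:ViaService region does not match the secret's region")
    by_sid = {s["Sid"]: s for s in id_policy["Statement"]}
    if ctx not in by_sid["AllowGetSecretValue"]["Resource"]:
        problems.append("identity policy secret ARN differs from the key policy encryption context")
    for res in by_sid["AllowKMSDecrypt"]["Resource"]:
        if not is_full_key_arn(res):
            problems.append(f"identity policy names the key as {res!r}; use the full key ARN")
    return problems


def apply_security_account(session, key_id, secret_id, key_stmt, secret_policy):
    """Run with credentials for account A. put_key_policy replaces the whole document,
    so the current policy is read first and the statement merged in by Sid."""
    kms, sm = session.client("kms"), session.client("secretsmanager")
    current = json.loads(kms.get_key_policy(KeyId=key_id, PolicyName="default")["Policy"])
    current["Statement"] = [s for s in current["Statement"]
                            if s.get("Sid") != key_stmt["Sid"]] + [key_stmt]
    kms.put_key_policy(KeyId=key_id, PolicyName="default", Policy=json.dumps(current))
    sm.update_secret(SecretId=secret_id, KmsKeyId=key_arn(REGION, SECURITY_ACCOUNT, key_id))
    sm.put_resource_policy(SecretId=secret_id, ResourcePolicy=json.dumps(secret_policy))


def apply_dev_account(session, user_name, id_policy, secret_arn):
    """Run with credentials for account B: attach the policy, then fetch by full ARN."""
    session.client("iam").put_user_policy(UserName=user_name, PolicyName="ReadDevSecret",
                                          PolicyDocument=json.dumps(id_policy))
    return session.client("secretsmanager").get_secret_value(
        SecretId=secret_arn, VersionStage="AWSCURRENT")["SecretString"]
```

Call check_chain on the three generated documents before applying anything; a non-empty list names the document to fix. For a role-based principal (for example an EC2 instance profile), pass the role ARN as principal_arn and swap put_user_policy for put_role_policy in apply_dev_account.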