I can't access an AWS Secrets Manager secret from another account after updating the AWS KMS encryption key, and receive an error message. How can I resolve this?

Last updated: 2019-07-02

I tried to retrieve or access an AWS Secrets Manager secret and received an error similar to one of the following:

"Access to KMS is not allowed", "InternalFailure", or "An unknown error occurred".

Short Description

Changing the encryption key associated with a Secrets Manager secret does not re-encrypt the existing versions of the secret with the new key. An external account (also called a "cross account") that has been granted access only to the new key therefore can't decrypt the current version, because that version is still encrypted under the previous key. You must write the secret value again so that the current version is encrypted with the modified AWS Key Management Service (AWS KMS) key before the other account can retrieve it. For more information, see Encrypting and Decrypting Secrets.

Resolution

Follow these instructions to re-encrypt the secret under the modified KMS key. Saving the secret value (even unchanged) creates a new version that is encrypted with the key the secret is currently configured to use.

AWS Management Console

1.    Open the Secrets Manager console.

2.    In Secret name, choose your secret.

3.    In Secret value, choose Retrieve secret value, Edit, and then choose Save.

You receive the message "Your secret value has been successfully edited."

AWS Command Line Interface (AWS CLI)

1.    Create a JSON file named creds.json. In this example, {"CrossAccount":"DefaultEncryption"} is your secret value.

$ cat creds.json 
{"CrossAccount":"DefaultEncryption"}

2.    Run the AWS CLI update-secret command to write the secret value again, which creates a new AWSCURRENT version encrypted under the modified KMS key:

$ aws secretsmanager update-secret --secret-id arn:aws:secretsmanager:us-east-1:123456789012:secret:cross-account --secret-string file://creds.json
    {
    "ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:cross-account",
    "Name": "cross-account",
    "VersionId": "f68246e8-1cfb-4c3b-952b-17c9298d3462"
    }

3.    From the other account, run the AWS CLI get-secret-value command to confirm that the secret can now be read. In this example, cross-account-user is a profile for the external account:

$ aws secretsmanager get-secret-value --secret-id arn:aws:secretsmanager:us-east-1:123456789012:secret:cross-account --version-stage AWSCURRENT --profile cross-account-user --region us-east-1 --query SecretString --output text

    {"CrossAccount":"DefaultEncryption"}
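The same re-encryption step as a script, added here as an example rather than code from the AWS article: reencrypt_current_version reads the AWSCURRENT value and writes it back so that a new version is created under the secret's current KMS key, and it also handles SecretBinary values and the case where the secret still uses the AWS-managed key (which can't be used from another account at all). It takes any object with the boto3 secretsmanager client methods, so it can be run against boto3.client("secretsmanager") or against the constructed FakeSecretsManager below; all key ids and secret values in the fake are made-up sample data.

```python
import uuid


class FakeSecretsManager:
    """Constructed stand-in for a boto3 Secrets Manager client, for offline use.
    Each version remembers the KMS key it was encrypted under, which is the
    behaviour that makes cross-account reads fail after a key change."""

    def __init__(self, kms_key_id, secret_string):
        self.kms_key_id = kms_key_id   # key the secret is configured with right now
        self.versions = {}             # version_id -> (kms_key_id, secret_string)
        self.current = self._store(secret_string)

    def _store(self, secret_string):
        version_id = str(uuid.uuid4())
        self.versions[version_id] = (self.kms_key_id, secret_string)
        return version_id

    def describe_secret(self, SecretId):
        meta = {"ARN": SecretId}
        if self.kms_key_id:            # omitted for the AWS-managed key, as in the real API
            meta["KmsKeyId"] = self.kms_key_id
        return meta

    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT"):
        return {"VersionId": self.current, "SecretString": self.versions[self.current][1]}

    def put_secret_value(self, SecretId, SecretString=None, SecretBinary=None, VersionStages=None):
        self.current = self._store(SecretString if SecretString is not None else SecretBinary)
        return {"ARN": SecretId, "VersionId": self.current}


def reencrypt_current_version(sm, secret_id):
    """Write the AWSCURRENT value back as a new version so it is encrypted under
    the secret's current KMS key. Older versions keep the old key; only the new
    AWSCURRENT version is readable by an account allowed to use the new key."""
    meta = sm.describe_secret(SecretId=secret_id)
    if "KmsKeyId" not in meta:
        # The AWS-managed key aws/secretsmanager cannot be used from another
        # account, so re-encrypting is pointless until a customer managed key is set.
        raise ValueError(f"{secret_id} uses the AWS-managed key; cross-account reads are not possible")
    current = sm.get_secret_value(SecretId=secret_id, VersionStage="AWSCURRENT")
    # Keep whichever form the value is stored in; the CLI steps above only cover SecretString.
    payload = ({"SecretBinary": current["SecretBinary"]} if "SecretBinary" in current
               else {"SecretString": current["SecretString"]})
    new = sm.put_secret_value(SecretId=secret_id, VersionStages=["AWSCURRENT"], **payload)
    return new["VersionId"]
```

With a real client, run update-secret --kms-key-id (or change the key in the console) first; this function only refreshes the current version under whatever key the secret already points to.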