I want to share my AWS Secrets Manager secret with another AWS account. How can I do this?

In this example, Security_Account is the account that manages your credentials, and Dev_Account is the account that your developers use. An AWS Identity and Access Management (IAM) user, or an application running on an Amazon Elastic Compute Cloud (Amazon EC2) instance, in Dev_Account retrieves a secret stored in Security_Account. A resource-based policy lets you attach a permissions policy directly to the secret; you use it to allow an IAM entity from Dev_Account to access the secret in Security_Account.

A secret named DevSecret in Security_Account is encrypted with a customer master key (CMK) named DevSecretCMK, and the secret is then shared with Dev_Account.

Note: You can't use the account's default CMK (the AWS managed CMK) for this. An AWS managed CMK is created, managed, and used on your behalf by an AWS service that is integrated with AWS Key Management Service (AWS KMS). It is unique to your AWS account and Region, and only the service that created it can use it, so you can't edit its key policy to grant access to another account. For more information, see Customer Master Keys.

Important: Before you begin, you must have the AWS Command Line Interface (AWS CLI) installed and configured.

1.    Attach a permissions policy similar to the following to the IAM identity in Dev_Account:

Note: Replace your-region with your AWS Region.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:us-west-2:Security_Account:secret:DevSecret"
    },
    {
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:your-region:Security_Account:key/DevSecretCMK"
    }
  ]
}

The IAM user SecretsUser in Dev_Account retrieves the secret. SecretsUser must have the secretsmanager:GetSecretValue permission on the secret. SecretsUser also needs the kms:Decrypt permission, because DevSecret is encrypted with DevSecretCMK.

2.    Grant permissions in the key policy of the CMK. Secrets Manager encrypts secrets by default. Identities that retrieve these secrets require access to decrypt. Because DevSecret is encrypted using DevSecretCMK, you must update the key policy by adding the following permissions:

{
  "Sid": "AllowUseOfTheKey",
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::Dev_Account:user/SecretsUser"},
  "Action": [
    "kms:Decrypt",
    "kms:DescribeKey"
  ],
  "Resource": "arn:aws:kms:your-region:Security_Account:key/DevSecretCMK"
}

This statement grants SecretsUser permission to use DevSecretCMK for the kms:Decrypt and kms:DescribeKey operations.

3.    Allow the IAM entity permission to access the secret. From Security_Account, attach a resource-based policy that grants SecretsUser permission to retrieve DevSecret. Copy the following policy into a file named ResourcePolicySecret.json:

Note: Currently this resource-based policy can only be attached to a secret using the AWS CLI or an AWS SDK.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::Dev_Account:user/SecretsUser"},
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "*",
      "Condition": {"ForAnyValue:StringEquals": {"secretsmanager:VersionStage": "AWSCURRENT"}}
    }
  ]
}

4.    Attach the resource-based policy to DevSecret:

$ aws secretsmanager put-resource-policy --secret-id DevSecret --resource-policy file://ResourcePolicySecret.json

5.    Retrieve the secret as SecretsUser:

$ aws secretsmanager get-secret-value --secret-id arn:aws:secretsmanager:us-west-2:Security_Account:secret:DevSecret --version-stage AWSCURRENT

Note: You can use these instructions for all IAM entities. For example, for an Amazon EC2 instance profile or a role, replace or add the Amazon Resource Name (ARN) in the resource policy and edit the permissions attached to the IAM entity.
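The three documents from steps 1 to 3 must agree with each other (same principal, same CMK, same Dev_Account) or the retrieval in step 5 is denied. The script below is an added example, not code from AWS or from this article: it builds all three from one set of parameters and cross-checks them before you apply them with the CLI. The account IDs and key ID are constructed placeholders, and the identity policy matches the secret as DevSecret-* because a real secret ARN ends in a random six-character suffix.

```python
import json

def build_policies(security_account, dev_account, region, key_id, secret_name, principal_arn):
    """Return the three policy documents for the steps above as dicts."""
    # Real secret ARNs end in a random 6-character suffix, hence "<name>-*".
    secret_arn = f"arn:aws:secretsmanager:{region}:{security_account}:secret:{secret_name}-*"
    key_arn = f"arn:aws:kms:{region}:{security_account}:key/{key_id}"
    identity_policy = {  # step 1: attached to the IAM entity in Dev_Account
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": secret_arn},
            {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": key_arn},
        ],
    }
    key_statement = {  # step 2: added to the key policy of the CMK in Security_Account
        "Sid": "AllowUseOfTheKey", "Effect": "Allow",
        "Principal": {"AWS": principal_arn},
        "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": key_arn,
    }
    resource_policy = {  # step 3: attached to the secret itself
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow", "Principal": {"AWS": principal_arn},
            "Action": "secretsmanager:GetSecretValue", "Resource": "*",
            "Condition": {"ForAnyValue:StringEquals": {"secretsmanager:VersionStage": "AWSCURRENT"}},
        }],
    }
    return identity_policy, key_statement, resource_policy

def check_policies(identity_policy, key_statement, resource_policy, dev_account):
    """Cross-check the documents; returns a list of problems (empty when consistent)."""
    problems, stmt = [], resource_policy["Statement"][0]
    for p in {key_statement["Principal"]["AWS"], stmt["Principal"]["AWS"]}:
        if p == "*" or not p.startswith(f"arn:aws:iam::{dev_account}:"):
            problems.append(f"principal {p!r} is not an IAM entity in account {dev_account}")
    if key_statement["Principal"] != stmt["Principal"]:
        problems.append("key policy and secret resource policy grant different principals")
    decrypt_on = [s["Resource"] for s in identity_policy["Statement"] if s["Action"] == "kms:Decrypt"]
    if key_statement["Resource"] not in decrypt_on:
        problems.append("identity policy lacks kms:Decrypt on the CMK named in the key policy")
    if stmt.get("Condition", {}).get("ForAnyValue:StringEquals", {}).get("secretsmanager:VersionStage") != "AWSCURRENT":
        problems.append("resource policy does not limit access to the AWSCURRENT version stage")
    return problems

if __name__ == "__main__":  # constructed placeholder IDs, not real resources
    docs = build_policies("111111111111", "222222222222", "us-west-2", "1234abcd-12ab-34cd-56ef-1234567890ab",
                          "DevSecret", "arn:aws:iam::222222222222:user/SecretsUser")
    print("problems:", check_policies(*docs, dev_account="222222222222"))
    print(json.dumps(docs[2], indent=2))  # save as ResourcePolicySecret.json for step 4
```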


Published: 2019-03-29