
Let's say something like this is being returned.
An error occurred (AccessDeniedException) when calling the ListSecrets operation:
User: arn:aws:sts::123456789012:assumed-role/my-role/my-session is not authorized to perform:
secretsmanager:ListSecrets because no identity-based policy allows the secretsmanager:ListSecrets action
I got this when I attempted to list Amazon Web Services (AWS) secrets from AWS Secrets Manager using Python boto3, for example with something like this.
#!/usr/bin/python3
import boto3

# Uses whatever credentials boto3 finds (environment, ~/.aws, instance role),
# in this case the my-role / my-session assumed-role identity from the error
client = boto3.client('secretsmanager')

# Only return secrets whose name matches 'my-secret'
secrets_dict = client.list_secrets(
    Filters=[
        {'Key': 'name', 'Values': ['my-secret']}
    ]
)
print(f"secrets_dict = {secrets_dict}")
Here are the most common reasons Access Denied is returned.
- The resource does not have a Permission Policy that allows a User or Service access to the resource
- The User attempting to access the resource does not have an Identity-Based Permission Policy that allows the user access to the resource
- The Service attempting to access the resource does not have a Resource-Based Permission Policy that allows the service access to the resource
- The User attempting to access the resource Assumed a Role but the Role does not have a Trust Policy that allows the user to assume the role
- The User attempting to access the resource Assumed a Role but the Role does not have a Permission Policy that allows the user access to the resource
- The Permission Policy associated with the resource does not allow certain Actions, such as s3:ListObjects
In this case, the user attempting to list secrets may not have a Permission Policy or Trust Policy that allows listing secrets. For the difference between the two, check out my article Permission Policy vs Trust Policy.
The aws iam list-roles command can be used to display the role, including its trust policy (the AssumeRolePolicyDocument). In this example, user johndoe is allowed to assume my-role.
~]$ aws iam list-roles --query 'Roles[?RoleName==`my-role`]'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/johndoe"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
And then the aws iam list-attached-role-policies command can be used to list the permission policies attached to the role. In this example, no policies are attached to the role, which is why Access Denied is being returned when attempting to list secrets: the trust policy lets johndoe assume my-role, but nothing grants my-role the secretsmanager:ListSecrets action.
~]$ aws iam list-attached-role-policies --role-name my-role
{
  "AttachedPolicies": []
}
The aws iam attach-role-policy command can be used to attach a policy to the role. This should resolve the Access Denied error. Here the AWS managed SecretsManagerReadWrite policy is attached; a policy scoped to only the actions and secrets the role needs is preferable once you know what those are.
~]$ aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/SecretsManagerReadWrite --role-name my-role
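The checks above (does the trust policy let the principal assume the role, and does any attached permission policy allow the denied action) can be scripted so the triage is repeatable. The following is an added example, not code from the original article: it parses the AccessDenied text, evaluates a trust policy and permission policy documents with simple wildcard matching (conditions are not evaluated), and optionally pulls the real documents with boto3. The error text, account id, role name and policy documents below are constructed to match the article's scenario.

```python
#!/usr/bin/python3
"""Triage an AWS AccessDeniedException by checking the role's trust policy and
its attached permission policies. Added example, not from the original article;
the sample error and policy documents are constructed for illustration."""
import fnmatch
import re

# Matches the error text boto3 / the AWS CLI print on AccessDenied.
_DENIED_RE = re.compile(
    r"User:\s*(?P<principal>arn:aws:(?:sts|iam)::(?P<account>\d{12}):\S+)"
    r"\s+is not authorized to perform:\s*(?P<action>[\w-]+:[\w*]+)"
)


def _as_list(value):
    """IAM accepts either a string or a list for Action, Resource and Principal."""
    return value if isinstance(value, list) else [value]


def parse_access_denied(message):
    """Extract principal ARN, account, denied action and (for an assumed-role
    session) the role name. Returns None if the text is not an AccessDenied error."""
    m = _DENIED_RE.search(message)
    if not m:
        return None
    info = m.groupdict()
    # arn:aws:sts::123456789012:assumed-role/my-role/my-session -> my-role
    path = info["principal"].split(":", 5)[5].split("/")
    info["role_name"] = path[1] if path[0] == "assumed-role" and len(path) > 1 else None
    return info


def trust_policy_allows(trust_doc, principal_arn):
    """True if an Allow statement lets principal_arn call sts:AssumeRole."""
    for stmt in _as_list(trust_doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if any(p in ("*", principal_arn) for p in principals):
            return True
    return False


def policy_allows_action(policy_doc, action, resource="*"):
    """Evaluate one permission policy document: 'deny' if an explicit Deny
    matches, 'allow' if an Allow matches, else 'none'. Action names are
    case-insensitive and may contain * wildcards; Condition blocks are ignored."""
    verdict = "none"
    for stmt in _as_list(policy_doc.get("Statement", [])):
        acts = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in acts):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*"))):
            continue
        if stmt.get("Effect") == "Deny":
            return "deny"  # an explicit Deny always wins
        verdict = "allow"
    return verdict


def diagnose(message, attached_policies):
    """Given the error text and {policy_name: document} for the role's attached
    permission policies, return a list of findings (empty means nothing obvious)."""
    info = parse_access_denied(message)
    if info is None:
        return ["not an AccessDenied message"]
    findings = []
    if not attached_policies:
        findings.append(f"role {info['role_name']} has no attached permission policies")
    verdicts = {n: policy_allows_action(d, info["action"]) for n, d in attached_policies.items()}
    denied = [n for n, v in verdicts.items() if v == "deny"]
    if denied:
        findings.append(f"{info['action']} explicitly denied by {', '.join(denied)}")
    elif attached_policies and "allow" not in verdicts.values():
        findings.append(f"no attached policy allows {info['action']}")
    return findings


def fetch_role_policies(role_name):
    """Fetch the trust policy and attached policy documents with boto3. Needs
    credentials holding iam:GetRole, iam:ListAttachedRolePolicies, iam:GetPolicy
    and iam:GetPolicyVersion; kept separate so the checks above run offline."""
    import boto3  # imported here so the pure checks do not require boto3
    iam = boto3.client("iam")
    trust = iam.get_role(RoleName=role_name)["Role"]["AssumeRolePolicyDocument"]
    docs = {}
    for p in iam.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]:
        version = iam.get_policy(PolicyArn=p["PolicyArn"])["Policy"]["DefaultVersionId"]
        docs[p["PolicyName"]] = iam.get_policy_version(
            PolicyArn=p["PolicyArn"], VersionId=version)["PolicyVersion"]["Document"]
    return trust, docs


# Constructed sample matching the article: johndoe may assume my-role, nothing attached.
SAMPLE_ERROR = ("An error occurred (AccessDeniedException) when calling the ListSecrets "
                "operation: User: arn:aws:sts::123456789012:assumed-role/my-role/my-session "
                "is not authorized to perform: secretsmanager:ListSecrets because no "
                "identity-based policy allows the secretsmanager:ListSecrets action")
SAMPLE_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::123456789012:user/johndoe"},
                "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    print(trust_policy_allows(SAMPLE_TRUST, "arn:aws:iam::123456789012:user/johndoe"))
    print(diagnose(SAMPLE_ERROR, {}))
```

Run it as-is to see the offline verdict for the article's scenario; against a real account, pass the role name from parse_access_denied() to fetch_role_policies() and feed the returned documents to diagnose(). Policies attached to the role are the only ones checked; inline role policies, permission boundaries, SCPs and the secret's own resource policy can also produce the same error and would need their own checks.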