An IAM user in our AWS account is trying to fetch a specific secret from Secrets Manager via the AWS CLI, but cannot, even though they should have the required permissions:
aws secretsmanager get-secret-value --secret-id "config/my/secret"
fails with the error "Access to KMS is not allowed". We encrypt secrets with the default (AWS-managed) encryption key, and its key policy looks reasonable to me:
"Statement": [
  {
    "Sid": "Allow access through AWS Secrets Manager for all principals in the account that are authorized to use AWS Secrets Manager",
    "Effect": "Allow",
    "Principal": {
      "AWS": "*"
    },
    "Action": [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:CreateGrant",
      "kms:DescribeKey"
    ],
    "Resource": "*",
    "Condition": {
      "StringEquals": {
        "kms:CallerAccount": "<REDACTED>",
        "kms:ViaService": "secretsmanager.eu-west-1.amazonaws.com"
      }
    }
  },
  {
    "Sid": "Allow access through AWS Secrets Manager for all principals in the account that are authorized to use AWS Secrets Manager",
    "Effect": "Allow",
    "Principal": {
      "AWS": "*"
    },
    "Action": "kms:GenerateDataKey*",
    "Resource": "*",
    "Condition": {
      "StringEquals": {
        "kms:CallerAccount": "<redacted>"
      },
      "StringLike": {
        "kms:ViaService": "secretsmanager.*.amazonaws.com"
      }
    }
  }
]
In the documentation on KMS key permissions they say you need
- kms:GenerateDataKey
- kms:Decrypt
both of which are granted by the key policy.
The user has an IAM policy attached that grants them Secrets Manager permissions via the API, as described here: https://curiousprogrammer.net/posts/2022-02-16-aws-secrets-manager-least-privilege#_2_create_the_iam_policy
I looked in CloudTrail and found nothing useful, only an "unknown error" message:
"eventSource": "secretsmanager.amazonaws.com",
"eventName": "GetSecretValue",
"awsRegion": "eu-west-1",
"userAgent": "aws-cli/2.4.18 Python/3.9.10 Darwin/21.2.0 source/arm64 prompt/off command/secretsmanager.get-secret-value",
"errorCode": "InternalFailure",
"errorMessage": "An unknown error occurred",
"requestParameters": {
"secretId": "config/my/secret"
},
How can I find out what is going on and which additional permissions are needed?
Answer 1
This was caused by our enforce-MFA policy, this part in particular:
{
"Sid": "DenyAllExceptListedIfNoMFA",
"Effect": "Deny",
"NotAction": [
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:GetUser",
"iam:ListMFADevices",
"iam:ListVirtualMFADevices",
"iam:ResyncMFADevice",
"sts:GetSessionToken"
],
"Resource": "*",
"Condition": {
"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}
}
}
Since the AWS CLI normally does not use MFA, that policy applied and its Deny rule overrode the otherwise working permissions granted by the key policy.
The solution is to use a temporary session token: https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/
$ aws sts get-session-token --serial-number arn-of-the-mfa-device --token-code code-from-token
I discuss this in more detail on my blog: https://curiousprogrammer.net/posts/2022-02-16-aws-secrets-manager-least-privilege#_update_2022_02_22_the_perils_of_mfa
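As an added example (not code from the question or the answer above), the following Python models the IAM evaluation rule behind this failure: an explicit Deny anywhere wins, and a BoolIfExists condition on aws:MultiFactorAuthPresent is satisfied when the key is simply absent from the request context, which is exactly the case for long-term access keys used by the CLI. The Deny statement is the one from the answer; the Allow statement for the user and the request contexts are assumed and constructed for the example. It shows why the same secretsmanager:GetSecretValue call is denied with plain access keys and allowed with an MFA session, and why sts:GetSessionToken still goes through.

```python
"""Toy IAM evaluator for the Deny-unless-MFA pattern (added example, not from the thread)."""
import fnmatch

# Copied from the answer above: deny everything except the MFA bootstrap actions
# whenever aws:MultiFactorAuthPresent is absent or false.
MFA_DENY = {
    "Sid": "DenyAllExceptListedIfNoMFA",
    "Effect": "Deny",
    "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken",
    ],
    "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
}

# Assumed least-privilege Allow for the user (hypothetical; stands in for the policy
# the question links to). kms:Decrypt is included because Secrets Manager calls
# KMS on the caller's behalf when reading a secret.
SECRETS_ALLOW = {
    "Sid": "ReadOneSecret",
    "Effect": "Allow",
    "Action": ["secretsmanager:GetSecretValue", "kms:Decrypt"],
    "Resource": "*",
}

POLICY = [MFA_DENY, SECRETS_ALLOW]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(stmt, action):
    """Case-insensitive action matching with '*' wildcards; NotAction inverts the match."""
    if "Action" in stmt:
        patterns = _as_list(stmt["Action"])
        return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)
    patterns = _as_list(stmt["NotAction"])
    return not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _condition_holds(condition, ctx):
    """Implements only the Bool and BoolIfExists operators this example needs."""
    for operator, pairs in condition.items():
        for key, want in pairs.items():
            present = key in ctx
            if operator == "BoolIfExists":
                # Absent key counts as a match. This is the trap: requests signed with
                # long-term access keys carry no aws:MultiFactorAuthPresent key at all.
                if present and str(ctx[key]).lower() != str(want).lower():
                    return False
            elif operator == "Bool":
                if not present or str(ctx[key]).lower() != str(want).lower():
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def evaluate(statements, action, ctx):
    """Simplified IAM logic: a matching explicit Deny wins, then any matching Allow,
    otherwise the implicit deny."""
    decision = "ImplicitDeny"
    for stmt in statements:
        if not _action_matches(stmt, action):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def mfa_deny_blocks(action, ctx):
    """True when the enforce-MFA Deny statement alone would block this request."""
    return evaluate([MFA_DENY], action, ctx) == "Deny"


# Constructed request contexts. Long-term access keys: no MFA key in the context.
LONG_TERM_KEYS = {}
# Credentials returned by `aws sts get-session-token --serial-number ... --token-code ...`.
MFA_SESSION = {"aws:MultiFactorAuthPresent": True}

if __name__ == "__main__":
    for label, ctx in (("access keys", LONG_TERM_KEYS), ("MFA session", MFA_SESSION)):
        for action in ("secretsmanager:GetSecretValue", "kms:Decrypt", "sts:GetSessionToken"):
            print(f"{label:12} {action:32} -> {evaluate(POLICY, action, ctx)}"
                  f" (MFA deny applies: {mfa_deny_blocks(action, ctx)})")
```

The evaluator deliberately ignores Resource and Principal matching, which does not change the outcome here: the Deny carries "Resource": "*", so it reaches the KMS call Secrets Manager makes on the user's behalf regardless of how permissive the key policy is.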