Receiving error "User: arn:aws:iam::11345636234528:user/my_Api is not authorized to perform: se

Time:02-27

I am trying to execute my code from my IDE and connect to AWS resources through boto3. I go into the Secrets portal of the AWS console. Inside AWS Secrets Manager I find the resource titled my_api where my secrets are stored. I copy that name so that I can access the dict response of values needed. I use the following code in my IDE to try and retrieve that dict response:

import boto3

# The service name boto3 expects is "secretsmanager" (with an "s").
client = boto3.client("secretsmanager")

# The parameter is SecretId (capital S); the value is the secret's name or ARN.
response = client.get_secret_value(
    SecretId="my_api"
)
print(response)

I added that code to a Python file inside my IDE and ran it in VS Code with the built-in terminal, typing: python my_boto3.py, and received the following error:

raise error_class(parsed_reponse, operation_name) botocore.exception.ClientError: An error 
occured (AccessDeniedException) when calling the GetSecretValue operation: 
User: arn:aws:iam::11345636234528:user/my_Api is not authorized to perform: 
secretmanager:GetSecretValue on resouce: my_Resource because no identity-based policy allows 
the secretsmanager:GetSecretValue action"

But when I go into AWS to find the associated Lambda function and use that same line of code inside the AWS code editor, it runs fine and prints the results. What is causing the disconnect between my local environment giving that error and the AWS environment printing the desired results?

Before that I was getting this error: Unable to parse config file: /Users/hugo/.aws/config. But I resolved this issue by simply opening the AWS config file and copying and pasting the aws_access_key_id and aws_secret_access_key found inside Secrets Manager for my_api like so:

[default]
region=us-west-2
aws_access_key_id=xxxxxx
aws_secret_access_key=xxxxxx

Any help is appreciated.

Thanks

CodePudding user response:

my_Api does not have secretsmanager:GetSecretValue permissions. You can add an inline policy to the user:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "*"
        }
    ]
}

You can replace * with the ARN of the secret to be more secure.
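The following is an added example, not code from the question or the answer above. It ties the two together: it pulls the principal, action and resource out of an AccessDeniedException message like the one in the question, builds the answer's inline policy scoped to that one secret ARN rather than "*", and runs a simplified identity-based policy evaluation (explicit Deny wins, otherwise any matching Allow grants, otherwise denied) so you can see why the wildcard policy and the scoped policy differ. The error text, account id and secret ARN are constructed samples; the evaluator ignores Condition blocks, NotAction/NotResource and resource-based policies, so it is a reasoning aid, not a replacement for the IAM policy simulator.

```python
import fnmatch
import json
import re

# Constructed sample, modelled on the question's error (not real AWS output;
# the account id and secret ARN are placeholders).
SAMPLE_ERROR = (
    "An error occurred (AccessDeniedException) when calling the GetSecretValue operation: "
    "User: arn:aws:iam::111122223333:user/my_Api is not authorized to perform: "
    "secretsmanager:GetSecretValue on resource: "
    "arn:aws:secretsmanager:us-west-2:111122223333:secret:my_api-AbCdEf "
    "because no identity-based policy allows the secretsmanager:GetSecretValue action"
)

_DENY_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: (?P<action>\S+) "
    r"on resource: (?P<resource>\S+)"
)


def parse_access_denied(message):
    """Extract principal, action and resource from an AccessDeniedException message."""
    m = _DENY_RE.search(message)
    if not m:
        raise ValueError("message is not in the expected AccessDenied format")
    return m.groupdict()


def least_privilege_policy(action, resource_arn, sid="ReadOneSecret"):
    """The answer's inline policy, scoped to one secret ARN instead of '*'."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": sid, "Effect": "Allow", "Action": action, "Resource": resource_arn}
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(value, patterns, case_sensitive):
    # IAM treats '*' and '?' as wildcards; actions compare case-insensitively,
    # resource ARNs case-sensitively.
    for pat in _as_list(patterns):
        if case_sensitive:
            hit = fnmatch.fnmatchcase(value, pat)
        else:
            hit = fnmatch.fnmatchcase(value.lower(), pat.lower())
        if hit:
            return True
    return False


def policy_allows(policy, action, resource_arn):
    """Simplified identity-based evaluation: explicit Deny wins, then any Allow,
    else implicit deny. Conditions and Not* elements are not handled (assumption)."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not _matches(action, stmt.get("Action", []), case_sensitive=False):
            continue
        if not _matches(resource_arn, stmt.get("Resource", []), case_sensitive=True):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


if __name__ == "__main__":
    info = parse_access_denied(SAMPLE_ERROR)
    policy = least_privilege_policy(info["action"], info["resource"])
    print(json.dumps(policy, indent=4))
    print("scoped policy allows the failing call:",
          policy_allows(policy, info["action"], info["resource"]))
```

Run it to print a policy you can paste as an inline policy for the user named in the error; because the Resource is the secret's own ARN, the same user still gets an AccessDenied on every other secret, which is the point of the last sentence of the answer.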
