jeremydaly / data-api-client

A "DocumentClient" for the Amazon Aurora Serverless Data API
MIT License
439 stars, 61 forks

Needed some tuning for the policies #41

Closed. ghost closed this 3 years ago

ghost commented 4 years ago

I'm not sure why but this "Resource": "arn:aws:secretsmanager:{REGION}:{ACCOUNT-ID}:secret:{PATH-TO-SECRET}/*" didn't work while this "Resource": "arn:aws:secretsmanager:{REGION}:{ACCOUNT-ID}:secret:{PATH-TO-SECRET}" did (no slash + asterisk at the end).

jeremydaly commented 4 years ago

I'm not having any issues with these settings. What region are you in?

jaska120 commented 3 years ago

I had the same issue and the solution proposed by yassineim fixed the issue.

I am on eu-west-1 region.

ffxsam commented 3 years ago

@yassineim @jaska120

See this article on AWS: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonrdsdataapi.html#amazonrdsdataapi-resources-for-iam-policies

The official recommendation is to use "Resource": "*". Yes, this goes against the concept of least privileged access, but it's what Amazon said to do.

More details here.
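The thread above turns on which Secrets Manager ARN patterns an IAM `Resource` entry actually covers. The following is an added example, not code from data-api-client or from any commenter: it applies IAM's wildcard rules to the patterns quoted in the issue and shows the policy shape the thread converges on (`rds-data` on `*`, Secrets Manager read scoped to one secret). The ARN, account id and the `-AbCdEf` suffix are constructed sample values.

```python
import re

# Constructed sample: the ARN Secrets Manager assigns to a secret named
# "prod/aurora/app". The service appends "-" plus six random characters on creation.
SECRET_ARN = "arn:aws:secretsmanager:eu-west-1:123456789012:secret:prod/aurora/app-AbCdEf"

def iam_match(pattern: str, resource: str) -> bool:
    """Return True if an IAM Resource pattern covers the given ARN."""
    # IAM treats '*' as any run of characters (including '/' and ':') and
    # '?' as exactly one character; everything else is compared literally.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, resource) is not None

def covered_by(resource: str, patterns: list[str]) -> dict[str, bool]:
    """Evaluate every candidate Resource pattern against one ARN."""
    return {p: iam_match(p, resource) for p in patterns}

# The two patterns from the issue with the placeholders filled in, plus forms
# that scope the grant to one secret while tolerating the random suffix.
PREFIX = "arn:aws:secretsmanager:eu-west-1:123456789012:secret:prod/aurora/app"
CANDIDATES = [
    PREFIX + "/*",        # from the issue: no match, the suffix starts with '-' not '/'
    PREFIX,               # from the issue: matches only if the suffix is part of the path
    PREFIX + "-AbCdEf",   # exact ARN as copied from the console or CLI
    PREFIX + "-??????",   # this one secret, whatever six-character suffix it got
    PREFIX + "*",         # broader: any secret whose name merely starts with the path
]

def least_privilege_policy(secret_pattern: str) -> dict:
    """Policy shape for a data-api-client caller: rds-data on '*' as the thread's
    linked AWS page is read to recommend, Secrets Manager read limited to one secret."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["rds-data:ExecuteStatement", "rds-data:BatchExecuteStatement",
                        "rds-data:BeginTransaction", "rds-data:CommitTransaction",
                        "rds-data:RollbackTransaction"],
             "Resource": "*"},
            {"Effect": "Allow",
             "Action": "secretsmanager:GetSecretValue",
             "Resource": secret_pattern},
        ],
    }

if __name__ == "__main__":
    for pattern, ok in covered_by(SECRET_ARN, CANDIDATES).items():
        print(f"{'match   ' if ok else 'no match'}  {pattern}")
```

Running it prints one line per candidate; the `/*` form and the bare path report `no match`, the suffix-aware forms report `match`.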