I have the following resource policy for my AWS Secrets Manager secret:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "policyForSomething",
    "Effect": "Deny",
    "Condition": {
      "StringNotEquals": {
        "aws:PrincipalArn": [
          "arn:aws:sts::**********:assumed-role/####/USERG",
          "arn:aws:sts::**********:assumed-role/####/USER1",
          "arn:aws:sts::**********:assumed-role/####/USER2",
          "arn:aws:sts::**********:assumed-role/####/USER3",
          "arn:aws:sts::**********:assumed-role/####/USER4"
        ]
      }
    },
    "Action": "secretsmanager:*",
    "Resource": "arn:aws:secretsmanager:us-west-2:*******:secret:/*"
  }]
}
When I check it using the New Policy wizard, I don't see any error. But when I put it in the Resource Policy area for Secrets Manager, it always complains: "This Resource policy contains a syntax error".
Other than the fact that "AWS UI and error messages aren't always helpful", could anyone help me understand why this is an issue?
You're required to have one of Principal and NotPrincipal in your resource-based policy. Try using Principal with Allow, or NotPrincipal with Deny.
Also, since you are using a resource-based policy, the Resource automatically and implicitly becomes the secret with your policy. (So you can safely use '*' there)
Principal with Allow:
 {
     "Version": "2012-10-17",
     "Statement": [{
         "Sid": "policyForSomething",
         "Effect": "Allow",
         "Principal": {
             "AWS": [
                 "arn:aws:sts::**********:assumed-role/####/USERG",
                 "arn:aws:sts::**********:assumed-role/####/USER1",
                 "arn:aws:sts::**********:assumed-role/####/USER2",
                 "arn:aws:sts::**********:assumed-role/####/USER3",
                 "arn:aws:sts::**********:assumed-role/####/USER4"
             ]
         },
         "Action": "secretsmanager:*",
         "Resource": "*"
     }]
 }
NotPrincipal with Deny:
 {
     "Version": "2012-10-17",
     "Statement": [{
         "Sid": "policyForSomething",
         "Effect": "Deny",
         "NotPrincipal": {
             "AWS": [
                 "arn:aws:sts::**********:assumed-role/####/USERG",
                 "arn:aws:sts::**********:assumed-role/####/USER1",
                 "arn:aws:sts::**********:assumed-role/####/USER2",
                 "arn:aws:sts::**********:assumed-role/####/USER3",
                 "arn:aws:sts::**********:assumed-role/####/USER4"
             ]
         },
         "Action": "secretsmanager:*",
         "Resource": "*"
     }]
 }
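As an added example (not part of the answer above), the following Python lints a resource policy for the missing-Principal error the questioner hit and rewrites a Deny statement that keys on `aws:PrincipalArn` into the NotPrincipal-with-Deny form shown above; the account id and role name in the sample are constructed placeholders.

```python
import copy

# Constructed sample mirroring the question: a Deny statement that relies on a
# Condition instead of a Principal. Account id and role name are placeholders.
ALLOWED_SESSIONS = [
    "arn:aws:sts::111122223333:assumed-role/ExampleRole/USER1",
    "arn:aws:sts::111122223333:assumed-role/ExampleRole/USER2",
]
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "policyForSomething",
        "Effect": "Deny",
        "Condition": {"StringNotEquals": {"aws:PrincipalArn": ALLOWED_SESSIONS}},
        "Action": "secretsmanager:*",
        "Resource": "*",
    }],
}

def lint_resource_policy(policy):
    """Return findings for statements a resource-based policy would reject."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        sid = stmt.get("Sid", f"Statement[{i}]")
        has_p, has_np = "Principal" in stmt, "NotPrincipal" in stmt
        if not (has_p or has_np):
            findings.append(f"{sid}: resource-based statement needs Principal or NotPrincipal")
        elif has_p and has_np:
            findings.append(f"{sid}: Principal and NotPrincipal cannot both be present")
        if has_np and stmt.get("Effect") == "Allow":
            findings.append(f"{sid}: NotPrincipal with Allow grants every principal not listed")
    return findings

def deny_condition_to_not_principal(policy):
    """Move Deny + StringNotEquals on aws:PrincipalArn into NotPrincipal.
    Returns a new policy; the input is left untouched."""
    fixed = copy.deepcopy(policy)
    for stmt in fixed.get("Statement", []):
        cond = stmt.get("Condition", {})
        arns = cond.get("StringNotEquals", {}).get("aws:PrincipalArn")
        if stmt.get("Effect") != "Deny" or not arns or "Principal" in stmt or "NotPrincipal" in stmt:
            continue
        # Note: this Deny also hits the account root and the role itself unless they are listed.
        stmt["NotPrincipal"] = {"AWS": list(arns) if isinstance(arns, list) else [arns]}
        del cond["StringNotEquals"]["aws:PrincipalArn"]  # keep any other condition keys
        if not cond["StringNotEquals"]:
            del cond["StringNotEquals"]
        if not cond:
            del stmt["Condition"]
    return fixed

if __name__ == "__main__":
    print(lint_resource_policy(BROKEN_POLICY))
    print(lint_resource_policy(deny_condition_to_not_principal(BROKEN_POLICY)))
```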