QloudX Staging

Sharing Secrets in Secrets Manager with Other AWS Accounts


Say you have a secret stored in AWS Secrets Manager in Account A & you need to make this secret available for use by an IAM user in Account B. The secret could be anything you want to keep hidden, like database credentials, API keys, etc. This article explains the steps involved in allowing cross-account access to that secret.

This can be achieved in 3 steps. First, we let the user access the secret by attaching a policy to the IAM user. But since the secret is encrypted, the user also needs permission to decrypt it. We’ll include this in the policy as well. Next, we attach a policy to the CMK to allow the user to decrypt the secret using it. Then we attach a policy to the secret itself to let the user fetch it across accounts. Note that this requires the secret to be encrypted with a customer managed key (CMK): the default AWS managed key, aws/secretsmanager, cannot be used from another account.


Start by attaching an inline policy to the user in Account B:


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "ARN of the Secret in Account A"
        },
        {
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": "ARN of the CMK in Account A"
        }
    ]
}


Next, edit the CMK’s policy & add a statement to it:


{
    "Effect": "Allow",
    "Principal": {
        "AWS": "ARN of the IAM User in Account B"
    },
    "Action": [
        "kms:Decrypt",
        "kms:DescribeKey"
    ],
    "Resource": "ARN of this CMK"
}


Finally, add this policy to the secret in Account A:


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "ARN of the IAM User in Account B"
            },
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "*"
        }
    ]
}


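That’s all! The user should now be able to fetch the secret. You can test this via the AWS CLI using “aws secretsmanager get-secret-value”, run with the Account B user’s credentials. Because the secret lives in another account, pass its full ARN (not just its name) as --secret-id.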
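A missing grant in any one of the three steps makes the call fail with an access-denied error, so it helps to check the policy documents before testing. The following is an added example, not code from the original article: a simplified offline check that reports which grant is absent. The ARNs, account IDs and function names are constructed placeholders.

```python
# Simplified matcher: exact ARNs or "*" only; no Deny, Condition or wildcard logic.
# Constructed placeholder ARNs (not from the article).
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:111111111111:secret:db-creds-AbCdEf"
KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-000000000000"
USER_ARN = "arn:aws:iam::222222222222:user/app-user"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _allows(statements, action, resource=None, principal=None):
    """True if an Allow statement grants `action` on `resource` and/or to `principal`."""
    for st in statements:
        if st.get("Effect") != "Allow" or action not in _as_list(st.get("Action", [])):
            continue
        if resource and not {resource, "*"} & set(_as_list(st.get("Resource", []))):
            continue
        who = st.get("Principal")
        if principal and not (isinstance(who, dict) and principal in _as_list(who.get("AWS", []))):
            continue
        return True
    return False

def missing_grants(user_stmts, key_stmts, secret_stmts):
    """Return the grants from the three steps that are absent (empty list = complete)."""
    checks = [
        ("user policy: secretsmanager:GetSecretValue on the secret",
         _allows(user_stmts, "secretsmanager:GetSecretValue", resource=SECRET_ARN)),
        ("user policy: kms:Decrypt on the CMK",
         _allows(user_stmts, "kms:Decrypt", resource=KEY_ARN)),
        ("CMK policy: kms:Decrypt for the user",
         _allows(key_stmts, "kms:Decrypt", principal=USER_ARN)),
        ("secret policy: secretsmanager:GetSecretValue for the user",
         _allows(secret_stmts, "secretsmanager:GetSecretValue", principal=USER_ARN)),
    ]
    return [name for name, ok in checks if not ok]

# The article's three policies with the placeholder ARNs filled in.
USER_STMTS = [
    {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": SECRET_ARN},
    {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KEY_ARN},
]
KEY_STMTS = [{"Effect": "Allow", "Principal": {"AWS": USER_ARN},
              "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": KEY_ARN}]
SECRET_STMTS = [{"Effect": "Allow", "Principal": {"AWS": USER_ARN},
                 "Action": "secretsmanager:GetSecretValue", "Resource": "*"}]
```

Calling `missing_grants(USER_STMTS, [], SECRET_STMTS)` returns the CMK entry, which is the case where the key policy step was skipped.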

Harish KM is a Cloud Evangelist & a Full Stack Engineer at QloudX. He is very passionate about cloud-native solutions & using the best tools for his projects. With 10+ Cloud & IT certifications, he is an expert in a multitude of application languages & is up to date with all new offerings & services from cloud providers, especially AWS.
