Description
In our environment we have seen an access denied error using the IAM policy provided by this repo for the external secrets operator:
│ error getting all secrets: AccessDeniedException: User: arn:aws:sts::<ACCOUNT_ID>:assumed-role/external-secrets-<ELIDED>/external-secrets-provider-aws is not authorized │
│ to perform: secretsmanager:BatchGetSecretValue because no identity-based policy allows the secretsmanager:BatchGetSecretValue action
When looking at the policy created by this module the BatchGetSecretValue entry is attached to the individual secrets whereas in the upstream documentation that part is applied with ListSecrets against *
While this can be worked around by variable manipulation I believe the default policy should be corrected by moving the BatchGetSecretValue to the same policy statement as ListSecrets as per the documentation.
- ✋ I have searched the open/closed issues and my issue is not listed.
Testing this requires multiple External Secret CRDs to trigger the batch get secret value behaviour, so the existing test module will not exercise that.
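As an added illustration (not code from this issue or from the module), a small Python check that models the two policy shapes the report describes and reports which wildcard-scoped actions a policy fails to grant. The policy documents, account id and secret ARNs are constructed placeholders; the evaluator handles only Allow statements with `*`/`?` wildcards and assumes, as the upstream documentation cited above implies, that BatchGetSecretValue is authorized against Resource `*` in the same way as ListSecrets.

```python
import fnmatch

# Constructed placeholder secret ARN pattern (not from the module or the issue).
SECRET_ARNS = ["arn:aws:secretsmanager:us-east-1:123456789012:secret:app/*"]

# Shape the issue reports: BatchGetSecretValue scoped to individual secrets.
BEFORE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret",
                    "secretsmanager:BatchGetSecretValue"],
         "Resource": SECRET_ARNS},
        {"Effect": "Allow", "Action": ["secretsmanager:ListSecrets"], "Resource": "*"},
    ],
}

# Shape the issue proposes: BatchGetSecretValue moved next to ListSecrets on "*".
AFTER = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
         "Resource": SECRET_ARNS},
        {"Effect": "Allow",
         "Action": ["secretsmanager:ListSecrets", "secretsmanager:BatchGetSecretValue"],
         "Resource": "*"},
    ],
}

# Actions assumed (per the cited docs) to require a grant on Resource "*".
WILDCARD_ACTIONS = ["secretsmanager:ListSecrets", "secretsmanager:BatchGetSecretValue"]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allows(policy, action, resource):
    """Allow-only evaluator: True if some Allow statement matches both action and resource."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        resource_ok = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            return True
    return False


def audit(policy):
    """Return the wildcard-scoped actions the policy does not grant on Resource "*"."""
    return [a for a in WILDCARD_ACTIONS if not allows(policy, a, "*")]
```

Running `audit(BEFORE)` reports only BatchGetSecretValue as missing on `*`, while `audit(AFTER)` is empty and the per-secret GetSecretValue grant is unchanged.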