Conversation

@bdellegrazie
@bdellegrazie bdellegrazie commented Oct 3, 2025

What does this PR do?

This fixes external-secrets' use of BatchGetSecretValue by correcting the IAM policy in accordance with the external-secrets documentation and AWS docs.

IAM permission secretsmanager:BatchGetSecretValue should be against resource * rather than the individual secret.

Motivation

More

  • Yes, I have tested the PR using my local account setup (Provide any test evidence report under Additional Notes)
  • Yes, I ran pre-commit run -a with this PR

For Moderators

  • E2E Test successfully complete before merge?

In accordance with the external-secrets documentation here:
https://external-secrets.io/v0.20.1/provider/aws-secrets-manager/#iam-policy
and AWS docs here:
https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_iam-policies.html#auth-and-access_examples_batch
secretsmanager:BatchGetSecretValue should be against resource "*" rather
than the individual secret.

closes aws-ia#475
@bdellegrazie bdellegrazie requested a review from a team as a code owner October 3, 2025 07:02
@bdellegrazie bdellegrazie changed the title fix: correct IAM policy BatchGetSecretValue in external secrets Correct IAM policy BatchGetSecretValue in external secrets Oct 3, 2025
@bdellegrazie bdellegrazie changed the title Correct IAM policy BatchGetSecretValue in external secrets fix: Correct IAM policy BatchGetSecretValue in external secrets Oct 3, 2025
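The policy change the PR describes, shown as an added example that is not part of the PR, the aws-ia module's Terraform, or the external-secrets project: the "before" document with BatchGetSecretValue bound to the individual secret ARN, the "after" document with the per-secret read actions on the ARN and BatchGetSecretValue on "*", and a small check that flags either mis-placement. The ARN, the statement Sids and the check function itself are constructed for illustration; the action list follows the external-secrets IAM policy documentation linked in the PR.

```python
import json

# Constructed placeholder ARN; not taken from the PR or the aws-ia module.
EXAMPLE_SECRET_ARN = "arn:aws:secretsmanager:us-east-1:111122223333:secret:example-AbCdEf"

BATCH_ACTION = "secretsmanager:BatchGetSecretValue"
# Per-secret read actions from the external-secrets documented IAM policy.
PER_SECRET_ACTIONS = [
    "secretsmanager:GetResourcePolicy",
    "secretsmanager:GetSecretValue",
    "secretsmanager:DescribeSecret",
    "secretsmanager:ListSecretVersionIds",
]


def policy_before_fix(secret_arns):
    """Shape the PR moves away from: BatchGetSecretValue bound to the
    individual secret ARNs alongside the per-secret read actions."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": PER_SECRET_ACTIONS + [BATCH_ACTION],
                "Resource": list(secret_arns),
            }
        ],
    }


def policy_after_fix(secret_arns):
    """Shape the PR moves to: per-secret read actions stay bound to the
    secret ARNs, BatchGetSecretValue gets its own statement on '*'."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadIndividualSecrets",  # constructed Sid
                "Effect": "Allow",
                "Action": list(PER_SECRET_ACTIONS),
                "Resource": list(secret_arns),
            },
            {
                "Sid": "BatchGetSecretValue",  # constructed Sid
                "Effect": "Allow",
                "Action": BATCH_ACTION,
                "Resource": "*",
            },
        ],
    }


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def check_batch_get_placement(policy):
    """Return a list of findings (hypothetical check, not an AWS API).
    Empty list means BatchGetSecretValue is granted on '*' and no other
    secretsmanager action rides on that wildcard grant."""
    findings = []
    batch_on_wildcard = False
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        has_batch = BATCH_ACTION in actions
        wildcard = "*" in resources
        if has_batch and not wildcard:
            findings.append(
                f"statement {idx}: {BATCH_ACTION} bound to {resources}; "
                "this action needs an Allow on resource '*'"
            )
        if has_batch and wildcard:
            batch_on_wildcard = True
        if wildcard:
            # Least privilege: only the batch action should be granted on '*';
            # GetSecretValue and friends stay scoped to the specific secrets.
            too_broad = [a for a in actions
                         if a.startswith("secretsmanager:") and a != BATCH_ACTION]
            if too_broad:
                findings.append(
                    f"statement {idx}: {too_broad} granted on '*' "
                    "instead of specific secret ARNs"
                )
    if not batch_on_wildcard:
        findings.append(f"no Allow statement grants {BATCH_ACTION} on resource '*'")
    return findings


if __name__ == "__main__":
    for name, pol in (("before", policy_before_fix([EXAMPLE_SECRET_ARN])),
                      ("after", policy_after_fix([EXAMPLE_SECRET_ARN]))):
        print(name, check_batch_get_placement(pol) or "OK")
        print(json.dumps(pol, indent=2))
```

Running the block prints two findings for the "before" document (the batch action bound to the ARN, and no wildcard grant for it) and "OK" for the "after" document. The second check in the loop is the counterpart caveat: moving every action to "*" would also silence the first finding, but at the cost of read access to every secret in the account, so the check reports that separately.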
@github-actions
github-actions bot commented Nov 3, 2025

This PR has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this PR will be closed in 10 days

@github-actions github-actions bot added the stale label Nov 3, 2025
@bdellegrazie
Author

Not stale!

@github-actions github-actions bot removed the stale label Nov 4, 2025
Development

Successfully merging this pull request may close these issues.

external-secrets IAM policy puts BatchGetSecretValue in wrong location