
bdellegrazie

@bdellegrazie bdellegrazie commented Oct 3, 2025

What does this PR do?

This fixes external-secrets use of BatchGetSecretValue by correcting the IAM policy in accordance with the external-secrets documentation and AWS docs.

IAM permission secretsmanager:BatchGetSecretValue should be against resource * rather than the individual secret.

Motivation

More

  • Yes, I have tested the PR using my local account setup (Provide any test evidence report under Additional Notes)
  • Yes, I ran pre-commit run -a with this PR

For Moderators

  • E2E Test successfully complete before merge?

In accordance with the external-secrets documentation here:
https://external-secrets.io/v0.20.1/provider/aws-secrets-manager/#iam-policy
and AWS docs here:
https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_iam-policies.html#auth-and-access_examples_batch
secretsmanager:BatchGetSecretValue should be against resource "*" rather
than the individual secret.

closes aws-ia#475
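As an added illustration (not code from this PR or the aws-ia project), the two policy shapes the description contrasts, plus a small check that flags the pre-fix one; the ARN, account and the GetSecretValue/DescribeSecret statement are assumptions, not values from the PR:

```python
# Constructed sample ARN (placeholder account/region); not a value from the PR.
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:example-*"

# Pre-fix shape: BatchGetSecretValue scoped to the secret alongside the
# per-secret actions. BatchGetSecretValue is only evaluated against "*",
# so this grant never matches and the batch call is denied.
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["secretsmanager:GetSecretValue",
                   "secretsmanager:DescribeSecret",
                   "secretsmanager:BatchGetSecretValue"],
        "Resource": SECRET_ARN,
    }],
}

# Corrected shape: per-secret actions stay scoped to the secret ARN, and
# BatchGetSecretValue moves to its own statement on "*". The batch call still
# requires GetSecretValue on each secret it returns, so least privilege holds.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
         "Resource": SECRET_ARN},
        {"Effect": "Allow",
         "Action": "secretsmanager:BatchGetSecretValue",
         "Resource": "*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_policy(policy):
    """Return findings for the BatchGetSecretValue scoping rule (empty = OK)."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if "secretsmanager:BatchGetSecretValue" in actions and resources != ["*"]:
            findings.append(f"statement {i}: BatchGetSecretValue needs Resource '*', got {resources}")
        # Guard against "fixing" it by widening the per-secret actions to "*".
        if "secretsmanager:GetSecretValue" in actions and "*" in resources:
            findings.append(f"statement {i}: GetSecretValue must be scoped to secret ARNs, not '*'")
    return findings
```

Running `check_policy` over a rendered policy document in CI catches both the original misplacement and the tempting over-broad workaround.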
@bdellegrazie bdellegrazie requested a review from a team as a code owner October 3, 2025 07:02
@bdellegrazie bdellegrazie changed the title fix: correct IAM policy BatchGetSecretValue in external secrets Correct IAM policy BatchGetSecretValue in external secrets Oct 3, 2025
@bdellegrazie bdellegrazie changed the title Correct IAM policy BatchGetSecretValue in external secrets fix: Correct IAM policy BatchGetSecretValue in external secrets Oct 3, 2025
Development

Successfully merging this pull request may close these issues.

external-secrets IAM policy puts BatchGetSecretValue in wrong location