Troubleshooting general issues - AWS Secrets Manager

Troubleshooting general issues

Use the information here to help you diagnose and fix access-denied or other common issues that you might encounter when you're working with AWS Secrets Manager.

I receive an "access denied" message when I send a request to AWS Secrets Manager.

  • Verify that you have permissions to call the operation and resource you requested. An administrator must grant those permissions by attaching an IAM policy to your IAM user, or to a group that you're a member of. If the policy statements that grant the permissions include any conditions, such as time-of-day or IP address restrictions, you must also meet those conditions when you send the request. For information about viewing or modifying policies for an IAM user, group, or role, see Working with Policies in the IAM User Guide.

  • If you're signing API requests manually, without using the AWS SDKs, verify that you signed the request correctly.

I receive an "access denied" message when I send a request with temporary security credentials.

Changes I make aren't always immediately visible.

As a service accessed through computers in data centers around the world, AWS Secrets Manager uses a distributed computing model called eventual consistency. Any change that you make in Secrets Manager (or other AWS services) takes time to become visible from all possible endpoints. Some of the delay results from the time it takes to send the data from server to server, from replication zone to replication zone, and from region to region around the world. Secrets Manager also uses caching to improve performance, but in some cases this can add time. The change might not be visible until the previously cached data times out.

Design your global applications to account for these potential delays. Also, ensure that they work as expected, even when a change made in one location isn't instantly visible at another.
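One way to build that tolerance into a client, as an added example rather than AWS's own code: after writing a new secret version, poll DescribeSecret with exponential backoff until the new version carries the AWSCURRENT staging label, instead of assuming the write is visible everywhere at once. The `client` argument is assumed to be a boto3 Secrets Manager client or any object with the same `describe_secret` method; the `FakeSecretsManager` stand-in and its `STALE`/`FRESH` responses are constructed here so the example runs offline.

```python
import time


class StaleSecretError(RuntimeError):
    """Raised when the expected version never became AWSCURRENT in time."""


def version_is_current(describe_response, version_id):
    """True when version_id carries the AWSCURRENT staging label.

    DescribeSecret returns VersionIdsToStages as {version_id: [stages]}.
    """
    stages = describe_response.get("VersionIdsToStages", {})
    return "AWSCURRENT" in stages.get(version_id, [])


def wait_for_version(client, secret_id, version_id, attempts=5,
                     base_delay=0.5, sleep=time.sleep):
    """Poll DescribeSecret until version_id is AWSCURRENT.

    Backs off exponentially between polls (0.5s, 1s, 2s, ...) because an
    eventually consistent read may keep returning the old view for a while.
    Returns the number of polls it took; raises StaleSecretError otherwise.
    """
    for attempt in range(1, attempts + 1):
        resp = client.describe_secret(SecretId=secret_id)
        if version_is_current(resp, version_id):
            return attempt
        if attempt < attempts:
            sleep(base_delay * 2 ** (attempt - 1))
    raise StaleSecretError(f"{version_id} not AWSCURRENT after {attempts} polls")


class FakeSecretsManager:
    """Constructed stand-in: replays canned DescribeSecret responses in order,
    repeating the last one, so stale-then-fresh behaviour can be simulated."""

    def __init__(self, responses):
        self._responses = list(responses)
        self.calls = 0

    def describe_secret(self, SecretId):
        self.calls += 1
        return self._responses[min(self.calls - 1, len(self._responses) - 1)]


# Constructed sample responses: the old view still shows v-old as current.
STALE = {"Name": "prod/db", "VersionIdsToStages": {"v-old": ["AWSCURRENT"]}}
FRESH = {"Name": "prod/db",
         "VersionIdsToStages": {"v-old": ["AWSPREVIOUS"], "v-new": ["AWSCURRENT"]}}


def demo():
    """Simulate two stale reads followed by a fresh one; no real sleeping."""
    client = FakeSecretsManager([STALE, STALE, FRESH])
    return wait_for_version(client, "prod/db", "v-new", sleep=lambda s: None)


if __name__ == "__main__":
    print("new version visible after", demo(), "polls")
```

With a real boto3 client, pass the `VersionId` returned by PutSecretValue as `version_id` and leave `sleep` at its default.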

For more information about how some other AWS services are affected by this, consult the following resources:

I receive a "cannot generate a data key with an asymmetric CMK" message when creating a secret.

Verify that the key you specified is a symmetric customer master key (CMK), not an asymmetric one. Secrets Manager uses the symmetric CMK associated with a secret to generate a data key for each secret value, and uses the same CMK to decrypt that data key when it needs to decrypt the encrypted secret value. You can track these requests and responses in AWS CloudTrail events, Amazon CloudWatch Logs, and audit trails. Asymmetric CMKs cannot be used for this purpose at this time.