GetSecretValueCommand does not respect ARN Region

[deesejohn]

Checkboxes for prior research

• I've gone through Developer Guide and API reference
• I've checked AWS Forums and StackOverflow.
• I've searched for previous similar issues and didn't find any solution.

Describe the bug

GetSecretValueCommand does not respect the region from the ARN provided to the SecretId parameter. It appears to only respect the client's set region.

Regression Issue

• Select this option if this issue appears to be a regression.

SDK version number

@aws-sdk/client-secrets-manager@3.828.0

Which JavaScript Runtime is this issue in?

Node.js

Details of the browser/Node.js/ReactNative version

lambda runtime nodejs20.x

Reproduction Steps

1. Create a secret in Account A, Region us-west-2
2. Create an IAM policy allowing Acount B to access to the secret in Account A
3. Create a lambda in Account B, Region us-east-1 that retrieves the secret from Account A

// The following Example fails
const secretsClient = new SecretsManagerClient({
  region: 'us-east-1',
});
const response = secretsClient.send(
  new GetSecretValueCommand({
    SecretId: `arn:aws:secretsmanager:us-west-2:${ACCOUNT_ID}:secret:/example`
  }),
);

// The following Example works
const secretsClient = new SecretsManagerClient({
  region: 'us-west-2',
});
const response = secretsClient.send(
  new GetSecretValueCommand({
    SecretId: `arn:aws:secretsmanager:us-west-2:${ACCOUNT_ID}:secret:/example`
  }),
);

Observed Behavior

AccessDeniedException: User: arn:aws:sts::$ACCOUNT_ID:assumed-role/example is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:us-west-2:$ACCOUNT_ID:secret:/example because no resource-based policy allows the secretsmanager:GetSecretValue action

Expected Behavior

The secret value is returned

Possible Solution

No response

Additional Information/Context

No response

[aBurmeseDev]

Hi @deesejohn - thanks for checking in.

GetSecretValueCommand does not respect the region from the ARN provided to the SecretId parameter.

Are you trying to retrieve secret from another account in different region? You should be able to do that using ARN but looking at the error, you might need to double check/update IAM policy.

Here's what you need to do: create a policy to allow the action AssumeRole in IAM, attach the policy to your IAM user, update the trust policy for the role to include your IAM user.

[deesejohn]

@aBurmeseDev I have updated the "Reproduction Steps" for clarity.

Are you trying to retrieve secret from another account in different region?

Yes, and it isn't an IAM policy issue. If I change the client's region to match the region from the ARN, then everything works. If I use a different default region in the client, then pass an ARN to GetSecretValueCommand, the region from the ARN is does not factor into the resulting AWS api call. Instead, it uses the region set at the client. Is this intended?

[aBurmeseDev]

Yes here's order of precedence for region for your reference: https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/setting-region.html#setting-region-order-of-precedence

[deesejohn]

Thank you for the documentation, I didn't realize that the ARN's region wouldn't be considered, that is my misunderstanding. Thank you for the help.

[github-actions]

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.

[github-actions]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.