Which permissions are required to view/modify an AWS secretsmanager secret?


I'm trying to allow some users to modify some secrets on AWS SecretsManager that are encrypted by using a KMS key, but I'm receiving an error like:

An error occurred (AccessDeniedException) when calling the PutSecretValue operation: Access to KMS is not allowed

So... Which permissions are required to perform this action?


MagMax

Probably the policy is not complete and requires a permission such as kms:GenerateDataKey.

This is the policy required (read permissions separated from write permissions by an empty line):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SecretsManager",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetResourcePolicy",
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret",
                "secretsmanager:ListSecretVersionIds",

                "secretsmanager:PutSecretValue",
                "secretsmanager:CreateSecret",
                "secretsmanager:UpdateSecret",
                "secretsmanager:RestoreSecret",
                "secretsmanager:UpdateSecretVersionStage"
            ],
            "Resource": [
                "arn:aws:secretsmanager:::secret:example",
                "arn:aws:secretsmanager:::secret:example-*"
            ]
        },
        {
            "Sid": "KMS",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:DescribeKey",

                "kms:ReEncrypt*",
                "kms:Encrypt",
                "kms:GenerateDataKey",
                "kms:CreateGrant"
            ],
            "Resource": [
                "arn:aws:kms:::key/<redacted-key-id>",
                "arn:aws:kms:::alias/example"
            ]
        }
    ]
}
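As an added example (not part of the answer above, and not AWS tooling), the following script checks a candidate IAM policy document against the read and write action sets the answer enumerates, using the same case-insensitive wildcard matching IAM applies to Action strings. The sample policy is constructed to mirror the questioner's situation; kms:ReEncrypt* is expanded to the two concrete actions it covers.

```python
import fnmatch
import json

# Action sets taken from the answer above: read-only, and read plus write.
READ_ACTIONS = {
    "secretsmanager:GetResourcePolicy", "secretsmanager:GetSecretValue",
    "secretsmanager:DescribeSecret", "secretsmanager:ListSecretVersionIds",
    "kms:Decrypt", "kms:DescribeKey",
}
WRITE_ACTIONS = READ_ACTIONS | {
    "secretsmanager:PutSecretValue", "secretsmanager:CreateSecret",
    "secretsmanager:UpdateSecret", "secretsmanager:RestoreSecret",
    "secretsmanager:UpdateSecretVersionStage",
    "kms:ReEncryptFrom", "kms:ReEncryptTo",  # what "kms:ReEncrypt*" expands to
    "kms:Encrypt", "kms:GenerateDataKey", "kms:CreateGrant",
}


def allowed_actions(policy: dict) -> list[str]:
    """Flatten the Action element of every Allow statement (Deny is not modelled here)."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM accepts a single statement object
        statements = [statements]
    patterns: list[str] = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        patterns.extend([actions] if isinstance(actions, str) else actions)
    return patterns


def missing_actions(policy: dict, required: set[str]) -> list[str]:
    """Required actions that no Allow pattern matches; IAM action names are case-insensitive."""
    granted = [p.lower() for p in allowed_actions(policy)]
    return sorted(a for a in required
                  if not any(fnmatch.fnmatchcase(a.lower(), p) for p in granted))


# Constructed sample: full Secrets Manager rights but only read rights on the KMS key,
# the shape of policy that yields "Access to KMS is not allowed" on PutSecretValue.
INCOMPLETE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "secretsmanager:*",
     "Resource": "arn:aws:secretsmanager:::secret:example"},
    {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:DescribeKey"],
     "Resource": "arn:aws:kms:::key/<redacted-key-id>"}
  ]}""")

if __name__ == "__main__":
    print("read  missing:", missing_actions(INCOMPLETE_POLICY, READ_ACTIONS))
    print("write missing:", missing_actions(INCOMPLETE_POLICY, WRITE_ACTIONS))
```

Run it against a real policy document fetched with the AWS CLI (for example the JSON returned by `aws iam get-policy-version`) to see which write-path actions, typically the KMS ones, are still absent.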