Grant Secrets Hub permissions when using custom encryption key

This topic describes how to grant Secrets Hub permissions to sync secrets in AWS Secrets Manager when you use a custom encryption key to encrypt your secrets in AWS Key Management Service (KMS).

This only applies to custom encryption keys, not to AWS default encryption keys.

If you are using custom encryption keys for secrets stored on the AWS Secrets Manager target, you need to give Secrets Hub access to these keys in order to regularly update these secrets from PAM.

For each custom encryption key that is used for a secret that is synced by Secrets Hub, do the following:
Add the Secrets Hub IAM role to the KMS user under your regional KMS - KMS > Custom managed keys > [specific key] > Key users - and grant it the GenerateDataKey permission. For details, see AWS documentation.