How can you securely grant cross-account access to a secret in Secrets Manager?


Multiple Choice

How can you securely grant cross-account access to a secret in Secrets Manager?

Explanation:
Cross-account access to a Secrets Manager secret is granted with AWS access controls, never by moving the secret. The secret stays in the owning account, and three policies have to agree. First, a resource-based policy on the secret explicitly allows the consuming account's principal (a specific role ARN, or the account root if you want to delegate to that account's own IAM) to perform the needed actions, such as secretsmanager:GetSecretValue and secretsmanager:DescribeSecret. Second, because the call crosses an account boundary, the principal in the consuming account also needs an identity-based policy that allows those actions on the secret's ARN; across accounts a resource policy alone is not enough. Third, the secret must be encrypted with a customer managed KMS key (the AWS managed key aws/secretsmanager cannot be used for cross-account access), and that key's policy must allow the consuming principal kms:Decrypt (and kms:DescribeKey; kms:GenerateDataKey only if the consumer is also allowed to write the secret), ideally restricted with a kms:ViaService condition so the key can be used only through Secrets Manager. The alternative pattern is to create an IAM role in the account that owns the secret, give that role the Secrets Manager and KMS permissions, and set its trust policy to allow the consuming account to assume it; the consumer then calls sts:AssumeRole and reads the secret with the temporary credentials. Both patterns keep a single copy of the secret, under central control and rotation, with every read logged in CloudTrail and permissions scoped to least privilege. Sharing the secret's ARN in plain text is not an access mechanism (an ARN is an identifier, not a credential), copying the secret into the other account breaks rotation and central control, and an S3 bucket policy has no bearing on Secrets Manager.
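The three policies described above, as an added example that is not part of the original page or of any AWS documentation. The account IDs, ARNs, region and role name are constructed placeholders. The small evaluator at the end is a deliberately simplified model of the cross-account rule (identity policy, resource policy and key policy must all allow, and any explicit Deny wins); it ignores conditions and is not a reimplementation of IAM, but it makes the "all legs must allow" point testable offline.

```python
"""Cross-account access to a Secrets Manager secret: the policies involved.

Added example, not code from the original page or from AWS. Every identifier
below is a constructed placeholder. The evaluator models only the rule that
identity policy AND resource policy AND key policy must all allow (no Deny);
it does not evaluate conditions such as kms:ViaService.
"""
import json
from fnmatch import fnmatchcase

REGION = "us-east-1"
OWNER_ACCOUNT = "111111111111"       # owns the secret and the KMS key (placeholder)
CONSUMER_ACCOUNT = "222222222222"    # account whose role reads the secret (placeholder)
SECRET_ARN = f"arn:aws:secretsmanager:{REGION}:{OWNER_ACCOUNT}:secret:prod/db-creds-AbCdEf"
KEY_ARN = f"arn:aws:kms:{REGION}:{OWNER_ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
CONSUMER_ROLE_ARN = f"arn:aws:iam::{CONSUMER_ACCOUNT}:role/app-reader"


def secret_resource_policy(principal_arn: str) -> dict:
    """Resource-based policy on the secret (owner account). Resource "*" means this secret."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowConsumerRead",
        "Effect": "Allow",
        "Principal": {"AWS": principal_arn},
        "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
        "Resource": "*"}]}


def kms_key_policy_statement(principal_arn: str, region: str = REGION) -> dict:
    """Statement to merge into the customer managed key's policy (owner account).
    kms:ViaService limits the grant to calls made through Secrets Manager."""
    return {
        "Sid": "AllowConsumerDecryptViaSecretsManager",
        "Effect": "Allow",
        "Principal": {"AWS": principal_arn},
        "Action": ["kms:Decrypt", "kms:DescribeKey"],
        "Resource": "*",
        "Condition": {"StringEquals": {"kms:ViaService": f"secretsmanager.{region}.amazonaws.com"}}}


def consumer_identity_policy(secret_arn: str, key_arn: str) -> dict:
    """Identity policy on the consumer role; required in addition to the resource policy."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": secret_arn},
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": key_arn}]}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _principal_matches(stmt: dict, principal_arn: str) -> bool:
    """Match Principal.AWS against the caller: exact ARN, bare account, account root, or '*'."""
    principal = stmt.get("Principal", "*")
    if principal == "*":
        return True
    account = principal_arn.split(":")[4]
    return any(p in ("*", principal_arn, account, f"arn:aws:iam::{account}:root")
               for p in _as_list(principal.get("AWS", [])))


def _decision(statements, action, resource, principal_arn=None) -> str:
    """'Deny' if any Deny matches, 'Allow' if any Allow matches, else 'Implicit'."""
    result = "Implicit"
    for stmt in statements:
        if principal_arn is not None and not _principal_matches(stmt, principal_arn):
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        result = "Allow"
    return result


def can_read_secret(principal_arn, identity_policy, resource_policy, key_policy_statements,
                    secret_arn=SECRET_ARN, key_arn=KEY_ARN) -> dict:
    """Simplified cross-account check: every leg must come back 'Allow'."""
    checks = {
        "identity_secret": _decision(identity_policy["Statement"],
                                     "secretsmanager:GetSecretValue", secret_arn),
        "identity_kms": _decision(identity_policy["Statement"], "kms:Decrypt", key_arn),
        "resource_policy": _decision(resource_policy["Statement"],
                                     "secretsmanager:GetSecretValue", secret_arn, principal_arn),
        "key_policy": _decision(key_policy_statements, "kms:Decrypt", key_arn, principal_arn),
    }
    checks["allowed"] = all(v == "Allow" for v in checks.values())
    return checks


if __name__ == "__main__":
    # Print the documents to paste into the CLI or IaC; then show the evaluator's verdict.
    print(json.dumps(secret_resource_policy(CONSUMER_ROLE_ARN), indent=2))
    print(json.dumps(kms_key_policy_statement(CONSUMER_ROLE_ARN), indent=2))
    print(json.dumps(consumer_identity_policy(SECRET_ARN, KEY_ARN), indent=2))
    print(can_read_secret(CONSUMER_ROLE_ARN,
                          consumer_identity_policy(SECRET_ARN, KEY_ARN),
                          secret_resource_policy(CONSUMER_ROLE_ARN),
                          [kms_key_policy_statement(CONSUMER_ROLE_ARN)]))
```

The secret policy is applied with `aws secretsmanager put-resource-policy --secret-id <id> --resource-policy file://secret-policy.json`. For the key, `aws kms put-key-policy --key-id <id> --policy-name default --policy file://key-policy.json` replaces the whole key policy, so merge the generated statement into the existing policy (keep the owner account's root statement) before applying it. Dropping any one leg, as the evaluator shows, leaves the consumer with an AccessDenied even though the other two look correct.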
