How do I fix AWS Secrets Manager access issues with a custom IAM role in Spacelift worker pools?

Last updated: September 15, 2025

Context

When you deploy a Spacelift worker pool to AWS with a custom IAM role (create_iam_role = false), the workers may fail to start because the role cannot read the pool's secrets in AWS Secrets Manager. The symptom is an AccessDeniedException from the GetSecretValue call, with a message stating that the worker's assumed role is not authorized to perform secretsmanager:GetSecretValue on the secret.

Answer

When using a custom IAM role for your Spacelift worker pool, you need to manually grant the necessary permissions to access secrets in AWS Secrets Manager. Here's how to resolve this issue:

  1. Ensure your custom IAM role has:

    • Read access (secretsmanager:GetSecretValue) to the specific secrets in AWS Secrets Manager that the worker pool uses

    • kms:Decrypt on the key if the secrets are encrypted with a customer-managed KMS key (the AWS-managed aws/secretsmanager key needs no extra grant); add it as a second statement alongside the one below

  2. Add the following statement to your custom IAM role's policy (the sp5ft- prefix matches the names of the secrets the worker pool module creates; replacing the region and account wildcards with your own values narrows the grant further):

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "secretsmanager:GetSecretValue",
                "Resource": "arn:aws:secretsmanager:*:*:secret:sp5ft-*"
            }
        ]
    }

When configuring the worker pool module, ensure you have the following settings:

create_iam_role = false
custom_iam_role_name = "your-custom-role-name"
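A complete Terraform configuration that ties these steps together, added here as an illustration rather than taken from the Spacelift module repository or its examples. It assumes the module source spacelift-io/spacelift-workerpool-on-ec2/aws and its secure_env_vars, security_groups and vpc_subnets inputs; the variable secrets_kms_key_arn and the resource names are my own, and the networking values are placeholders you must replace with your own per the module docs. The secrets statement is scoped to the current account and region instead of wildcards, and the kms:Decrypt statement is only emitted when a customer-managed key is configured, restricted with kms:ViaService so the key can be used only through Secrets Manager.

```hcl
# Added example, not code from the Spacelift module repository.
# Assumes the module source and input names shown; networking values are placeholders.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# Hypothetical variable: set to your customer-managed key ARN, or leave null when
# the secrets use the AWS-managed aws/secretsmanager key (no extra grant needed).
variable "secrets_kms_key_arn" {
  type    = string
  default = null
}

variable "worker_pool_token" {
  type      = string
  sensitive = true
}

variable "worker_pool_private_key" {
  type      = string
  sensitive = true
}

# Trust policy so EC2 workers can assume the role.
data "aws_iam_policy_document" "ec2_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "worker" {
  name               = "spacelift-worker-pool-custom"
  assume_role_policy = data.aws_iam_policy_document.ec2_assume.json
}

# Least-privilege read of the pool's secrets: this account and region only, and
# only secrets with the sp5ft- prefix the worker pool module uses.
data "aws_iam_policy_document" "worker_secrets" {
  statement {
    sid       = "ReadWorkerPoolSecrets"
    actions   = ["secretsmanager:GetSecretValue"]
    resources = ["arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:sp5ft-*"]
  }

  # Emitted only when a customer-managed key is in use. kms:ViaService limits the
  # decrypt permission to calls made on the worker's behalf by Secrets Manager.
  dynamic "statement" {
    for_each = var.secrets_kms_key_arn == null ? [] : [var.secrets_kms_key_arn]
    content {
      sid       = "DecryptWorkerPoolSecrets"
      actions   = ["kms:Decrypt"]
      resources = [statement.value]
      condition {
        test     = "StringEquals"
        variable = "kms:ViaService"
        values   = ["secretsmanager.${data.aws_region.current.name}.amazonaws.com"]
      }
    }
  }
}

resource "aws_iam_role_policy" "worker_secrets" {
  name   = "worker-pool-secrets"
  role   = aws_iam_role.worker.id
  policy = data.aws_iam_policy_document.worker_secrets.json
}

module "worker_pool" {
  source = "spacelift-io/spacelift-workerpool-on-ec2/aws"

  # Hand the module the role created above instead of letting it create one.
  create_iam_role      = false
  custom_iam_role_name = aws_iam_role.worker.name

  # The module stores these in Secrets Manager; the policy above is what lets
  # the workers read them back at boot.
  secure_env_vars = {
    SPACELIFT_TOKEN            = var.worker_pool_token
    SPACELIFT_POOL_PRIVATE_KEY = var.worker_pool_private_key
  }

  # Placeholders: replace with your own subnet and security group IDs.
  security_groups = ["sg-0123456789abcdef0"]
  vpc_subnets     = ["subnet-0123456789abcdef0"]
}
```

This covers only the Secrets Manager access the question is about. Any other permissions the module's own example role attaches (for instance SSM access for the instances) still need to be granted to the custom role separately, and if the workers keep failing after this policy is in place, check whether the secret's KMS key is a customer-managed key whose key policy must also allow the role.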

Source: Spacelift EC2 Worker Pool Custom IAM Role Example