After enabling the AWS Secrets Manager for admin password feature in CSB for AWS v1.13.1, newly created RDS MySQL service instances fail with KMSKeyNotAccessibleFault



Article ID: 387498


Products

VMware Tanzu Application Service for VMs

Issue/Introduction

The customer upgraded to CSB for AWS v1.13 and enabled the AWS Secrets Manager for admin password feature on an RDS MySQL plan. Creating a new MySQL service instance then fails with the error below.

Error: creating RDS DB Instance (csb-mysql-####): operation error RDS: CreateDBInstance, https response error StatusCode: 400, RequestID: ####, KMSKeyNotAccessibleFault: The specified KMS key [null] either doesn't exist, isn't enabled, or isn't accessible by the current user. Either specify a different key or access the key with a different user.

Cause

The IAM policy used by the broker is missing the KMS and Secrets Manager permissions that this feature requires. RDS cannot use the KMS key that Secrets Manager needs to encrypt the managed admin password, so CreateDBInstance is rejected with KMSKeyNotAccessibleFault.

The feature was introduced in CSB for AWS v1.13.0. The release note reads:
"Enabling AWS Secrets Manager for admin password on MySQL, PostgreSQL and MSSQL - newly introduced properties use_managed_admin_password and rotate_admin_password_after enable the admin password for the RDS to be generated and managed by AWS Secrets Manager, including automatic rotation."

Before enabling this feature, ensure that all IAM policies listed in the Prerequisites for Installing Cloud Service Broker for AWS documentation have been granted to the AWS account (IAM principal) the broker uses.


Resolution

To fix this issue, update the IAM policy attached to the AWS account (IAM principal) that the broker uses, in the AWS console, so that its Action list includes the following KMS and Secrets Manager actions:

```json
"Action": [
    "kms:GenerateDataKey",
    "kms:Encrypt",
    "kms:DescribeKey",
    "kms:Decrypt",
    "kms:CreateGrant",
    "kms:RevokeGrant",
    "secretsmanager:CancelRotateSecret",
    "secretsmanager:CreateSecret",
    "secretsmanager:DeleteSecret",
    "secretsmanager:DescribeSecret",
    "secretsmanager:GetSecretValue",
    "secretsmanager:PutSecretValue",
    "secretsmanager:RotateSecret",
    "secretsmanager:TagResource",
    "secretsmanager:UpdateSecret",
    "secretsmanager:UntagResource"
]
```

Once the permissions are in place, retry creating the MySQL service instance.
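A quick way to confirm that a broker policy document actually covers the list above before enabling the feature is to diff the required actions against the policy's Allow and Deny statements. The script below is an added example written for this article; it is not part of CSB for AWS or of the AWS SDK. It reads a standard IAM policy JSON document (the two embedded policies are constructed samples: one "before" policy that only grants RDS plus a couple of KMS actions, and one "after" policy with the full list) and reports which required actions are not granted. It honours IAM's `*` and `?` wildcards in action names and treats an explicit Deny as overriding an Allow, but it does not evaluate NotAction, Resource scoping, Conditions, SCPs or permission boundaries, so treat a clean result as a necessary check, not a proof; `aws iam simulate-principal-policy` against the real principal remains the authoritative test.

```python
"""Static pre-check: does an IAM policy document grant the KMS/Secrets Manager
actions that the CSB for AWS managed-admin-password feature requires?

Added example for this article, not broker or AWS code.  Usage:
    python check_csb_policy.py [policy.json]
With no argument the embedded sample policies are checked.
"""
import fnmatch
import json
import sys

# Actions from the Resolution section of this article.
REQUIRED_ACTIONS = [
    "kms:GenerateDataKey", "kms:Encrypt", "kms:DescribeKey", "kms:Decrypt",
    "kms:CreateGrant", "kms:RevokeGrant",
    "secretsmanager:CancelRotateSecret", "secretsmanager:CreateSecret",
    "secretsmanager:DeleteSecret", "secretsmanager:DescribeSecret",
    "secretsmanager:GetSecretValue", "secretsmanager:PutSecretValue",
    "secretsmanager:RotateSecret", "secretsmanager:TagResource",
    "secretsmanager:UpdateSecret", "secretsmanager:UntagResource",
]

# Constructed sample: a broker policy from before the feature was enabled.
BROKER_POLICY_BEFORE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "rds:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:DescribeKey"],
         "Resource": "*"},
    ],
}

# Constructed sample: the same policy with the actions from this article added.
BROKER_POLICY_AFTER = {
    "Version": "2012-10-17",
    "Statement": BROKER_POLICY_BEFORE["Statement"] + [
        {"Effect": "Allow", "Action": list(REQUIRED_ACTIONS), "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM allows Statement/Action to be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_patterns(policy):
    """Split a policy into (allow_patterns, deny_patterns) from its Action keys.
    NotAction is deliberately not interpreted; see the module docstring."""
    allow, deny = [], []
    for stmt in _as_list(policy.get("Statement")):
        bucket = allow if stmt.get("Effect") == "Allow" else deny
        bucket.extend(_as_list(stmt.get("Action")))
    return allow, deny


def _matches(action, patterns):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    action = action.lower()
    return any(fnmatch.fnmatchcase(action, p.lower()) for p in patterns)


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Required actions that are not allowed, or are explicitly denied."""
    allow, deny = action_patterns(policy)
    return [a for a in required if not _matches(a, allow) or _matches(a, deny)]


def report(policy, label):
    missing = missing_actions(policy)
    if missing:
        print(f"{label}: {len(missing)} required action(s) missing:")
        for action in missing:
            print(f"  - {action}")
    else:
        print(f"{label}: all required actions are allowed")
    return missing


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            report(json.load(fh), sys.argv[1])
    else:
        report(BROKER_POLICY_BEFORE, "before")
        report(BROKER_POLICY_AFTER, "after")
```

Run it against the policy document exported from the console (or from `aws iam get-policy-version`) and fix every action it lists; a Deny anywhere in the attached policies will also surface here, which is the usual reason an apparently complete Allow list still yields KMSKeyNotAccessibleFault.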

Additional Information

Related discussion of the same "specified KMS key [null]" error on AWS re:Post: https://repost.aws/questions/QUW-U5CWKaQGOgmxIY9Q-Npw/the-specified-kms-key-null-either-doesn-t-exist