Attach a permissions policy to an Amazon Secrets Manager secret - Amazon Secrets Manager
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Attach a permissions policy to an Amazon Secrets Manager secret

In a resource-based policy, you specify who can access the secret and the actions they can perform on the secret. You can use resource-based policies to:

  • Grant access to a single secret to multiple users and roles.

  • Grant access to users or roles in other Amazon accounts.

See Permissions policy examples for Amazon Secrets Manager.

When you attach a resource-based policy to a secret in the console, Secrets Manager uses the automated reasoning engine Zelkova and the ValidateResourcePolicy API to prevent you from granting a wide range of IAM principals access to your secrets. Alternatively, from the CLI or an SDK, call PutResourcePolicy with the BlockPublicPolicy parameter, which makes Secrets Manager reject a policy that grants broad access to the secret.

To view, change, or delete the resource policy for a secret (console)
  1. Open the Secrets Manager console at https://console.amazonaws.cn/secretsmanager/.

  2. From the list of secrets, choose your secret.

  3. On the secret details page, on the Overview tab, in the Resource permissions section, choose Edit permissions.

  4. In the code field, do one of the following, and then choose Save:

    • To attach or modify a resource policy, enter the policy.

    • To delete the policy, clear the code field.

Amazon CLI

Example Retrieve a resource policy

The following get-resource-policy example retrieves the resource-based policy attached to a secret.

aws secretsmanager get-resource-policy \
    --secret-id MyTestSecret

Example Delete a resource policy

The following delete-resource-policy example deletes the resource-based policy attached to a secret.

aws secretsmanager delete-resource-policy \
    --secret-id MyTestSecret

Example Add a resource policy

The following put-resource-policy example adds a permissions policy to a secret, checking first that the policy does not provide broad access to the secret. The policy is read from a file. For more information, see Loading Amazon CLI parameters from a file in the Amazon CLI User Guide.

aws secretsmanager put-resource-policy \
    --secret-id MyTestSecret \
    --resource-policy file://mypolicy.json \
    --block-public-policy

Contents of mypolicy.json:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:role/MyRole"
            },
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "*"
        }
    ]
}

Amazon SDK

To retrieve the policy attached to a secret, use GetResourcePolicy.

To delete a policy attached to a secret, use DeleteResourcePolicy.

To attach a policy to a secret, use PutResourcePolicy. If a policy is already attached, the call replaces it with the new policy, so to add a grant you must retrieve the existing policy, add your statement to it, and write the whole document back. The policy must be formatted as JSON structured text. See JSON policy document structure. Use the Permissions policy examples for Amazon Secrets Manager to get started writing your policy.
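The following Python is an added worked example, not code from the Secrets Manager documentation or SDKs. It ties the CLI and SDK steps on this page together: a local pre-check for the wildcard-principal mistake that BlockPublicPolicy exists to catch, a read-merge-write helper for the fact that PutResourcePolicy replaces the whole policy, and a function that performs the GetResourcePolicy / PutResourcePolicy round trip with BlockPublicPolicy set. Assumptions not taken from the page: boto3 is installed and credentials are configured for add_grant(); the sample policies, the Sids, the role name PartnerReader and the second account ID 210987654321 are constructed for the example (the MyRole ARN is the one shown above).

```python
"""Pre-flight helpers for a Secrets Manager resource policy (added example; not
AWS documentation code). Everything except add_grant() runs offline."""
import json
from typing import Any, Dict, List, Optional

Policy = Dict[str, Any]

# Constructed sample policies. MyRole's ARN is the one on this page; the Sids,
# PartnerReader and account 210987654321 are made up for the example.
ROLE_ONLY_POLICY: Policy = {"Version": "2012-10-17", "Statement": [
    {"Sid": "TeamRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/MyRole"},
     "Action": "secretsmanager:GetSecretValue", "Resource": "*"}]}

CROSS_ACCOUNT_STMT: Policy = {
    "Sid": "PartnerAccount", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::210987654321:role/PartnerReader"},
    "Action": "secretsmanager:GetSecretValue", "Resource": "*"}

# The mistake the console's Zelkova check and BlockPublicPolicy are there to stop.
PUBLIC_POLICY: Policy = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AnyoneCanRead", "Effect": "Allow", "Principal": "*",
     "Action": "secretsmanager:GetSecretValue", "Resource": "*"}]}


def _as_list(v: Any) -> List[Any]:
    return v if isinstance(v, list) else [v]


def _principals(stmt: Policy) -> List[str]:
    """Flatten the Principal element ("*", {"AWS": [...]}, ...) into strings."""
    p = stmt.get("Principal")
    if p is None:
        return []
    if isinstance(p, str):
        return [p]
    out: List[str] = []
    for v in p.values():  # keys such as AWS, Service, Federated
        out.extend(_as_list(v))
    return out


def public_statements(policy: Policy) -> List[str]:
    """Sids (or positions) of unconditional Allow statements with principal '*'.

    A conservative local approximation of what BlockPublicPolicy rejects: a
    Condition can narrow a wildcard principal, so conditioned statements are
    left to the service-side evaluation rather than flagged here."""
    flagged: List[str] = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if "*" in _principals(stmt):
            flagged.append(stmt.get("Sid", f"Statement[{i}]"))
    return flagged


def merge_statement(existing: Optional[Policy], new_stmt: Policy) -> Policy:
    """Return `existing` (or an empty policy) with `new_stmt` added.

    PutResourcePolicy replaces the whole document, so adding one grant means
    read, append, write back. A statement with the same Sid is replaced so a
    re-run does not accumulate duplicates."""
    merged: Policy = (json.loads(json.dumps(existing)) if existing
                      else {"Version": "2012-10-17", "Statement": []})
    stmts = _as_list(merged.get("Statement", []))
    sid = new_stmt.get("Sid")
    if sid is not None:
        stmts = [s for s in stmts if s.get("Sid") != sid]
    stmts.append(new_stmt)
    merged["Statement"] = stmts
    return merged


def add_grant(secret_id: str, new_stmt: Policy) -> Policy:
    """Read-merge-write one grant onto `secret_id` with both checks applied.

    Requires boto3 and AWS credentials (assumption). BlockPublicPolicy=True is
    kept despite the local pre-check because the service is the authority."""
    import boto3  # imported lazily so the offline helpers above need no AWS SDK
    client = boto3.client("secretsmanager")
    current = client.get_resource_policy(SecretId=secret_id).get("ResourcePolicy")
    merged = merge_statement(json.loads(current) if current else None, new_stmt)
    bad = public_statements(merged)
    if bad:
        raise ValueError(f"refusing to attach policy: wildcard principal in {bad}")
    client.put_resource_policy(SecretId=secret_id,
                               ResourcePolicy=json.dumps(merged),
                               BlockPublicPolicy=True)
    return merged
```

Usage: `add_grant("MyTestSecret", CROSS_ACCOUNT_STMT)` leaves the existing TeamRole statement in place and appends the cross-account grant; `add_grant("MyTestSecret", PUBLIC_POLICY["Statement"][0])` fails locally before any call to the service. Keep the local check as a fast guard only; the ValidateResourcePolicy and BlockPublicPolicy checks on the service side understand Conditions and other principal forms that this approximation deliberately does not try to model.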

For more information, see Amazon SDKs.