Permissions reference for Amazon Secrets Manager
To see the elements that make up a permissions policy, see JSON policy document structure and IAM JSON policy elements reference.
To get started writing your own permissions policy, see Permissions policy examples for Amazon Secrets Manager.
The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.
The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.
Secrets Manager actions
| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| BatchGetSecretValue | Grants permission to retrieve and decrypt a list of secrets | List | |||
| CancelRotateSecret | Grants permission to cancel an in-progress secret rotation | Write | |||
|
secretsmanager:resource/AllowRotationLambdaArn |
|||||
| CreateSecret | Grants permission to create a secret that stores encrypted data that can be queried and rotated | Write | |||
|
secretsmanager:ResourceTag/tag-key |
|||||
| DeleteResourcePolicy | Grants permission to delete the resource policy attached to a secret | Permissions management | |||
|
secretsmanager:resource/AllowRotationLambdaArn |
|||||
| DeleteSecret | Grants permission to delete a secret | Write | |||
|
secretsmanager:resource/AllowRotationLambdaArn secretsmanager:RecoveryWindowInDays secretsmanager:ForceDeleteWithoutRecovery |
|||||
| DescribeSecret | Grants permission to retrieve the metadata about a secret, but not the encrypted data | Read | |||
|
secretsmanager:resource/AllowRotationLambdaArn |
|||||
| GetRandomPassword | Grants permission to generate a random string for use in password creation | Read | |||
| GetResourcePolicy | Grants permission to get the resource policy attached to a secret | Read | |||
|
secretsmanager:resource/AllowRotationLambdaArn |
|||||
| GetSecretValue | Grants permission to retrieve and decrypt the encrypted data | Read | |||
|
secretsmanager:resource/AllowRotationLambdaArn |
|||||
| ListSecretVersionIds | Grants permission to list the available versions of a secret | Read | |||
|
secretsmanager:resource/AllowRotationLambdaArn |
|||||
| ListSecrets | Grants permission to list the available secrets | List | |||
| PutResourcePolicy | Grants permission to attach a resource policy to a secret | Permissions management | |||
|
secretsmanager:resource/AllowRotationLambdaArn secretsmanager:ResourceTag/tag-key |
|||||
| PutSecretValue | Grants permission to create a new version of the secret with new encrypted data | Write | |||
|
secretsmanager:resource/AllowRotationLambdaArn |
|||||
| RemoveRegionsFromReplication | Grants permission to remove Regions from replication | Write | |||
|
secretsmanager:resource/AllowRotationLambdaArn |
|||||
| ReplicateSecretToRegions | Grants permission to convert an existing secret to a multi-Region secret and begin replicating the secret to a list of new Regions | Write | |||
|
secretsmanager:resource/AllowRotationLambdaArn secretsmanager:ResourceTag/tag-key secretsmanager:SecretPrimaryRegion |
|||||
| RestoreSecret | Grants permission to cancel deletion of a secret | Write | |||
|
secretsmanager:resource/AllowRotationLambdaArn |
|||||
| RotateSecret | Grants permission to start rotation of a secret | Write | |||
|
secretsmanager:RotationLambdaARN secretsmanager:resource/AllowRotationLambdaArn secretsmanager:ResourceTag/tag-key secretsmanager:SecretPrimaryRegion |
|||||
| StopReplicationToReplica | Grants permission to remove the secret from replication and promote the secret to a regional secret in the replica Region | Write | |||
|
secretsmanager:resource/AllowRotationLambdaArn |
|||||
| TagResource | Grants permission to add tags to a secret | Tagging | |||
|
secretsmanager:resource/AllowRotationLambdaArn |
|||||
| UntagResource | Grants permission to remove tags from a secret | Tagging | |||
|
secretsmanager:resource/AllowRotationLambdaArn |
|||||
| UpdateSecret | Grants permission to update a secret with new metadata or with a new version of the encrypted data | Write | |||
|
secretsmanager:resource/AllowRotationLambdaArn |
|||||
| UpdateSecretVersionStage | Grants permission to move a stage from one secret to another | Write | |||
|
secretsmanager:resource/AllowRotationLambdaArn |
|||||
| ValidateResourcePolicy | Grants permission to validate a resource policy before attaching a policy | Permissions management | |||
|
secretsmanager:resource/AllowRotationLambdaArn |
Secrets Manager resources
| Resource types | ARN | Condition keys |
|---|---|---|
| Secret |
arn:${Partition}:secretsmanager:${Region}:${Account}:secret:${SecretId}
|
Secrets Manager constructs the last part of the secret ARN by appending a dash and six random alphanumeric characters at the end of the secret name. If you delete a secret and then recreate another with the same name, this formatting helps ensure that individuals with permissions to the original secret don't automatically get access to the new secret because Secrets Manager generates six new random characters.
You can find the ARN for a secret in the Secrets Manager console on the secret details page or by
calling DescribeSecret.
Condition keys
If you include string conditions from the following table in your permissions policy,
callers to Secrets Manager must pass the matching parameter or they are denied access. To avoid
denying callers for a missing parameter, add IfExists to the end of the
condition operator name, for example StringLikeIfExists. For more
information, see IAM JSON policy elements: Condition operators.
| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters access by a key that is present in the request the user makes to the Secrets Manager service | String |
| aws:ResourceTag/${TagKey} | Filters access by the tags associated with the resource | String |
| aws:TagKeys | Filters access by the list of all the tag key names present in the request the user makes to the Secrets Manager service | ArrayOfString |
| secretsmanager:AddReplicaRegions | Filters access by the list of Regions in which to replicate the secret | ArrayOfString |
| secretsmanager:BlockPublicPolicy | Filters access by whether the resource policy blocks broad Amazon Web Services account access | Bool |
| secretsmanager:Description | Filters access by the description text in the request | String |
| secretsmanager:ForceDeleteWithoutRecovery | Filters access by whether the secret is to be deleted immediately without any recovery window | Bool |
| secretsmanager:ForceOverwriteReplicaSecret | Filters access by whether to overwrite a secret with the same name in the destination Region | Bool |
| secretsmanager:KmsKeyId | Filters access by the ARN of the KMS key in the request | String |
| secretsmanager:ModifyRotationRules | Filters access by whether the rotation rules of the secret are to be modified | Bool |
| secretsmanager:Name | Filters access by the friendly name of the secret in the request | String |
| secretsmanager:RecoveryWindowInDays | Filters access by the number of days that Secrets Manager waits before it can delete the secret | Numeric |
| secretsmanager:ResourceTag/tag-key | Filters access by a tag key and value pair | String |
| secretsmanager:RotateImmediately | Filters access by whether the secret is to be rotated immediately | Bool |
| secretsmanager:RotationLambdaARN | Filters access by the ARN of the rotation Lambda function in the request | ARN |
| secretsmanager:SecretId | Filters access by the SecretID value in the request | ARN |
| secretsmanager:SecretPrimaryRegion | Filters access by the primary Region in which the secret is created | String |
| secretsmanager:VersionId | Filters access by the unique identifier of the version of the secret in the request | String |
| secretsmanager:VersionStage | Filters access by the list of version stages in the request | String |
| secretsmanager:resource/AllowRotationLambdaArn | Filters access by the ARN of the rotation Lambda function associated with the secret | ARN |
Block broad access to secrets with
BlockPublicPolicy condition
In identity policies that allow the action PutResourcePolicy, we
recommend you use BlockPublicPolicy: true. This condition means that users
can only attach a resource policy to a secret if the policy doesn't allow broad access.
Secrets Manager uses Zelkova automated reasoning to analyze resource policies for broad access.
For more information about Zelkova, see How Amazon uses automated reasoning to help you achieve security at scale
The following example shows how to use BlockPublicPolicy.
{ "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "secretsmanager:PutResourcePolicy", "Resource": "SecretId", "Condition": { "Bool": { "secretsmanager:BlockPublicPolicy": "true" } } } }
IP address conditions
Use caution when you specify the IP address condition operators or the aws:SourceIp condition key in a
policy statement that allows or denies access to Secrets Manager. For example, if you attach a policy
that restricts Amazon actions to requests from your corporate network IP address range to a
secret, then your requests as an IAM user invoking the request from the corporate network
work as expected. However, if you enable other services to access the secret on your behalf,
such as when you enable rotation with a Lambda function, that function calls the Secrets Manager
operations from an Amazon-internal address space. Requests impacted by the policy with the IP
address filter fail.
Also, the aws:sourceIP condition key is less effective when the
request comes from an Amazon VPC endpoint. To restrict requests to a specific VPC endpoint, use
VPC endpoint conditions.
VPC endpoint conditions
To allow or deny access to requests from a particular VPC or VPC endpoint, use
aws:SourceVpc to limit access to requests from the specified VPC or aws:SourceVpce to limit access to requests from the specified VPC
endpoint. See Example: Permissions and VPCs.
-
aws:SourceVpclimits access to requests from the specified VPC. -
aws:SourceVpcelimits access to requests from the specified VPC endpoint.
If you use these condition keys in a resource policy statement that allows or denies access to Secrets Manager secrets, you can inadvertently deny access to services that use Secrets Manager to access secrets on your behalf. Only some Amazon services can run with an endpoint within your VPC. If you restrict requests for a secret to a VPC or VPC endpoint, then calls to Secrets Manager from a service not configured for the service can fail.
See Using an Amazon Secrets Manager VPC endpoint.