AWS::SecretsManager::ResourcePolicy - AWS CloudFormation


Attaches the contents of the specified resource-based permission policy to a secret. A resource-based policy is optional. Alternatively, you can use IAM identity-based policies to specify the Amazon Resource Name (ARN) of the secret in the policy statement Resources element. You can also use a combination of both identity-based and resource-based policies. The affected users and roles receive the permissions permitted by all relevant policies.


To declare this entity in your AWS CloudFormation template, use the following syntax:


JSON

{
  "Type" : "AWS::SecretsManager::ResourcePolicy",
  "Properties" : {
      "BlockPublicPolicy" : Boolean,
      "ResourcePolicy" : Json,
      "SecretId" : String
    }
}


YAML

Type: AWS::SecretsManager::ResourcePolicy
Properties:
  BlockPublicPolicy: Boolean
  ResourcePolicy: Json
  SecretId: String



Properties

BlockPublicPolicy

Specifies whether Secrets Manager checks the resource policy for statements that would expose the secret publicly and blocks such a policy.

For more information on using this parameter, see Managing a resource-based policy for a secret.

Required: No

Type: Boolean

Update requires: No interruption


ResourcePolicy

Specifies a JSON object constructed according to the grammar and syntax for a resource-based policy. The policy identifies who can access or manage this secret and its associated versions. For information on how to format a JSON object as a parameter for this resource type, see Using Resource-based Policies for Secrets Manager in the AWS Secrets Manager User Guide. The same rules apply here.

Required: Yes

Type: Json

Update requires: No interruption


SecretId

Specifies the Amazon Resource Name (ARN) or the friendly name of the secret to which the resource-based permissions policy is attached.


If you use this property to change the SecretId for an existing resource-based policy, Secrets Manager removes the policy from the original secret, and then attaches the policy to the secret with the specified SecretId. This results in changing the permissions for two secrets.

Required: Yes

Type: String

Update requires: Replacement

Return values


When you pass the logical ID of an AWS::SecretsManager::ResourcePolicy resource to the intrinsic Ref function, the function returns the ARN of the configured secret, such as:


This enables you to reference a secret created in one part of the stack template from the definition of another resource later in the same template. You would typically use this with the AWS::SecretsManager::SecretTargetAttachment resource type.

For more information about using the Ref function, see Ref.


Attaching a resource-based policy to an RDS DB Instance secret

The following example shows how to attach a resource-based policy to the specified secret. The JSON request string input and response output are displayed with white space and line breaks for readability. Submit your input as a single-line JSON string.


JSON

{
  "MySecret": {
    "Type": "AWS::SecretsManager::Secret",
    "Properties": {
      "Description": "This is a secret that I want to attach a resource-based policy to"
    }
  },
  "MySecretResourcePolicy": {
    "Type": "AWS::SecretsManager::ResourcePolicy",
    "Properties": {
      "BlockPublicPolicy": true,
      "SecretId": {
        "Ref": "MySecret"
      },
      "ResourcePolicy": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Resource": "*",
            "Action": "secretsmanager:DeleteSecret",
            "Effect": "Deny",
            "Principal": {
              "AWS": {
                "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root"
              }
            }
          }
        ]
      }
    }
  }
}


YAML

MySecret:
  Type: 'AWS::SecretsManager::Secret'
  Properties:
    Description: This is a secret that I want to attach a resource-based policy to
MySecretResourcePolicy:
  Type: 'AWS::SecretsManager::ResourcePolicy'
  Properties:
    BlockPublicPolicy: true
    SecretId: !Ref MySecret
    ResourcePolicy:
      Version: 2012-10-17
      Statement:
        - Resource: '*'
          Action: 'secretsmanager:DeleteSecret'
          Effect: Deny
          Principal:
            AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
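The BlockPublicPolicy property described above is enforced by Secrets Manager at deployment time; the following is an added pre-deployment lint, not AWS code and not part of this page, that applies the same idea to a template before it is submitted. It walks every AWS::SecretsManager::ResourcePolicy resource in a constructed sample template (one scoped Deny statement in the shape of the example above, plus a second, deliberately over-broad resource that is an assumption for illustration), flags resources that do not set BlockPublicPolicy to true, and flags Allow statements whose Principal is a wildcard with no Condition. The sample template, resource names and the finding strings are all constructed here.

```python
import json

# Constructed sample template (not from the page). "DenyDeletePolicy" mirrors
# the documented example; "PublicReadPolicy" is an assumed over-broad resource
# included only so the lint has something to flag.
SAMPLE_TEMPLATE = {
    "Resources": {
        "MySecret": {
            "Type": "AWS::SecretsManager::Secret",
            "Properties": {"Description": "demo secret (constructed)"},
        },
        "DenyDeletePolicy": {
            "Type": "AWS::SecretsManager::ResourcePolicy",
            "Properties": {
                "BlockPublicPolicy": True,
                "SecretId": {"Ref": "MySecret"},
                "ResourcePolicy": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Deny",
                        "Principal": {"AWS": {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root"}},
                        "Action": "secretsmanager:DeleteSecret",
                        "Resource": "*",
                    }],
                },
            },
        },
        "PublicReadPolicy": {
            "Type": "AWS::SecretsManager::ResourcePolicy",
            "Properties": {
                "SecretId": {"Ref": "MySecret"},
                "ResourcePolicy": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": "*",
                        "Action": "secretsmanager:GetSecretValue",
                        "Resource": "*",
                    }],
                },
            },
        },
    }
}


def _principals(principal):
    """Flatten a policy Principal element to the list of literal principal strings.

    Intrinsic functions such as {"Fn::Sub": ...} are not resolvable offline and
    are skipped; they cannot evaluate to the bare wildcard "*" anyway.
    """
    if isinstance(principal, str):
        return [principal]
    if isinstance(principal, dict):
        out = []
        for value in principal.values():
            out.extend(value if isinstance(value, list) else [value])
        return [p for p in out if isinstance(p, str)]
    return []


def statement_is_public(stmt):
    """True for an unconditioned Allow whose Principal is "*" or {"AWS": "*"}.

    Simplification: a statement with any Condition is treated as not public here;
    a production checker would still inspect whether the condition actually
    narrows the principal.
    """
    if stmt.get("Effect") != "Allow":
        return False
    if stmt.get("Condition"):
        return False
    return "*" in _principals(stmt.get("Principal"))


def find_policy_findings(template):
    """Return (logical_id, message) pairs for every risky ResourcePolicy resource."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::SecretsManager::ResourcePolicy":
            continue
        props = res.get("Properties", {})
        if props.get("BlockPublicPolicy") is not True:
            findings.append((name, "BlockPublicPolicy is not true"))
        statements = props.get("ResourcePolicy", {}).get("Statement", [])
        if isinstance(statements, dict):  # a single statement may be written as an object
            statements = [statements]
        for i, stmt in enumerate(statements):
            if statement_is_public(stmt):
                findings.append((name, f"Statement[{i}] allows a wildcard principal"))
    return findings


if __name__ == "__main__":
    for logical_id, message in find_policy_findings(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {message}")
    # Templates read from disk can be passed the same way: json.load(open(path))
```

Run against a real template with `find_policy_findings(json.load(open("template.json")))`; a template rendered from YAML must be converted to JSON first, since the `!Ref` and `!Sub` short forms are not plain YAML. The lint is deliberately conservative: it flags only what it can prove offline and leaves conditioned statements for review rather than guessing at their effect.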

See also