AWS CloudFormation
User Guide (API Version 2010-05-15)

AWS::SecretsManager::ResourcePolicy

The AWS::SecretsManager::ResourcePolicy resource lets you define a resource-based policy and attach it to a secret that's stored in Secrets Manager.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
    "Type" : "AWS::SecretsManager::ResourcePolicy",
    "Properties" : {
        "SecretId" : String,
        "ResourcePolicy" : JSON object
    }
}

YAML

Type: "AWS::SecretsManager::ResourcePolicy"
Properties:
  SecretId: String
  ResourcePolicy: JSON object

Properties

SecretId

Specifies the Amazon Resource Name (ARN) or the friendly name of the secret that you want to attach a resource-based permissions policy to. To reference a secret that's also created in this template, use the Ref function with the secret's logical ID.

Important

If you use this property to change the SecretId for an existing resource-based policy, it removes the policy from the original secret, and then attaches the policy to the secret with the specified SecretId. This results in changing the permissions for two secrets.

Required: Yes

Type: String

Update requires: Replacement

ResourcePolicy

Specifies a JSON object that's constructed according to the grammar and syntax for an AWS resource-based policy. The policy identifies who can access or manage this secret and its versions. A resource-based policy is evaluated together with the identity-based policies of the calling principal: an explicit Deny in either takes precedence over any Allow. For information on how to format a JSON object as a parameter for this resource type, see Using Resource-based Policies for Secrets Manager in the AWS Secrets Manager User Guide. Those same rules apply here.

Required: Yes

Type: JSON object

Update requires: No interruption

Return Values

Ref

When you pass the logical ID of an AWS::SecretsManager::ResourcePolicy resource to the intrinsic Ref function, the function returns the ARN of the secret that's being configured, such as:

arn:aws:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c

This enables you to reference a secret that you create in one part of the stack template from within the definition of another resource later, in the same template. You would typically use this with the AWS::SecretsManager::SecretTargetAttachment resource type.

For more information about using the Ref function, see Ref.

Examples

Attaching a Resource-based Policy to a Secret

The following example shows how to define a resource-based policy and attach it to a secret defined in the same template. It defines a secret with the logical ID MySecret, then attaches a resource-based policy that denies secretsmanager:DeleteSecret to the account root principal, which in a resource-based policy means every IAM principal in the current account. Because an explicit Deny overrides any Allow in an identity-based policy, even an administrator cannot delete the secret while this policy is attached; update or remove the resource policy first.

Note

The JSON specification doesn't allow any kind of comments. See the YAML example for comments.

JSON

{
    "MySecret": {
        "Type": "AWS::SecretsManager::Secret",
        "Properties": {
            "Description": "This is a secret that I want to attach a resource-based policy to"
        }
    },
    "MySecretResourcePolicy": {
        "Type": "AWS::SecretsManager::ResourcePolicy",
        "Properties": {
            "SecretId": {"Ref": "MySecret"},
            "ResourcePolicy": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Deny",
                        "Principal": {"AWS": {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root"}},
                        "Action": "secretsmanager:DeleteSecret",
                        "Resource": "*"
                    }
                ]
            }
        }
    }
}

YAML

MySecret:
  Type: AWS::SecretsManager::Secret
  Properties:
    Description: "This is a secret that I want to attach a resource-based policy to"

# This is a ResourcePolicy resource which attaches a resource policy to the referenced secret.
# The resource policy denies the DeleteSecret action to all principals in the current account.
MySecretResourcePolicy:
  Type: AWS::SecretsManager::ResourcePolicy
  Properties:
    SecretId: !Ref MySecret
    ResourcePolicy:
      Version: "2012-10-17"
      Statement:
        - Effect: "Deny"
          Principal:
            AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
          Action: "secretsmanager:DeleteSecret"
          Resource: "*"
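The ResourcePolicy property above accepts any syntactically valid resource-based policy, including one that makes the secret readable by every AWS principal. The following script is an added example, not part of the AWS documentation or of any AWS tool: it walks a CloudFormation template (JSON form), resolves the Fn::Sub and Ref intrinsics used for ${AWS::AccountId}, and lints every AWS::SecretsManager::ResourcePolicy resource for Allow statements that are public (Principal "*" without a Condition), cross-account, or wildcard-action. The Deny statement from the page's example produces no findings. The account ID 123456789012, the RiskyResourcePolicy resource, and the finding messages are constructed for illustration.

```python
"""Lint AWS::SecretsManager::ResourcePolicy resources in a CloudFormation template.

Added example, not AWS code. Assumptions: JSON template with a top-level
"Resources" map; account 123456789012 resolves ${AWS::AccountId}; the
RiskyResourcePolicy resource and finding texts are constructed for this demo.
"""
import json
import re

ACCOUNT_ID = "123456789012"  # assumed account, used to resolve pseudo parameters
IAM_ARN = re.compile(r"^arn:aws:iam::(\d{12}):")


def resolve(node, account_id=ACCOUNT_ID):
    """Resolve Fn::Sub of ${AWS::AccountId} and Ref to AWS::AccountId so that
    every principal can be inspected as a plain string."""
    if isinstance(node, dict):
        if set(node) == {"Fn::Sub"} and isinstance(node["Fn::Sub"], str):
            return node["Fn::Sub"].replace("${AWS::AccountId}", account_id)
        if set(node) == {"Ref"} and node["Ref"] == "AWS::AccountId":
            return account_id
        return {k: resolve(v, account_id) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(v, account_id) for v in node]
    return node


def as_list(value):
    return value if isinstance(value, list) else [value]


def principals_of(statement):
    """Flatten Principal ("*", {"AWS": "..."} or {"AWS": [...]}) to a list of strings."""
    principal = statement.get("Principal")
    if principal is None:
        return []
    if isinstance(principal, str):
        return [principal]
    flattened = []
    for value in principal.values():
        flattened.extend(as_list(value))
    return flattened


def lint_policy(policy, account_id=ACCOUNT_ID):
    """Findings for one resolved policy. Only Allow statements widen access,
    so a Deny (as in the page's example) is never flagged."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("policy Version should be 2012-10-17")
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principals = principals_of(stmt)
        if "*" in principals and "Condition" not in stmt:
            findings.append(f"statement {i}: Allow to principal * without Condition (public)")
        for p in principals:
            m = IAM_ARN.match(p)
            if m and m.group(1) != account_id:
                findings.append(f"statement {i}: cross-account Allow to {p}")
        for a in as_list(stmt.get("Action", [])):
            if a in ("*", "secretsmanager:*"):
                findings.append(f"statement {i}: Allow with wildcard action {a}")
    return findings


def lint_template(template, account_id=ACCOUNT_ID):
    """Map each AWS::SecretsManager::ResourcePolicy logical ID to its findings."""
    results = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") == "AWS::SecretsManager::ResourcePolicy":
            policy = resolve(resource["Properties"]["ResourcePolicy"], account_id)
            results[logical_id] = lint_policy(policy, account_id)
    return results


# Constructed template: the page's Deny example plus a deliberately risky policy.
EXAMPLE_TEMPLATE = json.loads("""
{"Resources": {
  "MySecret": {"Type": "AWS::SecretsManager::Secret",
               "Properties": {"Description": "example secret"}},
  "MySecretResourcePolicy": {"Type": "AWS::SecretsManager::ResourcePolicy",
    "Properties": {"SecretId": {"Ref": "MySecret"},
      "ResourcePolicy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny",
         "Principal": {"AWS": {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root"}},
         "Action": "secretsmanager:DeleteSecret", "Resource": "*"}]}}},
  "RiskyResourcePolicy": {"Type": "AWS::SecretsManager::ResourcePolicy",
    "Properties": {"SecretId": {"Ref": "MySecret"},
      "ResourcePolicy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*",
         "Action": "secretsmanager:GetSecretValue", "Resource": "*"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999999999999:role/Reader"},
         "Action": "secretsmanager:*", "Resource": "*"}]}}}}}
""")

if __name__ == "__main__":
    for logical_id, findings in lint_template(EXAMPLE_TEMPLATE).items():
        print(logical_id, findings or ["OK"])
```

Run it against a real template by replacing EXAMPLE_TEMPLATE with json.load() of the file; the deployed policy can then be compared with what CloudFormation actually attached using the Secrets Manager GetResourcePolicy API for the secret ARN returned by Ref.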

See Also