AWS::SecretsManager::ResourcePolicy - AWS CloudFormation

AWS::SecretsManager::ResourcePolicy

Attaches a resource-based permission policy to a secret. A resource-based policy is optional. For more information, see Authentication and access control for Secrets Manager

For information about attaching a policy in the console, see Attach a permissions policy to a secret.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{ "Type" : "AWS::SecretsManager::ResourcePolicy", "Properties" : { "BlockPublicPolicy" : Boolean, "ResourcePolicy" : Json, "SecretId" : String } }

YAML

Type: AWS::SecretsManager::ResourcePolicy Properties: BlockPublicPolicy: Boolean ResourcePolicy: Json SecretId: String

Properties

BlockPublicPolicy

Set to true to block resource-based policies that allow broad access to the secret. By default, Secrets Manager blocks policies that allow broad access.

Required: No

Type: Boolean

Update requires: No interruption

ResourcePolicy

A JSON-formatted string for an AWS resource-based policy. For example policies, see Permissions policy examples.

Required: Yes

Type: Json

Minimum: 1

Maximum: 20480

Update requires: No interruption

SecretId

The ARN or name of the secret to attach the resource-based policy.

For an ARN, we recommend that you specify a complete ARN rather than a partial ARN.

Required: Yes

Type: String

Minimum: 1

Maximum: 2048

Update requires: Replacement

Return values

Ref

When you pass the logical ID of an AWS::SecretsManager::ResourcePolicy resource to the intrinsic Ref function, the function returns the ARN of the configured secret, such as:

arn:aws:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c

This enables you to reference a secret you created in one part of the stack template from within the definition of another resource later, in the same template. You would typically use this with the AWS::SecretsManager::SecretTargetAttachment resource type.

For more information about using the Ref function, see Ref.

Examples

Attaching a resource-based policy to an RDS database instance secret

The following example shows how to attach a resource-based policy to a secret. The JSON request string input and response output displays as formatted with white space and line breaks for better readability. Submit your input as a single line JSON string.

JSON

{ "MySecret": { "Type": "AWS::SecretsManager::Secret", "Properties": { "Description": "This is a secret that I want to attach a resource-based policy to" } }, "MySecretResourcePolicy": { "Type": "AWS::SecretsManager::ResourcePolicy", "Properties": { "BlockPublicPolicy": "True", "SecretId": { "Ref": "MySecret" }, "ResourcePolicy": { "Version": "2012-10-17", "Statement": [ { "Resource": "*", "Action": "secretsmanager:DeleteSecret", "Effect": "Deny", "Principal": { "AWS": { "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root" } } } ] } } } }

YAML

--- MySecret: Type: AWS::SecretsManager::Secret Properties: Description: This is a secret that I want to attach a resource-based policy to MySecretResourcePolicy: Type: AWS::SecretsManager::ResourcePolicy Properties: BlockPublicPolicy: True SecretId: Ref: MySecret ResourcePolicy: Version: '2012-10-17' Statement: - Resource: "*" Action: secretsmanager:DeleteSecret Effect: Deny Principal: AWS: Fn::Sub: arn:aws:iam::${AWS::AccountId}:root

See also