AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for AWS Secrets Manager

AWS Secrets Manager (service prefix: secretsmanager) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions Defined by AWS Secrets Manager

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

| Actions | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions |
|---|---|---|---|---|---|
| CancelRotateSecret | Enables the user to cancel an in-progress secret rotation. | Write | Secret* | secretsmanager:SecretId, secretsmanager:resource/AllowRotationLambdaArn | |
| CreateSecret | Enables the user to create a secret that stores encrypted data that can be queried and rotated. | Tagging | | secretsmanager:Name, secretsmanager:Description, secretsmanager:KmsKeyId, aws:RequestTag/tag-key, aws:TagKeys | |
| DeleteResourcePolicy | Enables the user to delete the resource policy attached to a secret. | Permissions management | Secret* | secretsmanager:SecretId, secretsmanager:resource/AllowRotationLambdaArn | |
| DeleteSecret | Enables the user to delete a secret. | Write | Secret* | secretsmanager:SecretId, secretsmanager:resource/AllowRotationLambdaArn | |
| DescribeSecret | Enables the user to retrieve the metadata about a secret, but not the encrypted data. | Read | Secret* | secretsmanager:SecretId, secretsmanager:resource/AllowRotationLambdaArn | |
| GetRandomPassword | Enables the user to generate a random string for use in password creation. | Write | | | |
| GetResourcePolicy | Enables the user to get the resource policy attached to a secret. | Read | Secret* | secretsmanager:SecretId, secretsmanager:resource/AllowRotationLambdaArn | |
| GetSecretValue | Enables the user to retrieve and decrypt the encrypted data. | Read | Secret* | secretsmanager:SecretId, secretsmanager:VersionId, secretsmanager:VersionStage, secretsmanager:resource/AllowRotationLambdaArn | |
| ListSecretVersionIds | Enables the user to list the available versions of a secret. | Read | Secret* | secretsmanager:SecretId, secretsmanager:resource/AllowRotationLambdaArn | |
| ListSecrets | Enables the user to list the available secrets. | List | | | |
| PutResourcePolicy | Enables the user to attach a resource policy to a secret. | Permissions management | Secret* | secretsmanager:SecretId, secretsmanager:resource/AllowRotationLambdaArn | |
| PutSecretValue | Enables the user to create a new version of the secret with new encrypted data. | Write | Secret* | secretsmanager:SecretId, secretsmanager:resource/AllowRotationLambdaArn | |
| RestoreSecret | Enables the user to cancel deletion of a secret. | Write | Secret* | secretsmanager:SecretId, secretsmanager:resource/AllowRotationLambdaArn | |
| RotateSecret | Enables the user to start rotation of a secret. | Write | Secret* | secretsmanager:SecretId, secretsmanager:RotationLambdaARN, secretsmanager:resource/AllowRotationLambdaArn | |
| TagResource | Enables the user to add tags to a secret. | Tagging | Secret* | secretsmanager:SecretId, aws:RequestTag/tag-key, aws:TagKeys, secretsmanager:resource/AllowRotationLambdaArn | |
| UntagResource | Enables the user to remove tags from a secret. | Tagging | Secret* | secretsmanager:SecretId, aws:TagKeys, secretsmanager:resource/AllowRotationLambdaArn | |
| UpdateSecret | Enables the user to update a secret with new metadata or with a new version of the encrypted data. | Write | Secret* | secretsmanager:SecretId, secretsmanager:Description, secretsmanager:KmsKeyId, secretsmanager:resource/AllowRotationLambdaArn | |
| UpdateSecretVersionStage | Enables the user to move a stage from one secret to another. | Write | Secret* | secretsmanager:SecretId, secretsmanager:VersionStage, secretsmanager:resource/AllowRotationLambdaArn | |

Resources Defined by Secrets Manager

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

| Resource Types | ARN | Condition Keys |
|---|---|---|
| Secret | arn:${Partition}:secretsmanager:${Region}:${Account}:secret:${SecretId} | secretsmanager:resource/AllowRotationLambdaArn |

Condition Keys for AWS Secrets Manager

AWS Secrets Manager defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The Condition Keys Table.

To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.

| Condition Keys | Description | Type |
|---|---|---|
| aws:RequestTag/tag-key | Filters access by a key that is present in the request the user makes to the Secrets Manager service. | String |
| aws:TagKeys | Filters access by the list of all the tag key names present in the request the user makes to the Secrets Manager service. | String |
| secretsmanager:resource/AllowRotationLambdaArn | Filters access by the ARN of the rotation Lambda function associated with the secret. | ARN |
| secretsmanager:SecretId | Filters access by the SecretID value in the request. | ARN |
| secretsmanager:Name | Filters access by the friendly name of the secret in the request. | String |
| secretsmanager:Description | Filters access by the description text in the request. | String |
| secretsmanager:KmsKeyId | Filters access by the ARN of the KMS key in the request. | String |
| secretsmanager:VersionId | Filters access by the unique identifier of the version of the secret in the request. | String |
| secretsmanager:VersionStage | Filters access by the list of version stages in the request. | String |
| secretsmanager:RotationLambdaARN | Filters access by the ARN of the rotation Lambda function in the request. | ARN |
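The three tables above together define what a well-formed Secrets Manager policy statement can say: which actions accept the Secret resource type, and which condition keys each action honours (a condition key that an action does not evaluate silently never matches, which is a common source of policies that are either broader or narrower than intended). The following added example, which is not code from the AWS documentation, is a small policy linter that encodes the Actions table as data and checks statements against it: it flags resource-level actions allowed on `Resource: "*"`, actions that take no resource type but are given a secret ARN, and `secretsmanager:` condition keys applied to an action that does not support them. The sample policies, the account id, region and ARNs, and the finding messages are constructed for illustration.

```python
"""Lint IAM policy statements against the Secrets Manager action table.

Added example, not code from the AWS documentation.  ACTIONS is transcribed
from the Actions table on the page: for each action, whether it accepts the
Secret resource type (Secret* in the table) and which secretsmanager:
condition keys the table lists for it.  Sample policies, account id, region
and ARNs below are constructed.
"""
import fnmatch
import json

SVC = "secretsmanager:"
ROT = SVC + "resource/AllowRotationLambdaArn"  # listed on every Secret* action

ACTIONS = {  # action: (accepts the Secret resource type, service condition keys)
    "CancelRotateSecret": (True, {SVC + "SecretId", ROT}),
    "CreateSecret": (False, {SVC + "Name", SVC + "Description", SVC + "KmsKeyId"}),
    "DeleteResourcePolicy": (True, {SVC + "SecretId", ROT}),
    "DeleteSecret": (True, {SVC + "SecretId", ROT}),
    "DescribeSecret": (True, {SVC + "SecretId", ROT}),
    "GetRandomPassword": (False, set()),
    "GetResourcePolicy": (True, {SVC + "SecretId", ROT}),
    "GetSecretValue": (True, {SVC + "SecretId", SVC + "VersionId", SVC + "VersionStage", ROT}),
    "ListSecretVersionIds": (True, {SVC + "SecretId", ROT}),
    "ListSecrets": (False, set()),
    "PutResourcePolicy": (True, {SVC + "SecretId", ROT}),
    "PutSecretValue": (True, {SVC + "SecretId", ROT}),
    "RestoreSecret": (True, {SVC + "SecretId", ROT}),
    "RotateSecret": (True, {SVC + "SecretId", SVC + "RotationLambdaARN", ROT}),
    "TagResource": (True, {SVC + "SecretId", ROT}),
    "UntagResource": (True, {SVC + "SecretId", ROT}),
    "UpdateSecret": (True, {SVC + "SecretId", SVC + "Description", SVC + "KmsKeyId", ROT}),
    "UpdateSecretVersionStage": (True, {SVC + "SecretId", SVC + "VersionStage", ROT}),
}
# aws:RequestTag/<key> and aws:TagKeys are global keys evaluated for any action,
# so only service-specific (secretsmanager:) keys are checked against the table.


def _as_list(value):
    return value if isinstance(value, list) else [value]


def expand_actions(patterns):
    """Resolve the Action element (wildcards allowed) to names from the table."""
    matched, unknown = [], []
    for pattern in patterns:
        if not pattern.lower().startswith(SVC):  # another service; not checked here
            continue
        hits = [a for a in ACTIONS if fnmatch.fnmatchcase(a.lower(), pattern[len(SVC):].lower())]
        if hits:
            matched.extend(hits)
        else:
            unknown.append(pattern)
    return matched, unknown


def lint_statement(stmt):
    """Return a list of findings for one policy statement; empty means clean."""
    findings = []
    actions, unknown = expand_actions(_as_list(stmt.get("Action", [])))
    findings.extend(f"unknown action {p}" for p in unknown)
    wildcard_only = all(r == "*" for r in _as_list(stmt.get("Resource", [])))
    cond_keys = [k for pairs in stmt.get("Condition", {}).values() for k in pairs]
    for name in actions:
        resource_level, allowed = ACTIONS[name]
        allowed = {k.lower() for k in allowed}
        if resource_level and wildcard_only and stmt.get("Effect") == "Allow":
            findings.append(f"{name} allowed on Resource '*': scope it to secret ARNs")
        if not resource_level and not wildcard_only:
            findings.append(f"{name} takes no resource type; its Resource must be '*'")
        for key in cond_keys:
            if key.lower().startswith(SVC) and key.lower() not in allowed:
                findings.append(f"{name} does not support condition key {key}")
    return findings


def lint_policy(policy):
    """Map each statement's Sid (or index) to its findings."""
    return {s.get("Sid", f"Statement{i}"): lint_statement(s)
            for i, s in enumerate(policy["Statement"])}


# Constructed sample: least-privilege read of one secret's current version, plus a
# deny that pins rotation to one approved Lambda function (constructed ARNs).
DB_SECRETS = "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/db-*"
READ_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadCurrentValue", "Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
     "Resource": DB_SECRETS,
     "Condition": {"ForAnyValue:StringEquals": {"secretsmanager:VersionStage": "AWSCURRENT"}}},
    {"Sid": "DescribeOnly", "Effect": "Allow", "Action": "secretsmanager:DescribeSecret",
     "Resource": DB_SECRETS},
    {"Sid": "OnlyApprovedRotationLambda", "Effect": "Deny",
     "Action": "secretsmanager:RotateSecret", "Resource": "*",
     "Condition": {"ArnNotEquals": {"secretsmanager:RotationLambdaARN":
                   "arn:aws:lambda:us-east-1:111122223333:function:rotate-db"}}},
]}

# Constructed sample of three common mistakes the table lets us catch.
SLOPPY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "TooBroad", "Effect": "Allow", "Action": "secretsmanager:Get*", "Resource": "*"},
    {"Sid": "WrongKey", "Effect": "Allow", "Action": ["secretsmanager:DescribeSecret"],
     "Resource": DB_SECRETS,
     "Condition": {"StringEquals": {"secretsmanager:VersionStage": "AWSCURRENT"}}},
    {"Sid": "CreateNeedsStar", "Effect": "Allow", "Action": "secretsmanager:CreateSecret",
     "Resource": DB_SECRETS,
     "Condition": {"StringEquals": {"secretsmanager:KmsKeyId":
                   "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}},
]}

if __name__ == "__main__":
    for label, policy in (("READ_POLICY", READ_POLICY), ("SLOPPY_POLICY", SLOPPY_POLICY)):
        print(label, json.dumps(lint_policy(policy), indent=2))
```

The linter reads the Actions table the way IAM does: `CreateSecret`, `GetRandomPassword` and `ListSecrets` have no entry in the Resource Types column, so a statement that grants them on a secret ARN never matches and must use `"*"`; conversely, every `Secret*` action should be scoped to secret ARNs in an `Allow`. The `Deny` on `RotateSecret` shows the intended use of `secretsmanager:RotationLambdaARN` from the Condition Keys table: rotation may be started only with the approved function, whatever other `Allow` statements exist.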