Table Of Contents

Feedback

User Guide

First time using the AWS CLI? See the User Guide for help getting started.

[ aws . secretsmanager ]

put-resource-policy

Description

Attaches the contents of the specified resource-based permission policy to a secret. A resource-based policy is optional. Alternatively, you can use IAM identity-based policies that specify the secret's Amazon Resource Name (ARN) in the policy statement's Resources element. You can also use a combination of both identity-based and resource-based policies. The affected users and roles receive the permissions that are permitted by all of the relevant policies. For more information, see Using Resource-Based Policies for AWS Secrets Manager . For the complete description of the AWS policy syntax and grammar, see IAM JSON Policy Reference in the IAM User Guide .

Minimum permissions

To run this command, you must have the following permissions:

  • secretsmanager:PutResourcePolicy
Related operations
  • To retrieve the resource policy that's attached to a secret, use GetResourcePolicy .
  • To delete the resource-based policy that's attached to a secret, use DeleteResourcePolicy .
  • To list all of the currently available secrets, use ListSecrets .

See also: AWS API Documentation

See 'aws help' for descriptions of global parameters.

Synopsis

  put-resource-policy
--secret-id <value>
--resource-policy <value>
[--cli-input-json <value>]
[--generate-cli-skeleton <value>]

Options

--secret-id (string)

Specifies the secret that you want to attach the resource-based policy to. You can specify either the ARN or the friendly name of the secret.

Note

If you specify an ARN, we generally recommend that you specify a complete ARN. You can specify a partial ARN too—for example, if you don’t include the final hyphen and six random characters that Secrets Manager adds at the end of the ARN when you created the secret. A partial ARN match can work as long as it uniquely matches only one secret. However, if your secret has a name that ends in a hyphen followed by six characters (before Secrets Manager adds the hyphen and six characters to the ARN) and you try to use that as a partial ARN, then those characters cause Secrets Manager to assume that you’re specifying a complete ARN. This confusion can cause unexpected results. To avoid this situation, we recommend that you don’t create secret names that end with a hyphen followed by six characters.

--resource-policy (string)

A JSON-formatted string that's constructed according to the grammar and syntax for an AWS resource-based policy. The policy in the string identifies who can access or manage this secret and its versions. For information on how to format a JSON parameter for the various command line tool environments, see Using JSON for Parameters in the AWS CLI User Guide .

--cli-input-json (string) Performs service operation based on the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, the CLI values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally.

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.

See 'aws help' for descriptions of global parameters.

Examples

To add a resource-based policy to a secret

The following example shows how to add a resource-based policy to a secret. The policy is read from a file on disk and must contain a valid JSON policy document. For more information, see Resource-based Policies in the Secrets Manager User Guide. .. Resource-based Policies: http://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_overview.html#auth-and-access_resource-policies:

aws secretsmanager put-resource-policy --secret-id MyTestDatabaseMasterSecret \
    --resource-policy file://mysecretpolicy.json

The output shows the following:

{
    "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MyTestDatabaseSecret-a1b2c3",
    "Name": "MyTestDatabaseSecret"
}

Output

ARN -> (string)

The ARN of the secret that the resource-based policy was retrieved for.

Name -> (string)

The friendly name of the secret that the resource-based policy was retrieved for.