AWS Code Sample


This resource-based policy shows how to grant an IAM role permission to call GetSecretValue only for the version of the attached secret that carries the AWSCURRENT staging label; requests for any other version fall through to the implicit deny.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow an app associated with an IAM role to only read the current version of a secret",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:role/EncryptionApp"},
      "Action": ["secretsmanager:GetSecretValue"],
      "Condition": {
        "ForAnyValue:StringEquals": {"secretsmanager:VersionStage": "AWSCURRENT"}
      },
      "Resource": "*"
    }
  ]
}
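As an added illustration (not part of the AWS sample), a small Python model of how this statement is evaluated against a request context: the secretsmanager:VersionStage key is multi-valued, which is why the statement uses the ForAnyValue set operator rather than plain StringEquals. The evaluator is a constructed simplification of IAM's logic, not the real engine, and it models only this one Allow statement plus the implicit deny.

```python
"""Constructed model of how the ForAnyValue:StringEquals condition in the
policy above gates secretsmanager:GetSecretValue by staging label. Added
illustration only: one Allow statement plus IAM's implicit deny, nothing else."""
import json

# The page's statement wrapped in a policy document (standard policy language version).
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Allow an app associated with an IAM role to only read the current version of a secret",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/EncryptionApp"},
    "Action": ["secretsmanager:GetSecretValue"],
    "Condition": {"ForAnyValue:StringEquals": {"secretsmanager:VersionStage": "AWSCURRENT"}},
    "Resource": "*"
  }]
}""")
ROLE = "arn:aws:iam::123456789012:role/EncryptionApp"

def as_list(value):
    """IAM lets a single string stand for a one-element list."""
    return value if isinstance(value, list) else [value]

def condition_matches(condition, version_stages):
    """version_stages: set of staging labels in the request context. The key is
    multi-valued, so set operators apply: ForAnyValue passes if at least one
    label matches, ForAllValues only if every label does. Other operators and
    other keys are not modeled and fail closed."""
    for operator, block in condition.items():
        for key, expected in block.items():
            if key != "secretsmanager:VersionStage":
                return False
            if operator == "ForAnyValue:StringEquals":
                hit = any(v in as_list(expected) for v in version_stages)
            elif operator == "ForAllValues:StringEquals":
                hit = all(v in as_list(expected) for v in version_stages)
            else:
                return False
            if not hit:
                return False
    return True

def evaluate(policy, principal_arn, action, version_stages):
    """'Allow' if an Allow statement matches the request, else implicit 'Deny'."""
    for stmt in policy["Statement"]:
        if (stmt["Effect"] == "Allow"
                and principal_arn in as_list(stmt["Principal"]["AWS"])
                and action in as_list(stmt["Action"])
                and condition_matches(stmt.get("Condition", {}), version_stages)):
            return "Allow"
    return "Deny"
```

A version labelled both AWSCURRENT and a custom label still passes ForAnyValue; under ForAllValues the same request would fail, which is the practical difference between the two set operators here.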

Sample Details

Service: secretsmanager

Author: AWS

Type: full-example
