asm-user-policy-grants-access-when-request-comes-from-vpc.json - AWS Code Sample


This resource-based policy delegates access to all secrets in the account to a different AWS account, but they can only get the secret value when requested from a specific VPC endpoint.

{ "Id": "example-policy-1", "Version": "2012-10-17", "Statement": [ { "Sid": "Enable Secrets Manager permissions to principals in account 123456789012", "Effect": "Allow", "Principal": {"AWS":["123456789012"]}, "Action": ["secretsmanager:*"], "Resource": "*" }, { "Sid": "Restrict GetSecretValue operation to only my VPC endpoint", "Effect": "Deny", "Principal": "*", "Action": ["secretsmanager:GetSecretValue"], "Resource": "*", "Condition": { "StringNotEquals": { "aws:sourceVpce": "vpce-1234a5678b9012c" } } } ] }

Sample Details

Service: secretsmanager

Author: AWS

Type: full-example