AWS::SecretsManager::ResourcePolicy - AWS CloudFormation


Attaches a resource-based permission policy to a secret. A resource-based policy is optional. A secret holds a single resource policy, and this CloudFormation resource does not overwrite one that is already attached: if the secret already has a resource policy, you must remove it before attaching a new policy with this resource. You can remove the existing policy from the console, with the CLI (aws secretsmanager delete-resource-policy --secret-id <secret>), or with the DeleteResourcePolicy API. For more information, see Authentication and access control for Secrets Manager.

Required permissions: secretsmanager:PutResourcePolicy, secretsmanager:GetResourcePolicy. For more information, see IAM policy actions for Secrets Manager and Authentication and access control in Secrets Manager.


To declare this entity in your AWS CloudFormation template, use the following syntax:


JSON

{
  "Type" : "AWS::SecretsManager::ResourcePolicy",
  "Properties" : {
      "BlockPublicPolicy" : Boolean,
      "ResourcePolicy" : Json,
      "SecretId" : String
    }
}


YAML

Type: AWS::SecretsManager::ResourcePolicy
Properties:
  BlockPublicPolicy: Boolean
  ResourcePolicy: Json
  SecretId: String



Properties

BlockPublicPolicy

Specifies whether to block resource-based policies that allow broad access to the secret, for example those that use a wildcard for the principal. When set to true, Secrets Manager rejects such a policy instead of attaching it. By default (when the property is omitted), public policies are not blocked, so set this to true unless the secret is intentionally shared with unrestricted principals.

Required: No

Type: Boolean

Update requires: No interruption


ResourcePolicy

The resource-based policy to attach, as a JSON policy document. In a template you can write it inline as a JSON or YAML object rather than as an escaped string, as the example on this page does. For example policies, see Permissions policy examples.

Required: Yes

Type: Json

Update requires: No interruption


SecretId

The ARN or name of the secret to attach the resource-based policy to.

For an ARN, we recommend that you specify a complete ARN rather than a partial ARN.

Required: Yes

Type: String

Update requires: Replacement

Return values


Ref

When you pass the logical ID of an AWS::SecretsManager::ResourcePolicy resource to the intrinsic Ref function, the function returns the ARN of the configured secret, such as:


This enables you to reference a secret you created in one part of the stack template from within the definition of another resource later, in the same template. You would typically use this with the AWS::SecretsManager::SecretTargetAttachment resource type.

For more information about using the Ref function, see Ref.



Attaching a resource-based policy to an RDS database instance secret

The following example creates a secret and attaches a resource-based policy to it that denies secretsmanager:DeleteSecret, with the account's root principal as the principal of the Deny statement. BlockPublicPolicy is set to true so that a broad-access policy would be rejected. The JSON and YAML templates are shown with white space and line breaks for readability.


JSON

{
  "MySecret": {
    "Type": "AWS::SecretsManager::Secret",
    "Properties": {
      "Description": "This is a secret that I want to attach a resource-based policy to"
    }
  },
  "MySecretResourcePolicy": {
    "Type": "AWS::SecretsManager::ResourcePolicy",
    "Properties": {
      "BlockPublicPolicy": true,
      "SecretId": {
        "Ref": "MySecret"
      },
      "ResourcePolicy": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Resource": "*",
            "Action": "secretsmanager:DeleteSecret",
            "Effect": "Deny",
            "Principal": {
              "AWS": {
                "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root"
              }
            }
          }
        ]
      }
    }
  }
}


YAML

---
MySecret:
  Type: AWS::SecretsManager::Secret
  Properties:
    Description: This is a secret that I want to attach a resource-based policy to
MySecretResourcePolicy:
  Type: AWS::SecretsManager::ResourcePolicy
  Properties:
    BlockPublicPolicy: true
    SecretId:
      Ref: MySecret
    ResourcePolicy:
      Version: '2012-10-17'
      Statement:
        - Resource: "*"
          Action: secretsmanager:DeleteSecret
          Effect: Deny
          Principal:
            AWS:
              Fn::Sub: arn:aws:iam::${AWS::AccountId}:root
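The following Python is an added example, not code from the AWS documentation or from CloudFormation itself. It serves two passages on this page: the BlockPublicPolicy property and the template example above. It builds an AWS::SecretsManager::ResourcePolicy resource as a dict with a least-privilege policy (one role may read the secret, DeleteSecret is denied account-wide), and runs a local pre-deploy lint that flags the kind of policy BlockPublicPolicy exists to stop: an Allow statement for a wildcard principal with no condition key that narrows the caller. The role ARN, the logical ID and the list of "restricting" condition keys are assumptions made for the example; the authoritative public-policy check is the one Secrets Manager performs when BlockPublicPolicy is true, and this lint only approximates it. Nothing here calls AWS, so it runs offline.

```python
import json

# Condition keys that narrow who can match a wildcard-principal Allow.
# This list is an assumption for the example; the real BlockPublicPolicy
# evaluation is done by AWS and is more thorough than this lint.
RESTRICTING_CONDITION_KEYS = {
    "aws:principalorgid", "aws:principalorgpaths", "aws:principalaccount",
    "aws:principalarn", "aws:sourceaccount", "aws:sourcearn",
    "aws:sourcevpc", "aws:sourcevpce", "aws:sourceowner", "aws:userid",
}


def secretsmanager_resource_policy(secret_logical_id, reader_role_arn, block_public=True):
    """Build an AWS::SecretsManager::ResourcePolicy resource (as a dict) that lets
    one role read the secret and denies DeleteSecret with the account root as
    principal. reader_role_arn is a hypothetical role ARN supplied by the caller."""
    policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowReaderRole",
                "Effect": "Allow",
                "Principal": {"AWS": reader_role_arn},
                "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
                "Resource": "*",
            },
            {
                "Sid": "DenyDelete",
                "Effect": "Deny",
                "Principal": {"AWS": {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root"}},
                "Action": "secretsmanager:DeleteSecret",
                "Resource": "*",
            },
        ],
    }
    return {
        "Type": "AWS::SecretsManager::ResourcePolicy",
        "Properties": {
            "BlockPublicPolicy": block_public,
            "SecretId": {"Ref": secret_logical_id},
            "ResourcePolicy": policy,
        },
    }


def _principal_values(principal):
    """Flatten a Principal element ("*", {"AWS": "..."} or {"AWS": [...]}) into
    the string principals it names. Intrinsic functions such as Fn::Sub are
    dicts and are skipped: they never resolve to a wildcard."""
    if isinstance(principal, str):
        return [principal]
    values = []
    for v in principal.values():
        items = v if isinstance(v, list) else [v]
        values.extend(item for item in items if isinstance(item, str))
    return values


def _condition_keys(statement):
    """Lower-cased condition keys used anywhere in the statement's Condition block."""
    keys = set()
    for operator_block in statement.get("Condition", {}).values():
        keys.update(k.lower() for k in operator_block)
    return keys


def public_statements(policy):
    """Return the Sid (or index) of every Allow statement that grants access to a
    wildcard principal without a restricting condition key."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    found = []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        if "*" not in _principal_values(st.get("Principal", {})):
            continue
        if _condition_keys(st) & RESTRICTING_CONDITION_KEYS:
            continue
        found.append(st.get("Sid", i))
    return found


def lint_resource_policy_resource(resource):
    """Pre-deploy checks for a resource dict built above or parsed from a template.
    Returns a list of findings; an empty list means the resource passes.
    BlockPublicPolicy is accepted as a boolean or as the string "true" (YAML/JSON)."""
    props = resource["Properties"]
    findings = []
    if str(props.get("BlockPublicPolicy", "")).lower() != "true":
        findings.append("BlockPublicPolicy is not true")
    for sid in public_statements(props["ResourcePolicy"]):
        findings.append(f"statement {sid!r} allows a wildcard principal without a restricting condition")
    return findings


if __name__ == "__main__":
    res = secretsmanager_resource_policy("MySecret", "arn:aws:iam::111122223333:role/AppReader")
    print(json.dumps({"MySecretResourcePolicy": res}, indent=2))
    print("findings:", lint_resource_policy_resource(res))
```

The lint deliberately treats a condition such as aws:SecureTransport as not restricting: it limits how the caller connects, not who the caller is, so a wildcard principal behind it is still public. Running the check in CI before cfn deploy catches the mistake earlier than the PutResourcePolicy rejection that BlockPublicPolicy produces at stack time.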

See also