ValidateResourcePolicy
Validates that a resource policy does not grant a wide range of principals access to your secret. A resource-based policy is optional for secrets.
The API performs three checks when validating the policy:
- Sends a call to Zelkova, an automated reasoning engine, to ensure your resource policy does not allow broad access to your secret, for example policies that use a wildcard for the principal.
- Checks for correct syntax in a policy.
- Verifies the policy does not lock out a caller.
Required permissions: secretsmanager:ValidateResourcePolicy.
For more information, see IAM policy actions for Secrets Manager and Authentication and access control in Secrets Manager.
Request Syntax
{
  "ResourcePolicy": "string",
  "SecretId": "string"
}
Request Parameters
For information about the parameters that are common to all actions, see Common Parameters.
The request accepts the following data in JSON format.
- ResourcePolicy
A JSON-formatted string that contains an AWS resource-based policy. The policy in the string identifies who can access or manage this secret and its versions. For example policies, see Permissions policy examples.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 20480.
Required: Yes
- SecretId
This field is reserved for internal use.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 2048.
Required: No
Response Syntax
{
  "PolicyValidationPassed": boolean,
  "ValidationErrors": [
    {
      "CheckName": "string",
      "ErrorMessage": "string"
    }
  ]
}
Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
- PolicyValidationPassed
True if your policy passes validation, otherwise false.
Type: Boolean
- ValidationErrors
Validation errors if your policy didn't pass validation.
Type: Array of ValidationErrorsEntry objects
Errors
For information about the errors that are common to all actions, see Common Errors.
- InternalServiceError
An error occurred on the server side.
HTTP Status Code: 500
- InvalidParameterException
The parameter name or value is invalid.
HTTP Status Code: 400
- InvalidRequestException
A parameter value is not valid for the current state of the resource.
Possible causes:
- The secret is scheduled for deletion.
- You tried to enable rotation on a secret that doesn't already have a Lambda function ARN configured and you didn't include such an ARN as a parameter in this call.
HTTP Status Code: 400
- MalformedPolicyDocumentException
The resource policy has syntax errors.
HTTP Status Code: 400
- ResourceNotFoundException
Secrets Manager can't find the resource that you asked for.
HTTP Status Code: 400
Examples
Example
The following example shows how to validate a JSON policy.
Sample Request
POST / HTTP/1.1
Host: secretsmanager.region.domain
Accept-Encoding: identity
X-Amz-Target: secretsmanager.ValidateResourcePolicy
Content-Type: application/x-amz-json-1.1
User-Agent: <user-agent-string>
X-Amz-Date: <date>
Authorization: AWS4-HMAC-SHA256 Credential=<credentials>,SignedHeaders=<headers>, Signature=<signature>
Content-Length: <payload-size-bytes>
{
  "SecretId": "MyTestDatabaseSecret",
  "ResourcePolicy": "{\n\"Version\":\"2012-10-17\",\n\"Statement\":[{\n\"Effect\":\"Allow\",\n\"Principal\":{\n\"AWS\":\"arn:aws:iam::123456789012:root\"\n},\n\"Action\":\"secretsmanager:GetSecretValue\",\n\"Resource\":\"*\"\n}]\n}"
}
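The following is an added example, not code from the AWS documentation or the Secrets Manager SDKs. It ties together the three checks described at the top of the page and the request above: it runs a local approximation of the first check (an Allow statement whose principal is a wildcard) and of the syntax check before spending an API call, then submits the policy string through the boto3 `validate_resource_policy` operation and reduces the `PolicyValidationPassed` / `ValidationErrors` response to a pass flag plus a list of `(CheckName, ErrorMessage)` pairs. The account ID, secret name and the two sample policies are constructed values; the `StubClient` is a constructed stand-in that returns a canned response so the flow can be exercised without AWS credentials.

```python
"""Added example: lint a Secrets Manager resource policy locally, then validate
it with ValidateResourcePolicy and interpret the response. Sample values are
constructed placeholders, not real accounts or secrets."""
import json

# Constructed sample policies. 123456789012 is a placeholder account ID.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": "secretsmanager:GetSecretValue",
        "Resource": "*",
    }],
}

BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",                      # wildcard principal: broad access
        "Action": "secretsmanager:GetSecretValue",
        "Resource": "*",
    }],
}


def to_policy_string(policy: dict) -> str:
    """Serialize a policy dict into the JSON string the ResourcePolicy field expects."""
    return json.dumps(policy, separators=(",", ":"))


def _as_list(value):
    """IAM policy grammar allows a string or a list of strings in most fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_wildcard_principals(policy_json: str) -> list:
    """Local approximation of the API's first check.

    Returns the index of every Allow statement whose Principal is a wildcard
    ("*" or a provider map such as {"AWS": "*"}). Raises ValueError on
    malformed JSON, the local counterpart of MalformedPolicyDocumentException.
    """
    try:
        policy = json.loads(policy_json)
    except json.JSONDecodeError as exc:
        raise ValueError(f"policy is not valid JSON: {exc}") from None
    flagged = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # "Principal": "*" on a Deny is the usual, safe pattern
        principal = stmt.get("Principal")
        if principal == "*":
            flagged.append(idx)
        elif isinstance(principal, dict) and any(
                "*" in _as_list(v) for v in principal.values()):
            flagged.append(idx)
    return flagged


class StubClient:
    """Constructed stand-in for a boto3 Secrets Manager client (offline use only)."""

    def __init__(self, response: dict):
        self.response = response

    def validate_resource_policy(self, **kwargs):
        return self.response


def validate_with_api(policy_json: str, secret_id=None, client=None) -> dict:
    """Call ValidateResourcePolicy and flatten the response.

    `client` is injectable; when omitted, a real boto3 client is created (boto3
    is assumed to be installed and credentials configured in that case).
    """
    if client is None:
        import boto3  # imported lazily so the local checks work offline
        client = boto3.client("secretsmanager")
    kwargs = {"ResourcePolicy": policy_json}
    if secret_id:
        kwargs["SecretId"] = secret_id
    resp = client.validate_resource_policy(**kwargs)
    errors = [(e.get("CheckName"), e.get("ErrorMessage"))
              for e in resp.get("ValidationErrors", [])]
    return {"passed": bool(resp.get("PolicyValidationPassed")), "errors": errors}


if __name__ == "__main__":
    for name, pol in (("scoped", SCOPED_POLICY), ("broad", BROAD_POLICY)):
        hits = find_wildcard_principals(to_policy_string(pol))
        print(f"{name}: wildcard principal in statements {hits}" if hits
              else f"{name}: no wildcard principal found locally")
    # Replace StubClient(...) with None to call the real API with configured credentials.
    canned = StubClient({"PolicyValidationPassed": False, "ValidationErrors": [
        {"CheckName": "CONSTRUCTED_CHECK", "ErrorMessage": "constructed message"}]})
    print(validate_with_api(to_policy_string(BROAD_POLICY), "MyTestDatabaseSecret", canned))
```

The local check is deliberately narrower than Zelkova's analysis (it does not reason about conditions or cross-account trust), so treat a clean local result as a reason to proceed to the API call, not as a substitute for it; a non-empty `errors` list from the API is the signal to fix the policy before calling PutResourcePolicy.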
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following: