AWS Secrets Manager
User Guide

Authentication and Access Control for AWS Secrets Manager

Accessing AWS Secrets Manager requires AWS credentials. The credentials must have permissions to access the AWS resources, such as your Secrets Manager secrets. The following sections provide details on how you can use AWS Identity and Access Management (IAM) policies to secure access to your secrets and control who can access and administer them.

Because secrets contain extremely sensitive information, access to them must be tightly controlled. With IAM permission policies you control which users (or services) can access your secrets and which API, CLI, and console operations they can perform on the secrets they are authorized to use. Using the granular features of the IAM policy language, you can limit a user to a subset of your secrets, or even to a single secret, by filtering on tags. You can also restrict a user to specific versions of a secret by filtering on staging labels.

You can also determine who can manage which secrets, and who can update or modify the secrets and their associated metadata. If you have administrator permissions for the AWS Secrets Manager service (sometimes written as `*/*`, meaning "all actions on all resources"), you can delegate Secrets Manager tasks by granting the corresponding permissions to others.

You can attach permission policies to your users, groups, and roles, and specify the secrets the attached identities can access. These are called "identity-based policies". Alternatively, you can attach a permission policy directly to the secret and specify who can access it. This is called a "resource-based policy". Either way, the policies specify what actions each principal can perform on which secrets.
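As an added example that is not part of the AWS guide, the following identity-based policy combines the controls described above: it allows reading only the `AWSCURRENT` version of secrets that carry a specific tag, and explicitly denies the operations that change or delete a secret. The account ID, region, secret name prefix, and the `Team=payments` tag are constructed placeholders; `secretsmanager:ResourceTag/<key>` and `secretsmanager:VersionStage` are real Secrets Manager condition keys, and `ForAnyValue:StringEquals` is used for the staging label because a version can carry several labels.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribePaymentsSecrets",
      "Effect": "Allow",
      "Action": "secretsmanager:DescribeSecret",
      "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/payments/*",
      "Condition": {
        "StringEquals": {
          "secretsmanager:ResourceTag/Team": "payments"
        }
      }
    },
    {
      "Sid": "ReadOnlyCurrentVersionOfPaymentsSecrets",
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/payments/*",
      "Condition": {
        "StringEquals": {
          "secretsmanager:ResourceTag/Team": "payments"
        },
        "ForAnyValue:StringEquals": {
          "secretsmanager:VersionStage": "AWSCURRENT"
        }
      }
    },
    {
      "Sid": "DenyWriteAndDeleteOnAllSecrets",
      "Effect": "Deny",
      "Action": [
        "secretsmanager:PutSecretValue",
        "secretsmanager:UpdateSecret",
        "secretsmanager:DeleteSecret"
      ],
      "Resource": "*"
    }
  ]
}
```

The same statements could be placed in a resource-based policy attached directly to a secret, in which case each statement also needs a `Principal` element naming the identities it applies to. An explicit `Deny` always overrides an `Allow` granted elsewhere, so the third statement holds even if another attached policy grants broader access.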

For general information about IAM permissions policies, see Overview of IAM Policies in the IAM User Guide.

For the permissions available specifically for use with AWS Secrets Manager, see Actions, Resources, and Context Keys You Can Use in an IAM Policy or Secret Policy for AWS Secrets Manager.

The following sections describe how to manage permissions for AWS Secrets Manager. AWS recommends reading the overview first.
