Attach a permissions policy to an identity - AWS Secrets Manager

Attach a permissions policy to an identity

You can attach permissions policies to IAM identities: users, user groups, and roles. In an identity-based policy, you specify which secrets the identity can access and the actions the identity can perform on the secrets. For more information, see Adding and removing IAM identity permissions.

You can grant permissions to a role that represents an application or user in another service. For example, an application running on an Amazon EC2 instance might need access to a database. You can create an IAM role attached to the EC2 instance profile and then use a permissions policy to grant the role access to the secret that contains credentials for the database. For more information, see Using an IAM role to grant permissions to applications running on Amazon EC2 instances. Other services that you can attach roles to include Amazon Redshift, AWS Lambda, and Amazon ECS.

You can also grant permissions to users authenticated by an identity system other than IAM. For example, you can associate IAM roles to mobile app users who sign in with Amazon Cognito. The role grants the app temporary credentials with the permissions in the role permission policy. Then you can use a permissions policy to grant the role access to the secret. For more information, see Identity providers and federation.

You can use identity-based policies to:

  • Grant an identity access to multiple secrets.

  • Control who can create new secrets, and who can access secrets that haven't been created yet.

  • Grant an IAM group access to secrets.

For more information, see Permissions policy examples.