Specifying policy statement elements - AWS Secrets Manager

Specifying policy statement elements

The following section contains a brief overview of IAM permission policies from the perspective of Secrets Manager. For more detail about IAM policy syntax, see the AWS IAM Policy Reference in the IAM User Guide.

Secrets Manager defines a set of API operations to interact with or manipulate a secret in some way. To grant permissions for these operations, Secrets Manager defines a set of corresponding actions you can specify in a policy. For example, Secrets Manager defines actions to work on a secret, such as CreateSecret, GetSecretValue, ListSecrets, and RotateSecret.

A policy document must have a Version element. We recommend always using the latest version to ensure you can use all of the available features. As of this writing, the only available version, and therefore the latest, is 2012-10-17.

In addition, a secret policy document must have one Statement element with one or more statements in an array. Each statement can consist of up to six elements:

  • Sid – (Optional) You can use the Sid as a statement identifier, an arbitrary string identifying the statement. The string cannot contain spaces.

  • Effect – (Required) Use this keyword to specify whether the policy statement allows or denies the action on the resource. If you don't explicitly allow access to a resource, access is implicitly denied. You can also explicitly deny access to a resource. You might do this to ensure that a user can't perform the specified action on the specified resource, even if a different policy grants access. Be aware that when multiple statements overlap, an explicit deny in one statement overrides any other statements that explicitly allow, and explicit allow statements override the implicit deny that applies by default.

  • Action – (Required) Use this keyword to identify the actions you want to allow or deny. These actions usually, but not always, correspond one-to-one with the available operations. For example, depending on the specified Effect, secretsmanager:PutSecretValue either allows or denies the user permissions to perform the Secrets Manager PutSecretValue operation.

  • Resource – (Required) In an identity-based policy attached to a user, group, or role, you use this keyword to specify the Amazon Resource Name (ARN) of the resource for the applicable policy statement. If you don't want the statement to restrict access to a specific resource, then you can use "*", and the resulting statement restricts only actions. In a resource-based policy attached to a secret, the resource must always be "*".

  • Principal – (Required in a resource-based policy only) For resource-based policies attached directly to a secret, you specify the user, role, account, service, or other entity you want to receive permissions. This element isn't valid in an identity-based policy. In identity-based policies, the user or role with the attached policy automatically and implicitly becomes the principal.

  • Condition – (Optional) Use this keyword to specify additional conditions that must be true for the statement to "match" and the Effect to apply. For more information, see IAM JSON Policy Elements: Condition.
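As an added illustration (not code from the AWS documentation), the following Python helper lints a policy document against the statement rules listed above and evaluates the Allow, explicit Deny, or implicit deny outcome for one action. The ARN and account ID are made up, and any Condition elements are assumed to evaluate true.

```python
import fnmatch

def lint_policy(doc, resource_based):
    """Return rule violations (empty list = passes). resource_based: attached to the secret."""
    problems = []
    if doc.get("Version") != "2012-10-17":
        problems.append("Version must be 2012-10-17")
    stmts = doc.get("Statement")
    if not isinstance(stmts, list) or not stmts:
        return problems + ["Statement must be a non-empty array"]
    for i, s in enumerate(stmts):
        if " " in str(s.get("Sid", "")):
            problems.append(f"statement {i}: Sid cannot contain spaces")
        if s.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
        problems += [f"statement {i}: {k} is required" for k in ("Action", "Resource") if k not in s]
        if resource_based and "Principal" not in s:
            problems.append(f"statement {i}: Principal is required in a resource-based policy")
        if resource_based and s.get("Resource") != "*":
            problems.append(f'statement {i}: Resource must be "*" in a resource-based policy')
        if not resource_based and "Principal" in s:
            problems.append(f"statement {i}: Principal is not valid in an identity-based policy")
    return problems

def evaluate(doc, action, resource_arn):
    """Explicit Deny overrides any Allow; with no matching Allow the default is implicit deny.
    Condition elements are assumed to evaluate true (not checked here)."""
    decision = "ImplicitDeny"
    for s in doc["Statement"]:
        acts = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        ress = s["Resource"] if isinstance(s["Resource"], list) else [s["Resource"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in acts):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in ress):
            continue
        if s["Effect"] == "Deny":
            return "Deny"  # one explicit deny wins regardless of other statements
        decision = "Allow"
    return decision

# Constructed sample (the ARN and account are made up): read-only access to one
# secret, with an explicit deny on deletion that no other statement can override.
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:app/db-AbCdEf"
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadOneSecret", "Effect": "Allow",
     "Action": "secretsmanager:GetSecretValue", "Resource": SECRET_ARN},
    {"Sid": "NeverDelete", "Effect": "Deny",
     "Action": "secretsmanager:DeleteSecret", "Resource": "*"},
]}
```

Calling `lint_policy(IDENTITY_POLICY, resource_based=True)` reports the missing Principal and the non-"*" Resource, which is exactly what changes when the same statements are moved onto the secret itself.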