Attach a permissions policy to a secret - AWS Secrets Manager

Attach a permissions policy to a secret

In a resource-based policy, you specify who can access the secret and the actions they can perform on the secret. You can use resource-based policies to:

  • Grant access to a single secret to multiple users and roles.

  • Grant access to users or roles in other AWS accounts.

See Permissions policy examples.

When you attach a resource-based policy to a secret in the console, Secrets Manager uses the automated reasoning engine Zelkova and the API ValidateResourcePolicy to prevent you from granting a wide range of IAM principals access to your secrets. Alternatively, you can call the PutResourcePolicy API with the BlockPublicPolicy parameter from the CLI or SDK.

To view, change, or delete the resource policy for a secret (console)

  1. Open the Secrets Manager console at https://console.aws.amazon.com/secretsmanager/.

  2. In the secret details page for your secret, in the Resource permissions section, choose Edit permissions.

  3. In the code field, do one of the following, and then choose Save:

    • To attach or modify a resource policy, enter the policy.

    • To delete the policy, clear the code field.

AWS CLI

To retrieve the policy attached to the secret, use get-resource-policy.

The following CLI command retrieves the policy attached to the secret.

$ aws secretsmanager get-resource-policy --secret-id production/MyAwesomeAppSecret
{
    "ARN": "arn:aws:secretsmanager:us-east-2:123456789012:secret:production/MyAwesomeAppSecret-a1b2c3",
    "Name": "MyAwesomeAppSecret",
    "ResourcePolicy": "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam::111122223333:root\",\"arn:aws:iam::444455556666:root\"]},\"Action\":[\"secretsmanager:GetSecret\",\"secretsmanager:GetSecretValue\"],\"Resource\":\"*\"}}"
}
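Because the ResourcePolicy field comes back as a JSON string nested inside the JSON response, a review script has to decode it twice before it can inspect the Principal elements. The following is an added example (not AWS code) that does that and reports any Allow principal outside a set of trusted accounts, which is the kind of check BlockPublicPolicy performs for wildcard principals; the sample response and account IDs are constructed.

```python
import json
import re

# Constructed sample in the shape of a get-resource-policy response: note that
# ResourcePolicy is carried as a JSON-encoded string inside the JSON response.
# Account IDs are the hypothetical ones used in the documentation, not real accounts.
SAMPLE_RESPONSE = json.dumps({
    "ARN": "arn:aws:secretsmanager:us-east-2:123456789012:secret:production/MyAwesomeAppSecret-a1b2c3",
    "Name": "MyAwesomeAppSecret",
    "ResourcePolicy": json.dumps({
        "Version": "2012-10-17",
        "Statement": {
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam::111122223333:root",
                                  "arn:aws:iam::444455556666:root"]},
            "Action": ["secretsmanager:GetSecretValue"],
            "Resource": "*",
        },
    }),
})

# Captures the 12-digit account ID from an IAM principal ARN.
ACCOUNT_RE = re.compile(r"^arn:aws:iam::(\d{12}):")

def principal_accounts(principal):
    """Account IDs named in a Principal element; contains "*" if the grant is public."""
    if principal == "*":
        return {"*"}
    arns = principal.get("AWS", []) if isinstance(principal, dict) else []
    arns = [arns] if isinstance(arns, str) else arns  # "AWS" may be a string or a list
    accounts = set()
    for arn in arns:
        m = ACCOUNT_RE.match(arn)
        accounts.add(m.group(1) if m else arn)  # "*" and bare account IDs pass through as-is
    return accounts

def untrusted_allow_principals(response_json, trusted_accounts):
    """Parse a get-resource-policy response and return the Allow principals that are
    not in trusted_accounts; "*" in the result means the policy is public."""
    policy = json.loads(json.loads(response_json)["ResourcePolicy"])
    statements = policy["Statement"]
    if isinstance(statements, dict):  # a single statement may be an object, not a list
        statements = [statements]
    findings = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        findings |= principal_accounts(stmt.get("Principal", {})) - set(trusted_accounts)
    return sorted(findings)
```

Feed it the output of `aws secretsmanager get-resource-policy` and treat a non-empty result as a policy to review before it is kept.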

To delete the policy attached to the secret, use delete-resource-policy.

The following CLI command deletes the policy attached to the secret.

$ aws secretsmanager delete-resource-policy --secret-id production/MyAwesomeAppSecret
{
    "ARN": "arn:aws:secretsmanager:us-east-2:123456789012:secret:production/MyAwesomeAppSecret-a1b2c3",
    "Name": "production/MyAwesomeAppSecret"
}

To attach a policy for the secret, use put-resource-policy. If there is already a policy attached, the command first removes it, and then attaches the new policy. The policy must be formatted as JSON structured text. See JSON policy document structure.

The following CLI command attaches a resource-based policy to the secret. The policy is defined in the file secretpolicy.json. Use the Permissions policy examples to get started writing your policy.

$ aws secretsmanager put-resource-policy --secret-id production/MyAwesomeAppSecret --resource-policy file://secretpolicy.json
{
    "ARN": "arn:aws:secretsmanager:us-east-2:123456789012:secret:production/MyAwesomeAppSecret-a1b2c3",
    "Name": "MyAwesomeAppSecret"
}

AWS SDK

To retrieve the policy attached to a secret, use GetResourcePolicy.

To delete a policy attached to a secret, use DeleteResourcePolicy.

To attach a policy to a secret, use PutResourcePolicy. If there is already a policy attached, the command first removes it, and then attaches the new policy. The policy must be formatted as JSON structured text. See JSON policy document structure. Use the Permissions policy examples to get started writing your policy.