Attach a permissions policy to an AWS Secrets Manager secret

In a resource-based policy, you specify who can access the secret and the actions they can perform on the secret. You can use resource-based policies to:

  • Grant access to a single secret to multiple users and roles.

  • Grant access to users or roles in other AWS accounts.

See Permissions policy examples for AWS Secrets Manager.

When you attach a resource-based policy to a secret in the console, Secrets Manager uses the automated reasoning engine Zelkova and the ValidateResourcePolicy API to stop you from granting access to an overly broad set of IAM principals. Alternatively, you can call the PutResourcePolicy API with the BlockPublicPolicy parameter from the CLI or SDK.

Important

Resource policy validation and the BlockPublicPolicy parameter help protect your resources by preventing public access from being granted through the resource policies that are directly attached to your secrets. In addition to using these features, carefully inspect the following policies to confirm that they do not grant public access:

  • Identity-based policies attached to associated AWS principals (for example, IAM roles)

  • Resource-based policies attached to associated AWS resources (for example, AWS Key Management Service (AWS KMS) keys)

To review permissions to your secrets, see Determine who has permissions to your secrets.

To view, change, or delete the resource policy for a secret (console)
  1. Open the Secrets Manager console at https://console.aws.amazon.com/secretsmanager/.

  2. From the list of secrets, choose your secret.

  3. On the secret details page, on the Overview tab, in the Resource permissions section, choose Edit permissions.

  4. In the code field, do one of the following, and then choose Save:

    • To attach or modify a resource policy, enter the policy.

    • To delete the policy, clear the code field.

AWS CLI

Example Retrieve a resource policy

The following get-resource-policy example retrieves the resource-based policy attached to a secret.

aws secretsmanager get-resource-policy \
    --secret-id MyTestSecret

Example Delete a resource policy

The following delete-resource-policy example deletes the resource-based policy attached to a secret.

aws secretsmanager delete-resource-policy \
    --secret-id MyTestSecret

Example Add a resource policy

The following put-resource-policy example adds a permissions policy to a secret, checking first that the policy does not provide broad access to the secret. The policy is read from a file. For more information, see Loading AWS CLI parameters from a file in the AWS CLI User Guide.

aws secretsmanager put-resource-policy \
    --secret-id MyTestSecret \
    --resource-policy file://mypolicy.json \
    --block-public-policy

Contents of mypolicy.json:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:role/MyRole"
            },
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "*"
        }
    ]
}

AWS SDK

To retrieve the policy attached to a secret, use GetResourcePolicy.

To delete a policy attached to a secret, use DeleteResourcePolicy.

To attach a policy to a secret, use PutResourcePolicy. If a policy is already attached, the call replaces it with the new policy. The policy must be formatted as JSON structured text. See JSON policy document structure. Use the Permissions policy examples for AWS Secrets Manager to get started writing your policy.
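The following added example (not code from this guide) shows the SDK flow described above in Python with boto3: a local lint for wildcard principals, then ValidateResourcePolicy, then PutResourcePolicy with BlockPublicPolicy set. The policy document, the secret name MyTestSecret and the account ID are the constructed values from the CLI example above; the boto3 client is only created when the script is run directly.

```python
"""Attach a resource policy to a secret only after both a local lint and the
service-side ValidateResourcePolicy check pass (constructed example)."""
import json

# Constructed policy mirroring mypolicy.json above: one role, one action.
MY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/MyRole"},
        "Action": "secretsmanager:GetSecretValue",
        "Resource": "*",
    }],
}


def wildcard_principal_statements(policy):
    """Return the Allow statements whose Principal is a bare wildcard.

    A deliberately simple local lint: the authoritative check is the
    service-side validation, which also reasons about Conditions.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    hits = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            hits.append(stmt)
        elif isinstance(principal, dict):
            aws = principal.get("AWS", [])
            if "*" in ([aws] if isinstance(aws, str) else aws):
                hits.append(stmt)
    return hits


def attach_policy(client, secret_id, policy):
    """Validate, then attach with BlockPublicPolicy; return the PutResourcePolicy response.

    `client` is a boto3 secretsmanager client (or a test double with the same
    method names). Raises ValueError instead of attaching a rejected policy.
    """
    if wildcard_principal_statements(policy):
        raise ValueError("policy grants access to a wildcard principal")
    doc = json.dumps(policy)
    result = client.validate_resource_policy(SecretId=secret_id, ResourcePolicy=doc)
    if not result.get("PolicyValidationPassed", False):
        errors = [e.get("ErrorMessage", "") for e in result.get("ValidationErrors", [])]
        raise ValueError("ValidateResourcePolicy rejected the policy: " + "; ".join(errors))
    return client.put_resource_policy(
        SecretId=secret_id, ResourcePolicy=doc, BlockPublicPolicy=True)


if __name__ == "__main__":
    import boto3  # imported here so the module loads without AWS credentials
    print(attach_policy(boto3.client("secretsmanager"), "MyTestSecret", MY_POLICY))
```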

For more information, see AWS SDKs.