Permissions reference for Secrets Manager - AWS Secrets Manager

Permissions reference for Secrets Manager

To see the elements that make up a permissions policy, see JSON policy document structure and IAM JSON policy elements reference.

To get started writing your own permissions policy, see Permissions policy examples.

Secrets Manager actions

Each entry lists the action, what it grants, its access level, the resource type it applies to (* = required) and the condition keys it supports. The Dependent actions column is empty for every entry.

CancelRotateSecret
  Description: Grants permission to cancel an in-progress secret rotation
  Access level: Write
  Resource types: Secret*
  Condition keys: secretsmanager:SecretId, secretsmanager:resource/AllowRotationLambdaArn, secretsmanager:ResourceTag/tag-key, aws:ResourceTag/${TagKey}, secretsmanager:SecretPrimaryRegion

CreateSecret
  Description: Grants permission to create a secret that stores encrypted data that can be queried and rotated
  Access level: Write
  Resource types: Secret*
  Condition keys: secretsmanager:Name, secretsmanager:Description, secretsmanager:KmsKeyId, aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, secretsmanager:ResourceTag/tag-key, secretsmanager:AddReplicaRegions, secretsmanager:ForceOverwriteReplicaSecret

DeleteResourcePolicy
  Description: Grants permission to delete the resource policy attached to a secret
  Access level: Permissions management
  Resource types: Secret*
  Condition keys: secretsmanager:SecretId, secretsmanager:resource/AllowRotationLambdaArn, secretsmanager:ResourceTag/tag-key, aws:ResourceTag/${TagKey}, secretsmanager:SecretPrimaryRegion

DeleteSecret
  Description: Grants permission to delete a secret
  Access level: Write
  Resource types: Secret*
  Condition keys: secretsmanager:SecretId, secretsmanager:resource/AllowRotationLambdaArn, secretsmanager:RecoveryWindowInDays, secretsmanager:ForceDeleteWithoutRecovery, secretsmanager:ResourceTag/tag-key, aws:ResourceTag/${TagKey}, secretsmanager:SecretPrimaryRegion

DescribeSecret
  Description: Grants permission to retrieve the metadata about a secret, but not the encrypted data
  Access level: Read
  Resource types: Secret*
  Condition keys: secretsmanager:SecretId, secretsmanager:resource/AllowRotationLambdaArn, secretsmanager:ResourceTag/tag-key, aws:ResourceTag/${TagKey}, secretsmanager:SecretPrimaryRegion

GetRandomPassword
  Description: Grants permission to generate a random string for use in password creation
  Access level: Read
  Resource types: (none)
  Condition keys: (none)

GetResourcePolicy
  Description: Grants permission to get the resource policy attached to a secret
  Access level: Read
  Resource types: Secret*
  Condition keys: secretsmanager:SecretId, secretsmanager:resource/AllowRotationLambdaArn, secretsmanager:ResourceTag/tag-key, aws:ResourceTag/${TagKey}, secretsmanager:SecretPrimaryRegion

GetSecretValue
  Description: Grants permission to retrieve and decrypt the encrypted data
  Access level: Read
  Resource types: Secret*
  Condition keys: secretsmanager:SecretId, secretsmanager:VersionId, secretsmanager:VersionStage, secretsmanager:resource/AllowRotationLambdaArn, secretsmanager:ResourceTag/tag-key, aws:ResourceTag/${TagKey}, secretsmanager:SecretPrimaryRegion

ListSecretVersionIds
  Description: Grants permission to list the available versions of a secret
  Access level: Read
  Resource types: Secret*
  Condition keys: secretsmanager:SecretId, secretsmanager:resource/AllowRotationLambdaArn, secretsmanager:ResourceTag/tag-key, aws:ResourceTag/${TagKey}, secretsmanager:SecretPrimaryRegion

ListSecrets
  Description: Grants permission to list the available secrets
  Access level: List
  Resource types: (none)
  Condition keys: (none)

PutResourcePolicy
  Description: Grants permission to attach a resource policy to a secret
  Access level: Permissions management
  Resource types: Secret*
  Condition keys: secretsmanager:SecretId, secretsmanager:resource/AllowRotationLambdaArn, secretsmanager:ResourceTag/tag-key, aws:ResourceTag/${TagKey}, secretsmanager:BlockPublicPolicy, secretsmanager:SecretPrimaryRegion

PutSecretValue
  Description: Grants permission to create a new version of the secret with new encrypted data
  Access level: Write
  Resource types: Secret*
  Condition keys: secretsmanager:SecretId, secretsmanager:resource/AllowRotationLambdaArn, secretsmanager:ResourceTag/tag-key, aws:ResourceTag/${TagKey}, secretsmanager:SecretPrimaryRegion

RemoveRegionsFromReplication
  Description: Grants permission to remove regions from replication
  Access level: Write
  Resource types: Secret*
  Condition keys: secretsmanager:SecretId, secretsmanager:resource/AllowRotationLambdaArn, secretsmanager:ResourceTag/tag-key, aws:ResourceTag/${TagKey}, secretsmanager:SecretPrimaryRegion

ReplicateSecretToRegions
  Description: Grants permission to convert an existing secret to a multi-Region secret and begin replicating the secret to a list of new regions
  Access level: Write
  Resource types: Secret*
  Condition keys: secretsmanager:SecretId, secretsmanager:resource/AllowRotationLambdaArn, secretsmanager:ResourceTag/tag-key, aws:ResourceTag/${TagKey}, secretsmanager:SecretPrimaryRegion, secretsmanager:AddReplicaRegions, secretsmanager:ForceOverwriteReplicaSecret

RestoreSecret
  Description: Grants permission to cancel deletion of a secret
  Access level: Write
  Resource types: Secret*
  Condition keys: secretsmanager:SecretId, secretsmanager:resource/AllowRotationLambdaArn, secretsmanager:ResourceTag/tag-key, aws:ResourceTag/${TagKey}, secretsmanager:SecretPrimaryRegion

RotateSecret
  Description: Grants permission to start rotation of a secret
  Access level: Write
  Resource types: Secret*
  Condition keys: secretsmanager:SecretId, secretsmanager:RotationLambdaARN, secretsmanager:resource/AllowRotationLambdaArn, secretsmanager:ResourceTag/tag-key, aws:ResourceTag/${TagKey}, secretsmanager:SecretPrimaryRegion, secretsmanager:ModifyRotationRules, secretsmanager:RotateImmediately

StopReplicationToReplica
  Description: Grants permission to remove the secret from replication and promote the secret to a regional secret in the replica Region
  Access level: Write
  Resource types: Secret*
  Condition keys: secretsmanager:SecretId, secretsmanager:resource/AllowRotationLambdaArn, secretsmanager:ResourceTag/tag-key, aws:ResourceTag/${TagKey}, secretsmanager:SecretPrimaryRegion

TagResource
  Description: Grants permission to add tags to a secret
  Access level: Tagging
  Resource types: Secret*
  Condition keys: secretsmanager:SecretId, aws:RequestTag/${TagKey}, aws:TagKeys, secretsmanager:resource/AllowRotationLambdaArn, secretsmanager:ResourceTag/tag-key, aws:ResourceTag/${TagKey}, secretsmanager:SecretPrimaryRegion

UntagResource
  Description: Grants permission to remove tags from a secret
  Access level: Tagging
  Resource types: Secret*
  Condition keys: secretsmanager:SecretId, aws:TagKeys, secretsmanager:resource/AllowRotationLambdaArn, secretsmanager:ResourceTag/tag-key, aws:ResourceTag/${TagKey}, secretsmanager:SecretPrimaryRegion

UpdateSecret
  Description: Grants permission to update a secret with new metadata or with a new version of the encrypted data
  Access level: Write
  Resource types: Secret*
  Condition keys: secretsmanager:SecretId, secretsmanager:Description, secretsmanager:KmsKeyId, secretsmanager:resource/AllowRotationLambdaArn, secretsmanager:ResourceTag/tag-key, aws:ResourceTag/${TagKey}, secretsmanager:SecretPrimaryRegion

UpdateSecretVersionStage
  Description: Grants permission to move a stage from one secret to another
  Access level: Write
  Resource types: Secret*
  Condition keys: secretsmanager:SecretId, secretsmanager:VersionStage, secretsmanager:resource/AllowRotationLambdaArn, secretsmanager:ResourceTag/tag-key, aws:ResourceTag/${TagKey}, secretsmanager:SecretPrimaryRegion

ValidateResourcePolicy
  Description: Grants permission to validate a resource policy before attaching policy
  Access level: Permissions management
  Resource types: Secret*
  Condition keys: secretsmanager:SecretId, secretsmanager:resource/AllowRotationLambdaArn, secretsmanager:ResourceTag/tag-key, aws:ResourceTag/${TagKey}, secretsmanager:SecretPrimaryRegion

Secrets Manager resources

Resource type: Secret
  ARN: arn:${Partition}:secretsmanager:${Region}:${Account}:secret:${SecretId}
  Condition keys: aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, aws:TagKeys, secretsmanager:ResourceTag/tag-key, secretsmanager:resource/AllowRotationLambdaArn

Secrets Manager constructs the last part of the secret ARN by appending a dash and six random alphanumeric characters at the end of the secret name. If you delete a secret and then recreate another with the same name, this formatting helps ensure that individuals with permissions to the original secret don't automatically get access to the new secret because Secrets Manager generates six new random characters.

You can find the ARN for a secret in the Secrets Manager console on the secret details page or by calling DescribeSecret.

Condition keys

If you include string conditions from the following table in your permissions policy, callers to Secrets Manager must pass the matching parameter or they are denied access. To avoid denying callers for a missing parameter, add IfExists to the end of the condition operator name, for example StringLikeIfExists. For more information, see IAM JSON policy elements: Condition operators.

Each entry lists the condition key, its type in brackets, and what it filters on.

aws:RequestTag/${TagKey} [String]
  Filters access by a key that is present in the request the user makes to the Secrets Manager service

aws:ResourceTag/${TagKey} [String]
  Filters access by the tags associated with the resource

aws:TagKeys [ArrayOfString]
  Filters access by the list of all the tag key names present in the request the user makes to the Secrets Manager service

secretsmanager:AddReplicaRegions [ArrayOfString]
  Filters access by the list of Regions in which to replicate the secret

secretsmanager:BlockPublicPolicy [Bool]
  Filters access by whether the resource policy blocks broad AWS account access

secretsmanager:Description [String]
  Filters access by the description text in the request

secretsmanager:ForceDeleteWithoutRecovery [Bool]
  Filters access by whether the secret is to be deleted immediately without any recovery window

secretsmanager:ForceOverwriteReplicaSecret [Bool]
  Filters access by whether to overwrite a secret with the same name in the destination Region

secretsmanager:KmsKeyId [String]
  Filters access by the ARN of the KMS key in the request

secretsmanager:ModifyRotationRules [Bool]
  Filters access by whether the rotation rules of the secret are to be modified

secretsmanager:Name [String]
  Filters access by the friendly name of the secret in the request

secretsmanager:RecoveryWindowInDays [Numeric]
  Filters access by the number of days that Secrets Manager waits before it can delete the secret

secretsmanager:ResourceTag/tag-key [String]
  Filters access by a tag key and value pair

secretsmanager:RotateImmediately [Bool]
  Filters access by whether the secret is to be rotated immediately

secretsmanager:RotationLambdaARN [ARN]
  Filters access by the ARN of the rotation Lambda function in the request

secretsmanager:SecretId [ARN]
  Filters access by the SecretID value in the request

secretsmanager:SecretPrimaryRegion [String]
  Filters access by the primary Region in which the secret is created

secretsmanager:VersionId [String]
  Filters access by the unique identifier of the version of the secret in the request

secretsmanager:VersionStage [String]
  Filters access by the list of version stages in the request

secretsmanager:resource/AllowRotationLambdaArn [ARN]
  Filters access by the ARN of the rotation Lambda function associated with the secret

Block broad access to secrets with BlockPublicPolicy condition

In identity policies that allow the action PutResourcePolicy, we recommend you use BlockPublicPolicy: true. This condition means that users can only attach a resource policy to a secret if the policy doesn't allow broad access.

Secrets Manager uses Zelkova automated reasoning to analyze resource policies for broad access. For more information about Zelkova, see How AWS uses automated reasoning to help you achieve security at scale on the AWS Security Blog.

The following example shows how to use BlockPublicPolicy.

    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Action": "secretsmanager:PutResourcePolicy",
        "Resource": "SecretId",
        "Condition": {
          "Bool": {
            "secretsmanager:BlockPublicPolicy": "true"
          }
        }
      }
    }

IP address conditions

Use caution when you specify the IP address condition operators or the aws:SourceIp condition key in a policy statement that allows or denies access to Secrets Manager. For example, if you attach to a secret a policy that restricts actions to requests from your corporate network IP address range, then requests you make as an IAM user from the corporate network work as expected. However, if you enable other services to access the secret on your behalf, such as when you enable rotation with a Lambda function, that function calls the Secrets Manager operations from an AWS-internal address space. Those requests are caught by the IP address filter and fail.

Also, the aws:SourceIp condition key is less effective when the request comes from an Amazon VPC endpoint. To restrict requests to a specific VPC endpoint, use VPC endpoint conditions.
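The following evaluator is an added example, not AWS code: it models only the handful of IAM behaviours this page describes (the random "-xxxxxx" ARN suffix from the resources section, the IfExists rule from the condition keys section, the BlockPublicPolicy identity policy, and the IP address caveat above) so that each can be checked against constructed requests. All ARNs, account IDs, the KMS key pattern, the 203.0.113.0/24 and 198.51.100.0/24 ranges and the statement names are constructed; the "-??????" Resource wildcard is ordinary IAM pattern syntax, not something this page states.

```python
import fnmatch
import ipaddress

# Constructed sample ARNs; the "-" + six random alphanumerics suffixes are made up.
OLD_SECRET = "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-AbCdEf"
NEW_SECRET = "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-XyZ123"
GET, CREATE = "secretsmanager:GetSecretValue", "secretsmanager:CreateSecret"

def condition_holds(operator, expected, actual):
    """Evaluate one operator against one request value. `actual` is None when the
    request lacks the key: plain operators then fail, ...IfExists forms succeed."""
    if actual is None:
        return operator.endswith("IfExists")
    base = operator.removesuffix("IfExists")
    expected = expected if isinstance(expected, list) else [expected]
    if base == "StringLike":
        return any(fnmatch.fnmatchcase(actual, e) for e in expected)
    if base == "Bool":
        return str(actual).lower() == str(expected[0]).lower()
    if base == "IpAddress":
        return any(ipaddress.ip_address(actual) in ipaddress.ip_network(e) for e in expected)
    raise ValueError(f"unsupported operator {operator}")

def is_allowed(statement, action, resource, context):
    """Evaluate a single Allow statement (simplified: no Deny, one Resource)."""
    if action not in statement["Action"]:
        return False
    if not fnmatch.fnmatchcase(resource, statement["Resource"]):  # IAM * and ? wildcards
        return False
    return all(condition_holds(op, expected, context.get(key))
               for op, pairs in statement.get("Condition", {}).items()
               for key, expected in pairs.items())

# A grant pinned to the old secret's full ARN stops matching after delete + recreate;
# a "-??????" wildcard for the random suffix survives it.
PINNED = {"Action": [GET], "Resource": OLD_SECRET}
WILDCARD = {"Action": [GET], "Resource": OLD_SECRET.rsplit("-", 1)[0] + "-??????"}
# Require a customer KMS key on CreateSecret. KmsKeyId is optional in the request, so
# plain StringLike denies callers that omit it; StringLikeIfExists lets them through.
KMS_ONLY = {"Action": [CREATE], "Resource": "arn:aws:secretsmanager:*:*:secret:*",
            "Condition": {"StringLike": {"secretsmanager:KmsKeyId": "arn:aws:kms:*:123456789012:key/*"}}}
KMS_IF_EXISTS = {**KMS_ONLY, "Condition": {"StringLikeIfExists": KMS_ONLY["Condition"]["StringLike"]}}
# The page's BlockPublicPolicy identity policy: PutResourcePolicy only with the flag set.
NO_PUBLIC = {"Action": ["secretsmanager:PutResourcePolicy"], "Resource": OLD_SECRET,
             "Condition": {"Bool": {"secretsmanager:BlockPublicPolicy": "true"}}}
# Corporate-range restriction; the rotation Lambda stand-in address (documentation range) is outside it.
CORP_ONLY = {"Action": [GET], "Resource": "arn:aws:secretsmanager:*:*:secret:prod/*",
             "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}
OFFICE_USER, ROTATION_LAMBDA = {"aws:SourceIp": "203.0.113.7"}, {"aws:SourceIp": "198.51.100.20"}
```

Note that KMS_IF_EXISTS shows the trade-off the IfExists rule implies: it stops denying callers for a missing parameter, but it also stops enforcing the requirement for callers that simply omit the parameter.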

VPC endpoint conditions

To allow or deny access to requests from a particular VPC or VPC endpoint, use one of the following condition keys. See Example: Permissions and VPCs.

  • aws:SourceVpc limits access to requests from the specified VPC.

  • aws:SourceVpce limits access to requests from the specified VPC endpoint.

If you use these condition keys in a resource policy statement that allows or denies access to Secrets Manager secrets, you can inadvertently deny access to services that use Secrets Manager to access secrets on your behalf. Only some AWS services can run with an endpoint within your VPC. If you restrict requests for a secret to a VPC or VPC endpoint, then calls to Secrets Manager from a service that doesn't support that endpoint can fail.

See Using an AWS Secrets Manager VPC endpoint.