AWS Secrets Manager
User Guide

Actions, Resources, and Context Keys You Can Use in an IAM Policy for AWS Secrets Manager

Actions That You Can Reference in an IAM Policy

The following table shows the permissions that you can specify in an IAM permissions policy to control access to your secrets. Each permission in an "Action" element can be paired with a "Resource" element that specifies what the action can operate on.

You can restrict use of some actions to only those secrets with ARNs that match the Resource element in the policy. See the section Resources That You Can Reference in an IAM Policy later in this topic.


| Permissions for "Action" element | API operation enabled by permission | Resource ARNs that can be used as "Resource" with this action | Context keys that can be used with this action |
| --- | --- | --- | --- |
| secretsmanager:CancelRotateSecret | CancelRotateSecret | Secret | SecretId |
| secretsmanager:CreateSecret | CreateSecret | | Name, Description, KmsKeyId |
| secretsmanager:DeleteSecret | DeleteSecret | Secret | SecretId, VersionId |
| secretsmanager:DescribeSecret | DescribeSecret | Secret | SecretId |
| secretsmanager:GetRandomPassword | GetRandomPassword | | |
| secretsmanager:GetSecretValue | GetSecretValue | Secret | SecretId, VersionId, VersionStage |
| secretsmanager:ListSecrets | ListSecrets | | |
| secretsmanager:ListSecretVersionIds | ListSecretVersionIds | Secret | SecretId |
| secretsmanager:PutSecretValue | PutSecretValue | Secret | SecretId |
| secretsmanager:RestoreSecret | RestoreSecret | Secret | SecretId |
| secretsmanager:RotateSecret | RotateSecret | Secret | SecretId, RotationLambdaArn |
| secretsmanager:TagResource | TagResource | Secret | SecretId |
| secretsmanager:UntagResource | UntagResource | Secret | SecretId |
| secretsmanager:UpdateSecret | UpdateSecret | Secret | SecretId, Description, KmsKeyId |
| secretsmanager:UpdateSecretVersionStage | UpdateSecretVersionStage | Secret | SecretId, VersionStage |

Resources That You Can Reference in an IAM Policy

The following table shows the ARN formats that are supported in IAM policies for AWS Secrets Manager. You can view the IDs for each entity on the Secret details page for each secret in the Secrets Manager console.


| Resource Type | ARN Format |
| --- | --- |
| Secret | arn:aws:secretsmanager:<Region>:<AccountId>:secret/OptionalPath/SecretName-6RandomCharacters |

Secrets Manager constructs the last part of the ARN by appending a dash and six random alphanumeric characters to your secret's name. This helps ensure that if you delete a secret and then create another with the same name, principals with permissions on the original secret do not automatically get access to the new one, because the six random characters will differ.

Context Keys That You Can Reference in an IAM Policy

Context keys in AWS Secrets Manager generally correspond to the request parameters of an API call. This enables you to allow or block almost any request based on the value of a parameter.

Each context key can be compared using a condition operator to a value that you specify. The context keys that can be used depend on the action selected. See the "Context keys" column in the Actions section at the beginning of this topic.

For example, you could choose to allow someone to retrieve only the AWSCURRENT version of a secret value by using a Condition element similar to the following (VersionStage is a string array, so it is compared with a set operator):

"Effect": "Allow", "Condition": {"ForAnyValue:StringEqualsIgnoreCase" : {"VersionStage" : "AWSCURRENT"}}

The following table shows the context keys that you can specify in the Condition element of an IAM permissions policy to more granularly control access to an action.

| Context keys for "Condition" element | Description |
| --- | --- |
| SecretId | Filters the request based on the unique identifier for the secret provided in the SecretId parameter. The value can be either the friendly name or the ARN of the secret. Enables you to limit which secrets can be accessed by a request. |
| Description | Filters the request based on the Description parameter in the request. |
| KmsKeyId | Filters the request based on the KmsKeyId parameter of the request. Enables you to limit which keys can be used in a request. |
| Name | Filters the request based on the Name parameter value of the request. Enables you to restrict a secret's name to only those matching this value. |
| RotationLambdaArn | Filters the request based on the RotationLambdaArn parameter. Enables you to restrict which Lambda rotation functions can be used with a secret. Can be used with both CreateSecret and the operations that modify existing secrets. |
| VersionId | Filters the request based on the VersionId parameter of the request. Enables you to restrict which versions of a secret can be accessed. |
| VersionStage | Filters the request based on the staging labels identified in the VersionStage parameter of a request. Enables you to restrict access to only the secret versions that have a staging label matching one of the values in this string array parameter. You must use one of the set operators to compare strings with this value. |
| resource/AllowRotationLambda | Filters the request based on the ARN of the Lambda rotation function attached to the resource that the request is targeting. Enables you to restrict access to only those secrets that already have a rotation Lambda ARN that matches this value. |
| resourcetag/tagname | Filters the request based on a tag attached to the secret. Replace tagname with the actual tag name; you can then use condition operators to ensure the tag is present and that it has the requested value. |
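As an added example (not part of the AWS documentation), the following Python ties the Actions, Resources and Context Keys sections together: it transcribes the Actions table into a lookup, builds a constructed policy that uses the Secret ARN format with two context keys, and lints each statement for a context key that the action's request never carries, a mistake that makes an Allow statement silently grant nothing for that action. Keys are written in the service-prefixed form that policy documents use (`secretsmanager:VersionStage`); the account ID, path and tag value are placeholders.

```python
# Action -> context keys carried by that action's request, transcribed from the
# Actions table above (keys shown without the "secretsmanager:" prefix).
ACTION_KEYS = {
    "secretsmanager:CancelRotateSecret": {"SecretId"},
    "secretsmanager:CreateSecret": {"Name", "Description", "KmsKeyId"},
    "secretsmanager:DeleteSecret": {"SecretId", "VersionId"},
    "secretsmanager:DescribeSecret": {"SecretId"},
    "secretsmanager:GetRandomPassword": set(),
    "secretsmanager:GetSecretValue": {"SecretId", "VersionId", "VersionStage"},
    "secretsmanager:ListSecrets": set(),
    "secretsmanager:ListSecretVersionIds": {"SecretId"},
    "secretsmanager:PutSecretValue": {"SecretId"},
    "secretsmanager:RestoreSecret": {"SecretId"},
    "secretsmanager:RotateSecret": {"SecretId", "RotationLambdaArn"},
    "secretsmanager:TagResource": {"SecretId"},
    "secretsmanager:UntagResource": {"SecretId"},
    "secretsmanager:UpdateSecret": {"SecretId", "Description", "KmsKeyId"},
    "secretsmanager:UpdateSecretVersionStage": {"SecretId", "VersionStage"},
}
# Resource-derived keys (resourcetag/..., resource/AllowRotationLambda) come from
# the targeted secret, so they apply to every action whose Resource is "Secret".
SECRET_ACTIONS = {a for a, keys in ACTION_KEYS.items() if "SecretId" in keys}
# Constructed sample policy (placeholder account id, path and tag): read only the
# AWSCURRENT version of secrets under prod/app/ that are tagged team=payments.
# The trailing "*" matches the "-6RandomCharacters" suffix Secrets Manager appends.
POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
    "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret/prod/app/*",
    "Condition": {
        "ForAnyValue:StringEquals": {"secretsmanager:VersionStage": ["AWSCURRENT"]},
        "StringEquals": {"secretsmanager:ResourceTag/team": "payments"},
    },
}]}

def lint_conditions(policy):
    """Return (action, key) pairs where a statement conditions on a secretsmanager
    key that the action's request never carries; that condition can never match."""
    problems = []
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        cond = stmt.get("Condition", {})
        keys = {k.split(":", 1)[1] for op in cond.values() for k in op if k.startswith("secretsmanager:")}
        for action in actions:
            for key in sorted(keys):
                from_resource = key.lower().startswith("resourcetag/") or key == "resource/AllowRotationLambda"
                ok = action in SECRET_ACTIONS if from_resource else key in ACTION_KEYS.get(action, ())
                if not ok:  # e.g. VersionStage on DescribeSecret: the Allow grants nothing
                    problems.append((action, key))
    return problems
```

Running the lint on the sample policy reports `VersionStage` on `DescribeSecret`; the fix is to split the statement so the VersionStage condition applies only to GetSecretValue.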