How can I control access to AWS Secrets Manager secrets using resource-based policies?

With resource-based policies, you can specify user access to a secret and what actions a user can perform.

Note: A secret is defined as a resource with Secrets Manager.

Common use cases for Secrets Manager resource-based policies are:

In this example resource-based policy, "Effect" specifies whether the statement results in an allow or an explicit deny. "Action" defines which actions can be performed on the secret. "Resource" is the secret that the policy is attached to. "Principal" specifies the user who is granted (or denied) access to perform those actions on the secret.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "secretsmanager:*",
            "Principal": {"AWS": "arn:aws:iam::123456789999:user/Mary"},
            "Resource": "*"
        }
    ]
}

Follow these instructions to apply a resource-based policy in Secrets Manager:

1.    Follow the instructions to create a basic secret. Take note of the Secret ARN.

2.    Copy and paste this policy into your favorite text editor, and then save it as a JSON file such as My_explicit_deny_Policy.json.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "secretsmanager:GetSecretValue",
            "Principal": {"AWS": "arn:aws:iam::123456789999:user/Mary"},
            "Resource": "*"
        }
    ]
}

3.    Use the AWS CLI command put-resource-policy to place a resource policy for the secret to explicitly deny user "Mary" from retrieving the secret value.

aws secretsmanager put-resource-policy --secret-id My_Resource_Secret --resource-policy file://My_explicit_deny_Policy.json

4.    The response should look similar to the following:

{
    "ARN": "arn:aws:secretsmanager:<your region>:123456789999:secret:My_Resource_Secret",
    "Name": "My_Resource_Secret"
}
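The two policy documents above rely on the IAM rule that an explicit Deny always wins over an Allow, which is why the second policy can revoke Mary's GetSecretValue access even if another statement grants secretsmanager:*. The following script is an added example (not AWS's own code or documentation) that builds policies of the shape shown in this article, checks them against a deliberately simplified model of that evaluation logic, flags statements that would open the secret to everyone, writes the JSON file used in step 2, and wraps the put-resource-policy call from step 3. The principal ARNs for Mary and Bob, the simplified evaluator, and the helper names are assumptions made for the example; only the account ID and file name come from the article.

```python
"""Build, sanity-check and (optionally) apply a Secrets Manager resource policy.

Added example: the evaluator is a deliberately simplified model of IAM logic
(resource policy only, no identity policies, SCPs or Condition keys).
"""
import fnmatch
import json
from typing import Dict, List

# Constructed sample principals (the account id is the one used in the article).
MARY = "arn:aws:iam::123456789999:user/Mary"
BOB = "arn:aws:iam::123456789999:user/Bob"


def build_policy(principal_arn: str, actions: List[str], effect: str) -> Dict:
    """Return a single-statement resource policy like the ones in the article.

    "Resource": "*" is safe here because a resource policy is attached to
    exactly one secret, so the wildcard can only ever mean that secret.
    """
    if effect not in ("Allow", "Deny"):
        raise ValueError("effect must be Allow or Deny")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": effect,
                "Action": actions if len(actions) > 1 else actions[0],
                "Principal": {"AWS": principal_arn},
                "Resource": "*",
            }
        ],
    }


def _as_list(value) -> List[str]:
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal) -> bool:
    # Both "Principal": "*" and "Principal": {"AWS": "*"} mean "anyone".
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _principal_matches(statement: Dict, principal_arn: str) -> bool:
    principal = statement.get("Principal", {})
    if _is_public_principal(principal):
        return True
    return isinstance(principal, dict) and principal_arn in _as_list(principal.get("AWS", []))


def _action_matches(statement: Dict, action: str) -> bool:
    # IAM action names are case-insensitive and support '*' and '?' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(statement.get("Action", [])))


def evaluate(policies: List[Dict], principal_arn: str, action: str) -> str:
    """Simplified decision: any matching explicit Deny wins, then any matching
    Allow, otherwise the request is implicitly denied."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_principal_matches(stmt, principal_arn) and _action_matches(stmt, action)):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def public_statements(policy: Dict) -> List[Dict]:
    """Return Allow statements that grant access to everyone with no Condition."""
    return [s for s in policy["Statement"]
            if s.get("Effect") == "Allow"
            and _is_public_principal(s.get("Principal"))
            and "Condition" not in s]


def write_policy_file(policy: Dict, path: str) -> None:
    """Write the document that step 3 passes as file://<path>."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(policy, fh, indent=4)


def apply_policy(secret_id: str, policy: Dict):
    """boto3 equivalent of 'aws secretsmanager put-resource-policy'; needs AWS credentials."""
    import boto3  # imported lazily so everything else in this module runs offline
    client = boto3.client("secretsmanager")
    return client.put_resource_policy(SecretId=secret_id,
                                      ResourcePolicy=json.dumps(policy),
                                      BlockPublicPolicy=True)


if __name__ == "__main__":
    allow_all = build_policy(MARY, ["secretsmanager:*"], "Allow")
    deny_read = build_policy(MARY, ["secretsmanager:GetSecretValue"], "Deny")
    write_policy_file(deny_read, "My_explicit_deny_Policy.json")
    print("Mary GetSecretValue:", evaluate([allow_all, deny_read], MARY, "secretsmanager:GetSecretValue"))
    print("Mary DescribeSecret:", evaluate([allow_all, deny_read], MARY, "secretsmanager:DescribeSecret"))
    print("Bob GetSecretValue: ", evaluate([allow_all, deny_read], BOB, "secretsmanager:GetSecretValue"))
```

Running the script shows Mary denied GetSecretValue but still allowed DescribeSecret, and Bob implicitly denied because no statement names him. The `public_statements` check is the review step worth adding before any `put-resource-policy` call: a wildcard principal without a Condition exposes the secret to any AWS account.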

Note: The kms:Decrypt permission is required only if you use a custom Customer Master Key (CMK) to encrypt your secret. A secret can't be retrieved by an AWS Identity and Access Management (IAM) principal in a third-party account if the secret is encrypted with the default AWS Key Management Service (AWS KMS) key.

For more information, see Using Resource-based Policies for Secrets Manager.


Published: 2018-12-18