How do I apply a resource-based policy on an AWS Secrets Manager secret?

Last updated: 2021-02-26

How can I control access to AWS Secrets Manager secrets using resource-based policies?

Short description

With resource-based policies, you can specify user access to a secret and what actions an AWS Identity and Access Management (IAM) user can perform.

Note: A secret is defined as a resource with Secrets Manager.

Common use cases for Secrets Manager resource-based policies are:

In this example resource-based policy, the IAM Effect element specifies whether the statement results in an allow or an explicit deny. The IAM Action element defines the actions that may be performed on the secret. The IAM Resource element is the secret that the policy is attached to (in a resource-based policy, "*" means that secret). The IAM Principal element specifies the user who is allowed or denied those actions on the secret.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "secretsmanager:*",
      "Principal": {"AWS": "arn:aws:iam::123456789999:user/Mary"},
      "Resource": "*"
    }
  ]
}

Resolution

Follow these instructions to apply a resource-based policy in Secrets Manager:

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

1.    Follow the instructions for creating a secret. Note the Secret ARN.

2.    Copy and paste this policy into your favorite text editor, and then save it as a JSON file such as my_explicit_deny_policy.json.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "secretsmanager:GetSecretValue",
      "Principal": {"AWS": "arn:aws:iam::123456789999:user/Mary"},
      "Resource": "*"
    }
  ]
}

3.    Use the AWS CLI command put-resource-policy to attach a resource policy to the secret that explicitly denies IAM user Mary from retrieving the secret value. The file name after file:// must have no space and must match the file saved in step 2:

aws secretsmanager put-resource-policy --secret-id My_Resource_Secret --resource-policy file://my_explicit_deny_policy.json

4.    You receive an output similar to the following:

{
  "ARN": "arn:aws:secretsmanager:<your region>:123456789999:secret:My_Resource_Secret",
  "Name": "My_Resource_Secret"
}

Note: The AWS Key Management Service (AWS KMS) decrypt permission is required only if you use custom customer master keys (CMKs) to encrypt your secret. A secret can't be retrieved by an IAM principal in a third-party account if the secret is encrypted by the default AWS KMS key.
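The following is an added example, not code from the AWS article: it builds the same explicit-deny document the steps above describe (Effect, Action, Principal, Resource), runs a few local sanity checks on it, applies it with the boto3 equivalent of put-resource-policy, and reads the attached policy back for verification. The secret name, account ID and user name are the constructed placeholders used on this page; the check_policy function and the fake-client approach used for offline testing are assumptions of this example, not part of the Secrets Manager API.

```python
import json

# Constructed placeholders, matching the article's examples.
SECRET_ID = "My_Resource_Secret"
DENIED_PRINCIPAL = "arn:aws:iam::123456789999:user/Mary"


def build_explicit_deny_policy(principal_arn, actions=("secretsmanager:GetSecretValue",)):
    """Return the policy document as a dict.

    Effect/Action/Principal/Resource are the elements the article explains;
    Resource "*" in a resource-based policy means the secret it is attached to.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": list(actions),
                "Principal": {"AWS": principal_arn},
                "Resource": "*",
            }
        ],
    }


def check_policy(policy):
    """Local sanity checks (hypothetical helper, not an AWS validator).

    Every statement must carry the four elements, Effect must be Allow or
    Deny, and a wildcard Principal (which would make the secret public) is
    refused before anything is sent to the service.
    """
    problems = []
    if policy.get("Version") != "2012-10-17":
        problems.append("Version must be 2012-10-17")
    for i, stmt in enumerate(policy.get("Statement", [])):
        for key in ("Effect", "Action", "Principal", "Resource"):
            if key not in stmt:
                problems.append(f"statement {i}: missing {key}")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            problems.append(f"statement {i}: wildcard Principal would make the secret public")
    return problems


def apply_resource_policy(client, secret_id, policy):
    """Attach the policy with put_resource_policy (the call behind the CLI step).

    `client` is a boto3 secretsmanager client. BlockPublicPolicy=True asks the
    service itself to reject a policy that grants public access. Returns the
    (ARN, Name) pair shown in step 4 of the article.
    """
    problems = check_policy(policy)
    if problems:
        raise ValueError("; ".join(problems))
    resp = client.put_resource_policy(
        SecretId=secret_id,
        ResourcePolicy=json.dumps(policy),
        BlockPublicPolicy=True,
    )
    return resp["ARN"], resp["Name"]


def read_back(client, secret_id):
    """Fetch the policy now attached to the secret and parse it."""
    resp = client.get_resource_policy(SecretId=secret_id)
    return json.loads(resp["ResourcePolicy"])


if __name__ == "__main__":
    import boto3  # only needed for a real run against AWS

    # Note: this policy governs the secret only. If the secret is encrypted with a
    # customer managed CMK, a principal in another account also needs kms:Decrypt
    # on that key, which is granted on the key policy, not here.
    sm = boto3.client("secretsmanager")
    doc = build_explicit_deny_policy(DENIED_PRINCIPAL)
    print(apply_resource_policy(sm, SECRET_ID, doc))
    print(json.dumps(read_back(sm, SECRET_ID), indent=2))
```

Running the script against a real account requires credentials with secretsmanager:PutResourcePolicy and secretsmanager:GetResourcePolicy on the secret; reading the policy back after applying it is the quickest way to confirm the explicit deny landed on the intended secret and principal.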

For more information, see Using resource-based policies for Secrets Manager.
