I want to use AWS Identity and Access Management (IAM) identity-based policies to control access to AWS Secrets Manager secrets.
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
In the following identity-based policies or AWS CLI commands, replace these values with your values where necessary:
- YOUR-REGION with your AWS Region
- YOUR-ACCOUNT-ID with your AWS account ID
- YOUR-SECRET_NAME with your Secrets Manager secret's name
- your-secrets-policy.json with your Secrets Manager JSON file
- YOUR-IAM-USER-NAME with your IAM user name
- YOUR_IAM_ROLE_NAME with your IAM role name
- YOUR-TAG-VALUE with your tag value
Use the IAM console
Use the JSON editor to create an IAM policy. The following are examples of IAM policies that you can create to grant or restrict access to a secret.
Grant access to create a secret:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:CreateSecret"
],
"Resource": "arn:aws:secretsmanager:YOUR-REGION:YOUR-ACCOUNT-ID:secret:YOUR-SECRET-NAME*"
},
{
"Effect": "Allow",
"Action": [
"secretsmanager:ListSecrets"
],
"Resource": [
"*"
]
}
]
}
Grant access to and modify an existing secret:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret",
"secretsmanager:RestoreSecret",
"secretsmanager:PutSecretValue",
"secretsmanager:UpdateSecretVersionStage",
"secretsmanager:DeleteSecret",
"secretsmanager:RotateSecret",
"secretsmanager:CancelRotateSecret",
"secretsmanager:UpdateSecret"
],
"Resource": "arn:aws:secretsmanager:YOUR-REGION:YOUR-ACCOUNT-ID:secret:YOUR-SECRET-NAME*"
},
{
"Effect": "Allow",
"Action": [
"secretsmanager:ListSecrets"
],
"Resource": [
"*"
]
}
]
For secrets that are encrypted with an AWS Key Management Service (AWS KMS) managed key, grant access to read the secret:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "secretsmanager:GetSecretValue",
"Resource": "arn:aws:secretsmanager:YOUR-REGION:YOUR-ACCOUNT-ID:secret:YOUR-SECRET-NAME*"
},
{
"Effect": "Allow",
"Action": "kms:Decrypt",
"Resource": "arn:aws:kms:YOUR-REGION:YOUR-ACCOUNT-ID:key/key_id"
}
]
}
Use tags to control access to secrets:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "secretsmanager:DescribeSecret",
"Resource": "*",
"Condition": {
"StringEquals": {
"secretsmanager:ResourceTag/tag-key": "YOUR-TAG-VALUE"
}
}
}
]
}
Explicitly deny the GetSecretValue and DescribeSecret actions:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret"
],
"Resource": "arn:aws:secretsmanager:YOUR-REGION:YOUR-ACCOUNT-ID:secret:YOUR-SECRET-NAME*"
}
]
}
Attach any of the preceding policies as a managed policy or inline policy.
Use the AWS CLI
Save any of the preceding IAM policies as your-secrets-policy.json.
Run the create-policy command to create the policy:
aws iam create-policy —policy-name CreateSecret —policy document fileb://create_secret.json
Run the attach-user-policy command to attach the policy to an IAM user:
aws iam attach-user-policy —policy-arn arn:aws:iam::YOUR-ACCOUNT-ID:policy/CreateSecret —user-name YOUR-IAM-USER-NAME
-or-
Run the attach-role-policy command to attach the policy to an IAM role:
aws iam attach-role-policy —policy-arn arn:aws:iam::YOUR-ACCOUNT-ID:policy/CreateSecret —role-name YOUR-IAM-ROLE-NAME
Related information
How do I apply a resource-based policy on an AWS Secrets Manager secret?