Hi guys,
I want to restrict access to a secret on Secret Manager based on the secret tag.
For example, I have a lambda that need access to a secret, and on the lambda function I have an abstract role that grants access to all the secret, but on the secret itself, I want to write a resource based policy, that deny access to a lambda that does not have a specific tag, example: "prod".
This is the policy I wrote on the secret resource policy, that deny access to all resource, except if the resource have a tag "prod" or "dev" with tag key as "Environment":
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Deny",
"Action": "secretmanager:*",
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:RequestTag/Environment": [
"prod",
"dev"
]
},
"ForAllValues:StringEquals": {
"aws:TagKeys": "Environment"
}
}
}
}
But I receive the following error message: This resource policy contains a syntax error.