Using single Secret Manager for mutliple schema creds with password rotation

0

Hi all, Disclaimer: New to AWS DevOps :) So I've a situation where we need to store all database schemas (Oracle database) in secrets manager, to meet secutiry compliance guidelines.

  • To limit my costs, I was thinking to put all application schema credentials, belonging to single RDS instance, under 1 secrets manager resource.
  • So there will be one-to-many relation between secrets-mgr resource & database schema creds, respectively
  • however, I also want to ensure ** each application has access to only their on schema creds, and not other schema creds in that particular secrets-mgr resource **

Question: Can I provide ** access to specific secret-key:secret-value, inside a secret, to app users **. Is this possible ? As going through docs, I dont see that being possible.

Hope my questions is clear thanks in advance, J K

JK
질문됨 2년 전542회 조회
1개 답변
0

Hi,

I understand that you have one Secret that holds multiple different values and you would like to know if it is possible to control access to only allow users to retrieve specific key/value pairs.

Unfortunately this would not be possible as you can only restrict the action “GetSecretsValue” to a specific secret and not a key/value pair. I am attaching the following documentation that goes over this here (1). In order to restrict access to specific secrets values you would need to store them in separate secrets. You can then use IAM permissions as well as resource based policies to restrict access, I am linking the documentation for that here (2)

I hope you have a great rest of your day!

References

(1) https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html

(2) https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html

AWS
지원 엔지니어
답변함 2년 전

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠