Using single Secret Manager for mutliple schema creds with password rotation

Question

Hi all,
Disclaimer: New to AWS DevOps :)
So I've a situation where we need to store all database schemas (Oracle database) in secrets manager, to meet secutiry compliance guidelines.

- To limit my costs, I was thinking to put all application schema credentials, belonging to single RDS instance, under 1 secrets manager resource.
- So there will be one-to-many relation between secrets-mgr resource & database schema creds, respectively
-  however, I also want to ensure  ** each application has access to only their on schema creds, and not other schema creds in that particular secrets-mgr resource **

Question:
Can I provide ** access to specific secret-key:secret-value, inside a secret, to app users **. Is this possible ?
As going through docs, I dont see that being possible.

Hope my questions is clear
thanks in advance,
J K

Answer

Hi,

I understand that you have one Secret that holds multiple different values and you would like to know if it is possible to control access to only allow users to retrieve specific key/value pairs.

Unfortunately this would not be possible as you can only restrict the action “GetSecretsValue” to a specific secret and not a key/value pair. I am attaching the following documentation that goes over this here (1). In order to restrict access to specific secrets values you would need to store them in separate secrets. You can then use IAM permissions as well as resource based policies to restrict access, I am linking the documentation for that here (2)

I hope you have a great rest of your day!

References

(1)	https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html

(2)	https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html

Using single Secret Manager for mutliple schema creds with password rotation

Relevant content