Using single Secret Manager for mutliple schema creds with password rotation

0

Hi all, Disclaimer: New to AWS DevOps :) So I've a situation where we need to store all database schemas (Oracle database) in secrets manager, to meet secutiry compliance guidelines.

  • To limit my costs, I was thinking to put all application schema credentials, belonging to single RDS instance, under 1 secrets manager resource.
  • So there will be one-to-many relation between secrets-mgr resource & database schema creds, respectively
  • however, I also want to ensure ** each application has access to only their on schema creds, and not other schema creds in that particular secrets-mgr resource **

Question: Can I provide ** access to specific secret-key:secret-value, inside a secret, to app users **. Is this possible ? As going through docs, I dont see that being possible.

Hope my questions is clear thanks in advance, J K

JK
asked 2 years ago499 views
1 Answer
0

Hi,

I understand that you have one Secret that holds multiple different values and you would like to know if it is possible to control access to only allow users to retrieve specific key/value pairs.

Unfortunately this would not be possible as you can only restrict the action “GetSecretsValue” to a specific secret and not a key/value pair. I am attaching the following documentation that goes over this here (1). In order to restrict access to specific secrets values you would need to store them in separate secrets. You can then use IAM permissions as well as resource based policies to restrict access, I am linking the documentation for that here (2)

I hope you have a great rest of your day!

References

(1) https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html

(2) https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html

AWS
SUPPORT ENGINEER
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions