Using single Secret Manager for multiple schema creds with password rotation

0

Hi all, Disclaimer: New to AWS DevOps :) So I've a situation where we need to store all database schemas (Oracle database) in Secrets Manager, to meet security compliance guidelines.

  • To limit my costs, I was thinking to put all application schema credentials, belonging to a single RDS instance, under 1 Secrets Manager resource.
  • So there will be a one-to-many relation between the secrets-mgr resource & database schema creds, respectively.
  • However, I also want to ensure **each application has access to only their own schema creds, and not other schema creds in that particular secrets-mgr resource**.

Question: Can I provide **access to a specific secret-key:secret-value, inside a secret, to app users**? Is this possible? Going through the docs, I don't see that being possible.

Hope my question is clear, thanks in advance, J K

JK
Asked 2 years ago, 530 views
1 answer
0

Hi,

I understand that you have one Secret that holds multiple different values and you would like to know if it is possible to control access to only allow users to retrieve specific key/value pairs.

Unfortunately this would not be possible, as you can only restrict the action "GetSecretValue" to a specific secret and not to a key/value pair. I am attaching the following documentation that goes over this here (1). In order to restrict access to specific secret values you would need to store them in separate secrets. You can then use IAM permissions as well as resource-based policies to restrict access; I am linking the documentation for that here (2).

I hope you have a great rest of your day!

References

(1) https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html

(2) https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html

AWS
Support Engineer
Answered 2 years ago
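To illustrate the per-secret approach the answer recommends, here is an added example (not part of the original answer) of an identity-based IAM policy for one application's role. It assumes one secret per schema, named like `prod/orcl/app1`, and uses placeholder `<region>` and `<account-id>` values; the trailing `-*` matches the random suffix Secrets Manager appends to secret ARNs.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlyOwnSchemaSecret",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret"
      ],
      "Resource": "arn:aws:secretsmanager:<region>:<account-id>:secret:prod/orcl/app1-*"
    }
  ]
}
```

Because IAM denies by default, a role carrying only this policy cannot read `prod/orcl/app2` or any other secret in the account; attach an equivalent policy, scoped to its own secret ARN, to each application's role.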
