AWS::SecretsManager::ResourcePolicy
Attaches a resource-based permission policy to a secret. A resource-based policy is optional. If a secret already has a resource policy attached, you must first remove it before attaching a new policy using this CloudFormation resource. You can remove the policy using the console, CLI, or API. For more information, see Authentication and access control for Secrets Manager.
Required permissions: secretsmanager:PutResourcePolicy, secretsmanager:GetResourcePolicy. For more information, see IAM policy actions for Secrets Manager and Authentication and access control in Secrets Manager.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON

{
  "Type" : "AWS::SecretsManager::ResourcePolicy",
  "Properties" : {
    "BlockPublicPolicy" : Boolean,
    "ResourcePolicy" : Json,
    "SecretId" : String
  }
}

YAML

Type: AWS::SecretsManager::ResourcePolicy
Properties:
  BlockPublicPolicy: Boolean
  ResourcePolicy: Json
  SecretId: String
Properties
BlockPublicPolicy
Specifies whether to block resource-based policies that allow broad access to the secret. By default, Secrets Manager blocks policies that allow broad access, for example those that use a wildcard for the principal.
Required: No
Type: Boolean
Update requires: No interruption

ResourcePolicy
A JSON-formatted string for an AWS resource-based policy. For example policies, see Permissions policy examples.
Required: Yes
Type: Json
Update requires: No interruption

SecretId
The ARN or name of the secret to attach the resource-based policy to.
For an ARN, we recommend that you specify a complete ARN rather than a partial ARN.
Required: Yes
Type: String
Minimum: 1
Maximum: 2048
Update requires: Replacement
Return values
Ref
When you pass the logical ID of an AWS::SecretsManager::ResourcePolicy resource to the intrinsic Ref function, the function returns the ARN of the configured secret, such as:

arn:aws:secretsmanager:us-west-2:123456789012:secret:my-path/my-secret-name-1a2b3c
This enables you to reference a secret you created in one part of the stack template from within the definition of another resource later, in the same template. You would typically use this with the AWS::SecretsManager::SecretTargetAttachment resource type.
For more information about using the Ref function, see Ref.
Fn::GetAtt
Examples
Attaching a resource-based policy to an RDS database instance secret
The following example shows how to attach a resource-based policy to a secret. The JSON request string input and response output are displayed with white space and line breaks for better readability. Submit your input as a single-line JSON string.
JSON

{
  "MySecret": {
    "Type": "AWS::SecretsManager::Secret",
    "Properties": {
      "Description": "This is a secret that I want to attach a resource-based policy to"
    }
  },
  "MySecretResourcePolicy": {
    "Type": "AWS::SecretsManager::ResourcePolicy",
    "Properties": {
      "BlockPublicPolicy": "True",
      "SecretId": { "Ref": "MySecret" },
      "ResourcePolicy": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Resource": "*",
            "Action": "secretsmanager:DeleteSecret",
            "Effect": "Deny",
            "Principal": {
              "AWS": { "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root" }
            }
          }
        ]
      }
    }
  }
}

YAML

---
MySecret:
  Type: AWS::SecretsManager::Secret
  Properties:
    Description: This is a secret that I want to attach a resource-based policy to
MySecretResourcePolicy:
  Type: AWS::SecretsManager::ResourcePolicy
  Properties:
    BlockPublicPolicy: True
    SecretId:
      Ref: MySecret
    ResourcePolicy:
      Version: '2012-10-17'
      Statement:
        - Resource: "*"
          Action: secretsmanager:DeleteSecret
          Effect: Deny
          Principal:
            AWS:
              Fn::Sub: arn:aws:iam::${AWS::AccountId}:root
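As an added example (not part of the AWS documentation), here is a small Python check that approximates, offline, what the BlockPublicPolicy property makes Secrets Manager reject: it is run against the page's Deny-DeleteSecret policy above and against a constructed wildcard-principal policy. The `broad_access_statements` function and its wildcard-principal/no-Condition rule are assumptions, a simplified stand-in for the service's own check.

```python
import json

# Added example: a local, conservative approximation of the broad-access check
# that BlockPublicPolicy makes Secrets Manager enforce server-side. It flags any
# Allow statement with a wildcard Principal and no Condition. The service's own
# check is more thorough; this is only for reviewing templates offline.

def _principals(principal):
    """Flatten a Principal element ("*", {"AWS": "..."} or {"AWS": [...]}) to a list."""
    if isinstance(principal, str):
        return [principal]
    if isinstance(principal, dict):
        flat = []
        for value in principal.values():
            flat.extend(value if isinstance(value, list) else [value])
        return flat
    return []

def broad_access_statements(policy):
    """Return the Sid (or index) of each Allow statement granting unconditional wildcard access."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be written without a list
        statements = [statements]
    flagged = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        if "*" not in _principals(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # assumption: a Condition narrows the grant enough to not be "broad"
        flagged.append(stmt.get("Sid", f"Statement[{idx}]"))
    return flagged

# The policy from the page's template example, with Fn::Sub already resolved
# to a placeholder account id (123456789012).
PAGE_DENY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Resource": "*", "Action": "secretsmanager:DeleteSecret", "Effect": "Deny",
    "Principal": {"AWS": "arn:aws:iam::123456789012:root"}}]}

# Constructed policy that the default BlockPublicPolicy behaviour would reject.
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowAnyone", "Effect": "Allow", "Principal": "*",
    "Action": "secretsmanager:GetSecretValue", "Resource": "*"}]})
```

A policy that comes back with an empty list passes this local check; the page's own example passes because its only statement is a Deny.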