put-resource-policy¶

Description¶

Attaches the contents of the specified resource-based permission policy to a secret. A resource-based policy is optional. Alternatively, you can use IAM identity-based policies that specify the secret’s Amazon Resource Name (ARN) in the policy statement’s Resources element. You can also use a combination of both identity-based and resource-based policies. The affected users and roles receive the permissions that are permitted by all of the relevant policies. For more information, see Using Resource-Based Policies for Amazon Web Services Secrets Manager . For the complete description of the Amazon Web Services policy syntax and grammar, see IAM JSON Policy Reference in the IAM User Guide .

Minimum permissions

To run this command, you must have the following permissions:

secretsmanager:PutResourcePolicy

Related operations

To retrieve the resource policy attached to a secret, use GetResourcePolicy .
To delete the resource-based policy attached to a secret, use DeleteResourcePolicy .
To list all of the currently available secrets, use ListSecrets .

Synopsis¶

  put-resource-policy
--secret-id <value>
--resource-policy <value>
[--block-public-policy | --no-block-public-policy]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]

Options¶

--secret-id (string)

Specifies the secret that you want to attach the resource-based policy. You can specify either the ARN or the friendly name of the secret.

For an ARN, we recommend that you specify a complete ARN rather than a partial ARN.

--resource-policy (string)

A JSON-formatted string constructed according to the grammar and syntax for an Amazon Web Services resource-based policy. The policy in the string identifies who can access or manage this secret and its versions. For information on how to format a JSON parameter for the various command line tool environments, see Using JSON for Parameters in the CLI User Guide .

--block-public-policy | --no-block-public-policy (boolean)

(Optional) If you set the parameter, BlockPublicPolicy to true, then you block resource-based policies that allow broad access to the secret.

--cli-input-json | --cli-input-yaml (string) Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml.

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. Similarly, if provided yaml-input it will print a sample input YAML that can be used with --cli-input-yaml. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.

See ‘aws help’ for descriptions of global parameters.

Examples¶

To add a resource-based policy to a secret

The following example shows how to add a resource-based policy to a secret. The policy is read from a file on disk and must contain a valid JSON policy document. For more information, see Resource-based Policies in the Secrets Manager User Guide. .. Resource-based Policies: http://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_overview.html#auth-and-access_resource-policies:

aws secretsmanager put-resource-policy --secret-id MyTestDatabaseMasterSecret \
    --resource-policy file://mysecretpolicy.json

The output shows the following:

{
    "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MyTestDatabaseSecret-a1b2c3",
    "Name": "MyTestDatabaseSecret"
}

Output¶

ARN -> (string)

The ARN of the secret retrieved by the resource-based policy.

Name -> (string)

The friendly name of the secret retrieved by the resource-based policy.

Table of Contents

Feedback

User Guide