[ aws . secretsmanager ]
Attaches the contents of the specified resource-based permission policy to a secret. A resource-based policy is optional. Alternatively, you can use IAM identity-based policies that specify the secret’s Amazon Resource Name (ARN) in the policy statement’s Resources
element. You can also use a combination of both identity-based and resource-based policies. The affected users and roles receive the permissions that are permitted by all of the relevant policies. For more information, see Using Resource-Based Policies for Amazon Web Services Secrets Manager . For the complete description of the Amazon Web Services policy syntax and grammar, see IAM JSON Policy Reference in the IAM User Guide .
Minimum permissions
To run this command, you must have the following permissions:
secretsmanager:PutResourcePolicy
Related operations
To retrieve the resource policy attached to a secret, use GetResourcePolicy .
To delete the resource-based policy attached to a secret, use DeleteResourcePolicy .
To list all of the currently available secrets, use ListSecrets .
See also: AWS API Documentation
See ‘aws help’ for descriptions of global parameters.
put-resource-policy
--secret-id <value>
--resource-policy <value>
[--block-public-policy | --no-block-public-policy]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
--secret-id
(string)
Specifies the secret that you want to attach the resource-based policy. You can specify either the ARN or the friendly name of the secret.
For an ARN, we recommend that you specify a complete ARN rather than a partial ARN.
--resource-policy
(string)
A JSON-formatted string constructed according to the grammar and syntax for an Amazon Web Services resource-based policy. The policy in the string identifies who can access or manage this secret and its versions. For information on how to format a JSON parameter for the various command line tool environments, see Using JSON for Parameters in the CLI User Guide .
--block-public-policy
| --no-block-public-policy
(boolean)
(Optional) If you set the parameter,
BlockPublicPolicy
to true, then you block resource-based policies that allow broad access to the secret.
--cli-input-json
| --cli-input-yaml
(string)
Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton
. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml
.
--generate-cli-skeleton
(string)
Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input
, prints a sample input JSON that can be used as an argument for --cli-input-json
. Similarly, if provided yaml-input
it will print a sample input YAML that can be used with --cli-input-yaml
. If provided with the value output
, it validates the command inputs and returns a sample output JSON for that command.
See ‘aws help’ for descriptions of global parameters.
To add a resource-based policy to a secret
The following example shows how to add a resource-based policy to a secret. The policy is read from a file on disk and must contain a valid JSON policy document. For more information, see Resource-based Policies in the Secrets Manager User Guide. .. Resource-based Policies: http://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_overview.html#auth-and-access_resource-policies:
aws secretsmanager put-resource-policy --secret-id MyTestDatabaseMasterSecret \
--resource-policy file://mysecretpolicy.json
The output shows the following:
{
"ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MyTestDatabaseSecret-a1b2c3",
"Name": "MyTestDatabaseSecret"
}
ARN -> (string)
The ARN of the secret retrieved by the resource-based policy.
Name -> (string)
The friendly name of the secret retrieved by the resource-based policy.