[ aws . secretsmanager ]

validate-resource-policy

Description

Validates that a resource policy does not grant a wide range of principals access to your secret. A resource-based policy is optional for secrets.

The API performs three checks when validating the policy:

  • Sends a call to Zelkova, an automated reasoning engine, to ensure your resource policy does not allow broad access to your secret, for example, policies that use a wildcard for the principal.

  • Checks for correct syntax in a policy.

  • Verifies the policy does not lock out a caller.

Required permissions: secretsmanager:ValidateResourcePolicy. For more information, see IAM policy actions for Secrets Manager and Authentication and access control in Secrets Manager.

See also: AWS API Documentation

See ‘aws help’ for descriptions of global parameters.

Synopsis

  validate-resource-policy
  [--secret-id <value>]
  --resource-policy <value>
  [--cli-input-json | --cli-input-yaml]
  [--generate-cli-skeleton <value>]

Options

--secret-id (string)

This field is reserved for internal use.

--resource-policy (string)

A JSON-formatted string that contains an Amazon Web Services resource-based policy. The policy in the string identifies who can access or manage this secret and its versions. For example policies, see Permissions policy examples.

--cli-input-json | --cli-input-yaml (string) Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml.

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. Similarly, if provided yaml-input it will print a sample input YAML that can be used with --cli-input-yaml. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.

Examples

To validate a resource policy

The following validate-resource-policy example checks that a resource policy doesn’t grant broad access to a secret. The policy is read from a file on disk. For more information, see Loading AWS CLI parameters from a file in the AWS CLI User Guide.

aws secretsmanager validate-resource-policy \
    --resource-policy file://mypolicy.json

Contents of mypolicy.json:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:role/MyRole"
            },
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "*"
        }
    ]
}

Output:

{
    "PolicyValidationPassed": true,
    "ValidationErrors": []
}

For more information, see Permissions reference for Secrets Manager in the Secrets Manager User Guide.
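An added example, not part of the AWS CLI reference: a small Python gate that wraps the command shown above, applies a local pre-check for the wildcard-principal case named in the Description, and turns the command's output document (PolicyValidationPassed plus ValidationErrors entries with CheckName and ErrorMessage) into a pass/fail decision. The sample policy and response it uses are constructed; the real API remains the authority, since only it performs the Zelkova and lockout checks.

```python
"""Gate a Secrets Manager resource policy on validate-resource-policy (added example)."""
import json
import subprocess


def broad_principals(policy):
    """Return indexes of Allow statements whose Principal is a wildcard and that
    carry no Condition. Mirrors the 'wildcard for the principal' case the API's
    Zelkova check rejects; conditioned statements are left for the API to judge."""
    hits = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            hits.append(i)
        elif isinstance(principal, dict):
            aws = principal.get("AWS", [])
            if aws == "*" or (isinstance(aws, list) and "*" in aws):
                hits.append(i)
    return hits


def validation_result(response):
    """Turn the command's JSON output into (passed, ["CheckName: ErrorMessage", ...])."""
    messages = [f"{e.get('CheckName')}: {e.get('ErrorMessage')}"
                for e in response.get("ValidationErrors", [])]
    return bool(response.get("PolicyValidationPassed")), messages


def validate_with_cli(policy_path):
    """Run the command from this page and parse its output (needs AWS credentials)."""
    out = subprocess.run(
        ["aws", "secretsmanager", "validate-resource-policy",
         "--resource-policy", f"file://{policy_path}", "--output", "json"],
        check=True, capture_output=True, text=True).stdout
    return validation_result(json.loads(out))


if __name__ == "__main__":
    # Constructed policy: same shape as mypolicy.json above, but with a wildcard principal.
    wide_open = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": "*",
        "Action": "secretsmanager:GetSecretValue", "Resource": "*"}]}
    print("statements with a wildcard principal:", broad_principals(wide_open))
```

In a deployment pipeline, call validate_with_cli on the policy file and refuse to run put-resource-policy when it returns passed=False, logging the CheckName/ErrorMessage pairs.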

Output

PolicyValidationPassed -> (boolean)

True if your policy passes validation, otherwise false.

ValidationErrors -> (list)

Validation errors if your policy didn’t pass validation.

(structure)

Displays errors that occurred during validation of the resource policy.

CheckName -> (string)

The name of the validation check that the policy failed.

ErrorMessage -> (string)

The error message describing the problem that check found in the resource policy.