[ aws . secretsmanager ]
Attaches a resource-based permission policy to a secret. A resource-based policy is optional. For more information, see Authentication and access control for Secrets Manager
For information about attaching a policy in the console, see Attach a permissions policy to a secret .
Required permissions:
secretsmanager:PutResourcePolicy
. For more information, see IAM policy actions for Secrets Manager and Authentication and access control in Secrets Manager .
See also: AWS API Documentation
See ‘aws help’ for descriptions of global parameters.
put-resource-policy
--secret-id <value>
--resource-policy <value>
[--block-public-policy | --no-block-public-policy]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
--secret-id
(string)
The ARN or name of the secret to attach the resource-based policy.
For an ARN, we recommend that you specify a complete ARN rather than a partial ARN. See Finding a secret from a partial ARN .
--resource-policy
(string)
A JSON-formatted string for an Amazon Web Services resource-based policy. For example policies, see Permissions policy examples .
--block-public-policy
| --no-block-public-policy
(boolean)
Specifies whether to block resource-based policies that allow broad access to the secret, for example those that use a wildcard for the principal.
--cli-input-json
| --cli-input-yaml
(string)
Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton
. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml
.
--generate-cli-skeleton
(string)
Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input
, prints a sample input JSON that can be used as an argument for --cli-input-json
. Similarly, if provided yaml-input
it will print a sample input YAML that can be used with --cli-input-yaml
. If provided with the value output
, it validates the command inputs and returns a sample output JSON for that command.
See ‘aws help’ for descriptions of global parameters.
To add a resource-based policy to a secret
The following put-resource-policy
example adds a permissions policy to a secret, checking first that the policy does not provide broad access to the secret. The policy is read from a file. For more information, see Loading AWS CLI parameters from a file in the AWS CLI User Guide.
aws secretsmanager put-resource-policy \
--secret-id MyTestSecret \
--resource-policy file://mypolicy.json \
--block-public-policy
Contents of mypolicy.json
:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:role/MyRole"
},
"Action": "secretsmanager:GetSecretValue",
"Resource": "*"
}
]
}
Output:
{
"ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MyTestSecret-a1b2c3",
"Name": "MyTestSecret"
}
For more information, see Attach a permissions policy to a secret in the Secrets Manager User Guide.