put-resource-policy¶

Description¶

Attaches a resource-based permission policy to a secret. A resource-based policy is optional. For more information, see Authentication and access control for Secrets Manager

For information about attaching a policy in the console, see Attach a permissions policy to a secret .

Required permissions: secretsmanager:PutResourcePolicy . For more information, see IAM policy actions for Secrets Manager and Authentication and access control in Secrets Manager .

Synopsis¶

  put-resource-policy
--secret-id <value>
--resource-policy <value>
[--block-public-policy | --no-block-public-policy]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]

Options¶

--secret-id (string)

The ARN or name of the secret to attach the resource-based policy.

For an ARN, we recommend that you specify a complete ARN rather than a partial ARN. See Finding a secret from a partial ARN .

--resource-policy (string)

A JSON-formatted string for an Amazon Web Services resource-based policy. For example policies, see Permissions policy examples .

--block-public-policy | --no-block-public-policy (boolean)

Specifies whether to block resource-based policies that allow broad access to the secret, for example those that use a wildcard for the principal.

--cli-input-json | --cli-input-yaml (string) Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml.

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. Similarly, if provided yaml-input it will print a sample input YAML that can be used with --cli-input-yaml. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.

See ‘aws help’ for descriptions of global parameters.

Examples¶

To add a resource-based policy to a secret

The following put-resource-policy example adds a permissions policy to a secret, checking first that the policy does not provide broad access to the secret. The policy is read from a file. For more information, see Loading AWS CLI parameters from a file in the AWS CLI User Guide.

aws secretsmanager put-resource-policy \
    --secret-id MyTestSecret \
    --resource-policy file://mypolicy.json \
    --block-public-policy

Contents of mypolicy.json:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:role/MyRole"
            },
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "*"
        }
    ]
}

Output:

{
    "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MyTestSecret-a1b2c3",
    "Name": "MyTestSecret"
}

For more information, see Attach a permissions policy to a secret in the Secrets Manager User Guide.

Output¶

ARN -> (string)

The ARN of the secret.

Name -> (string)

The name of the secret.

Table of Contents

Feedback

User Guide