[ aws . secretsmanager ]



Attaches a resource-based permission policy to a secret. A resource-based policy is optional. For more information, see Authentication and access control for Secrets Manager

For information about attaching a policy in the console, see Attach a permissions policy to a secret .

See also: AWS API Documentation

See ‘aws help’ for descriptions of global parameters.


--secret-id <value>
--resource-policy <value>
[--block-public-policy | --no-block-public-policy]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]


--secret-id (string)

The ARN or name of the secret to attach the resource-based policy.

For an ARN, we recommend that you specify a complete ARN rather than a partial ARN.

--resource-policy (string)

A JSON-formatted string for an Amazon Web Services resource-based policy. For example policies, see Permissions policy examples .

--block-public-policy | --no-block-public-policy (boolean)

Specifies whether to block resource-based policies that allow broad access to the secret. By default, Secrets Manager blocks policies that allow broad access, for example those that use a wildcard for the principal.

--cli-input-json | --cli-input-yaml (string) Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml.

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. Similarly, if provided yaml-input it will print a sample input YAML that can be used with --cli-input-yaml. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.

See ‘aws help’ for descriptions of global parameters.


To add a resource-based policy to a secret

The following put-resource-policy example adds a permissions policy to a secret, checking first that the policy does not provide broad access to the secret. The policy is read from a file. For more information, see Loading AWS CLI parameters from a file in the AWS CLI User Guide.

aws secretsmanager put-resource-policy \
    --secret-id MyTestSecret \
    --resource-policy file://mypolicy.json \

Contents of mypolicy.json:

    "Version": "2012-10-17",
    "Statement": [
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:role/MyRole"
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "*"


    "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MyTestSecret-a1b2c3",
    "Name": "MyTestSecret"

For more information, see Attach a permissions policy to a secret in the Secrets Manager User Guide.


ARN -> (string)

The ARN of the secret.

Name -> (string)

The name of the secret.