[ aws . secretsmanager ]

validate-resource-policy

Description

Validates that a resource policy does not grant a wide range of principals access to your secret. A resource-based policy is optional for secrets.

The API performs three checks when validating the policy:

  • Sends a call to Zelkova , an automated reasoning engine, to ensure your resource policy does not allow broad access to your secret, for example policies that use a wildcard for the principal.

  • Checks for correct syntax in a policy.

  • Verifies the policy does not lock out a caller.

Required permissions: secretsmanager:ValidateResourcePolicy . For more information, see IAM policy actions for Secrets Manager and Authentication and access control in Secrets Manager .

See also: AWS API Documentation

See ‘aws help’ for descriptions of global parameters.

Synopsis

  validate-resource-policy
[--secret-id <value>]
--resource-policy <value>
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]

Options

--secret-id (string)

This field is reserved for internal use.

--resource-policy (string)

A JSON-formatted string that contains an Amazon Web Services resource-based policy. The policy in the string identifies who can access or manage this secret and its versions. For example policies, see Permissions policy examples .

--cli-input-json | --cli-input-yaml (string) Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml.

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. Similarly, if provided yaml-input it will print a sample input YAML that can be used with --cli-input-yaml. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.

See ‘aws help’ for descriptions of global parameters.

Examples

Note

To use the following examples, you must have the AWS CLI installed and configured. See the Getting started guide in the AWS CLI User Guide for more information.

Unless otherwise stated, all examples have unix-like quotation rules. These examples will need to be adapted to your terminal’s quoting rules. See Using quotation marks with strings in the AWS CLI User Guide .

To validate a resource policy

The following validate-resource-policy example checks that a resource policy doesn’t grant broad access to a secret. The policy is read from a file on disk. For more information, see Loading AWS CLI parameters from a file in the AWS CLI User Guide.

aws secretsmanager validate-resource-policy \
    --resource-policy file://mypolicy.json

Contents of mypolicy.json:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:role/MyRole"
            },
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "*"
        }
    ]
}

Output:

{
    "PolicyValidationPassed": true,
    "ValidationErrors": []
}

For more information, see Permissions reference for Secrets Manager in the Secrets Manager User Guide.

Output

PolicyValidationPassed -> (boolean)

True if your policy passes validation, otherwise false.

ValidationErrors -> (list)

Validation errors if your policy didn’t pass validation.

(structure)

Displays errors that occurred during validation of the resource policy.

CheckName -> (string)

Checks the name of the policy.

ErrorMessage -> (string)

Displays error messages if validation encounters problems during validation of the resource policy.