How do I apply a resource-based policy on an AWS Secrets Manager secret?

2 minute read

I want to use resource-based policies to control access to AWS Secrets Manager secrets.

Short description

Use resource-based policies to specify user access to a secret and what actions an AWS Identity and Access Management (IAM) user can perform.

Note: A secret is defined as a resource with Secrets Manager.

You can use Secrets Manager resource-based policies in the following common scenarios:

  • Share a secret between AWS accounts.
  • Add an explicit deny to the secret to enforce permissions.

The following example resource-based policy uses the Effect, Action, Resource, and Principal elements: 

{  "Version": "2012-10-17",
  "Statement": [
      "Effect": "Allow",
      "Action": "secretsmanager:*",
      "Principal": {"AWS": "arn:aws:iam::123456789999:user/Mary"},
      "Resource": "*"


Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

To apply a resource-based policy in Secrets Manager, complete the following steps:

  1. Create a secret, and then note the secret's ARN.

  2. Copy and paste this policy into a text editor, and then save it as a JSON file, such as my_explicit_deny_policy.json:

    { "Version": "2012-10-17","Statement": [
          "Effect": "Deny",
          "Action": "secretsmanager:GetSecretValue",
          "Principal": {"AWS": "arn:aws:iam::123456789999:user/Mary"},
          "Resource": "*"
  3. Run the put-resource-policy AWS CLI command to attach a resource policy for the secret to explicitly deny secret value retrieval:

    aws secretsmanager put-resource-policy --secret-id My_Resource_Secret --resource-policy file:// My_explicit_deny_Policy.json

    You receive an output similar to this one:

    {"ARN": "arn:aws:secretsmanager:<your region>:123456789999:secret:My_Resource_Secret",
    "Name": "My_Resource_Secret"

    Note: The AWS Key Management Service (AWS KMS) decrypt permission is required only if you use AWS KMS keys to encrypt your secret. When the secret is encrypted by a default AWS KMS key, an IAM principal in a third-party account can't retrieve the secret.

For more information, see Attach a permissions policy to an AWS Secrets Manager secret.

AWS OFFICIALUpdated 5 months ago