AWS Secrets Manager

2018/06/26 - AWS Secrets Manager - 3 new api methods

Changes: This release adds support for resource-based policies that attach directly to your secrets. These policies provide an additional way to control who can access your secrets and what they can do with them. For more information, see https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_resource-based-policies.html in the Secrets Manager User Guide.

PutResourcePolicy (new)

Attaches the contents of the specified resource-based policy to a secret. A resource-based policy is optional. Alternatively, you can use IAM user-based policies that specify the secret's ARN in the policy statement's Resources element. You can also use a combination of both identity- and resource-based policies. The affected users and roles receive the permissions permitted by all of the relevant policies. For more information, see Using Resource-Based Policies for AWS Secrets Manager. For the complete description of the AWS policy syntax and grammar, see IAM JSON Policy Reference in the IAM User Guide.

Minimum permissions

To run this command, you must have the following permissions:

  • secretsmanager:PutResourcePolicy

Related operations

  • To retrieve the resource policy attached to a secret, use GetResourcePolicy.

  • To delete the resource-based policy that is attached to a secret, use DeleteResourcePolicy.

  • To list all of the currently available secrets, use ListSecrets.

See also: AWS API Documentation

Request Syntax

client.put_resource_policy(
    SecretId='string',
    ResourcePolicy='string'
)
type SecretId

string

param SecretId

[REQUIRED]

Specifies the secret to which you want to attach the resource-based policy. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret.

type ResourcePolicy

string

param ResourcePolicy

[REQUIRED]

A JSON-formatted string constructed according to the grammar and syntax for an AWS resource-based policy. The policy in the string identifies who can access or manage this secret and its versions. For information on how to format a JSON parameter for the various command line tool environments, see Using JSON for Parameters in the AWS CLI User Guide.

rtype

dict

returns

Response Syntax

{
    'ARN': 'string',
    'Name': 'string'
}

Response Structure

  • (dict) --

    • ARN (string) --

      The ARN of the secret for which the resource-based policy was retrieved.

    • Name (string) --

      The friendly name of the secret for which the resource-based policy was retrieved.

DeleteResourcePolicy (new)

Deletes the resource-based policy currently attached to the secret.

Minimum permissions

To run this command, you must have the following permissions:

  • secretsmanager:DeleteResourcePolicy

Related operations

  • To attach a resource policy to a secret, use PutResourcePolicy.

  • To retrieve the current resource-based policy that is attached to a secret, use GetResourcePolicy.

  • To list all of the currently available secrets, use ListSecrets.

See also: AWS API Documentation

Request Syntax

client.delete_resource_policy(
    SecretId='string'
)
type SecretId

string

param SecretId

[REQUIRED]

Specifies the secret for which you want to delete the attached resource-based policy. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret.

rtype

dict

returns

Response Syntax

{
    'ARN': 'string',
    'Name': 'string'
}

Response Structure

  • (dict) --

    • ARN (string) --

      The ARN of the secret for which the resource-based policy was deleted.

    • Name (string) --

      The friendly name of the secret for which the resource-based policy was deleted.

GetResourcePolicy (new)

Retrieves the JSON text of the resource-based policy attached to the specified secret. The JSON request string input and response output are shown formatted with whitespace and line breaks for better readability. Submit your input as a single line JSON string.

Minimum permissions

To run this command, you must have the following permissions:

  • secretsmanager:GetResourcePolicy

Related operations

  • To attach a resource policy to a secret, use PutResourcePolicy.

  • To delete the resource-based policy that is attached to a secret, use DeleteResourcePolicy.

  • To list all of the currently available secrets, use ListSecrets.

See also: AWS API Documentation

Request Syntax

client.get_resource_policy(
    SecretId='string'
)
type SecretId

string

param SecretId

[REQUIRED]

Specifies the secret for which you want to retrieve the attached resource-based policy. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret.

rtype

dict

returns

Response Syntax

{
    'ARN': 'string',
    'Name': 'string',
    'ResourcePolicy': 'string'
}

Response Structure

  • (dict) --

    • ARN (string) --

      The ARN of the secret for which the resource-based policy was retrieved.

    • Name (string) --

      The friendly name of the secret for which the resource-based policy was retrieved.

    • ResourcePolicy (string) --

      A JSON-formatted string that describes the permissions associated with the attached secret. These permissions are combined with any permissions associated with the user or role who attempts to access this secret. The combined permissions specify who can access the secret and what actions they can perform. For more information, see Authentication and Access Control for AWS Secrets Manager in the AWS Secrets Manager User Guide.
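The following is an added example, not boto3's or AWS's own sample code, that exercises the three operations described above (PutResourcePolicy, GetResourcePolicy and DeleteResourcePolicy) in one round trip. It builds a least-privilege resource-based policy as a dict, serialises it as the single-line JSON string the service expects, lints it for the over-broad grants that matter because resource and identity policies are unioned (an Allow to Principal "*" with no Condition, or a wildcard Action), and only then calls put_resource_policy. The secret ARN, the role ARN and the FakeSecretsManagerClient are constructed placeholders; substitute boto3.client("secretsmanager") to run it against a real account.

```python
"""Attach, inspect and remove a Secrets Manager resource-based policy.

Added example built around the boto3 calls documented on this page
(put_resource_policy, get_resource_policy, delete_resource_policy).
Not AWS's or boto3's own sample code. The ARNs, the policy content and
FakeSecretsManagerClient are constructed for illustration.
"""
import json

# Constructed placeholder values, not real resources.
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:demo/db-creds-AbCdEf"
READER_ROLE_ARN = "arn:aws:iam::123456789012:role/AppReaderRole"


def build_read_only_policy(secret_arn, principal_arns):
    """Resource-based policy that lets only the listed principals read the secret."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowNamedPrincipalsToReadSecret",
                "Effect": "Allow",
                "Principal": {"AWS": list(principal_arns)},
                "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
                "Resource": secret_arn,
            }
        ],
    }


def lint_policy(policy):
    """Return a list of findings; an empty list means no obviously over-broad grant.

    Resource and identity permissions are combined, so an unconditioned Allow to
    Principal "*" or a wildcard Action widens access far beyond the named callers.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        aws_list = aws if isinstance(aws, list) else [aws]
        if "*" in aws_list and "Condition" not in stmt:
            findings.append(f"{sid}: Allow to Principal '*' without a Condition")
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if any(a in ("*", "secretsmanager:*") for a in actions):
            findings.append(f"{sid}: wildcard Action")
    return findings


def to_request_string(policy):
    """The ResourcePolicy parameter is a single-line JSON string, not a dict."""
    return json.dumps(policy, separators=(",", ":"))


def attach_policy(client, secret_id, policy):
    """Lint, then PutResourcePolicy; returns the secret ARN from the response."""
    findings = lint_policy(policy)
    if findings:
        raise ValueError("refusing to attach over-broad policy: " + "; ".join(findings))
    resp = client.put_resource_policy(SecretId=secret_id, ResourcePolicy=to_request_string(policy))
    return resp["ARN"]


def fetch_policy(client, secret_id):
    """GetResourcePolicy parsed back into a dict, or None when nothing is attached."""
    resp = client.get_resource_policy(SecretId=secret_id)
    raw = resp.get("ResourcePolicy")
    return json.loads(raw) if raw else None


def remove_policy(client, secret_id):
    """DeleteResourcePolicy; returns the secret ARN from the response."""
    return client.delete_resource_policy(SecretId=secret_id)["ARN"]


class FakeSecretsManagerClient:
    """Constructed in-memory stand-in for boto3.client("secretsmanager")."""

    def __init__(self, arn, name):
        self._arn, self._name, self._policy = arn, name, None

    def put_resource_policy(self, SecretId, ResourcePolicy):
        json.loads(ResourcePolicy)  # the real service rejects malformed JSON
        self._policy = ResourcePolicy
        return {"ARN": self._arn, "Name": self._name}

    def get_resource_policy(self, SecretId):
        resp = {"ARN": self._arn, "Name": self._name}
        if self._policy is not None:
            resp["ResourcePolicy"] = self._policy
        return resp

    def delete_resource_policy(self, SecretId):
        self._policy = None
        return {"ARN": self._arn, "Name": self._name}


if __name__ == "__main__":
    client = FakeSecretsManagerClient(SECRET_ARN, "demo/db-creds")  # or boto3.client("secretsmanager")
    policy = build_read_only_policy(SECRET_ARN, [READER_ROLE_ARN])
    attach_policy(client, SECRET_ARN, policy)
    print(json.dumps(fetch_policy(client, SECRET_ARN), indent=2))
    remove_policy(client, SECRET_ARN)
```

The lint step is deliberately placed before the put call: once a policy is attached, every principal it names can read the secret immediately, so catching a stray "*" in code review or CI is cheaper than catching it in CloudTrail afterwards. fetch_policy returns None rather than raising when the secret has no policy, which is the state DeleteResourcePolicy leaves behind.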