
Resource-based policies for Secrets Manager secrets

This module manages resource-based policies on AWS Secrets Manager secrets.

The module accepts a secret_policies variable: a map of objects, each containing the ARN of a secret plus a few options for shaping that secret's resource-based policy. These options are:

  1. To grant read-only access to the secret value (such as the secretsmanager:GetSecretValue IAM action), use the iam_entities_with_read_access attribute.
  2. To grant full access to the secret (secretsmanager:* IAM actions), use the iam_entities_with_full_access attribute.
  3. If neither of these canned options is suitable, use the policy_statement_json attribute to supply a completely custom policy. The value should be a JSON string generated by the aws_iam_policy_document data source.

Note that iam_entities_with_read_access and iam_entities_with_full_access are convenience shortcuts. They are mutually exclusive with policy_statement_json, which gives you full control over the policy. If policy_statement_json is provided, the two shortcut attributes are ignored.

Note also that you should manage the policy for any given secret exactly once. That is, do not pass the same arn value more than once. A secret has a single resource-based policy and the underlying PutResourcePolicy call replaces the whole document, so two entries for one ARN will overwrite each other on every apply and leave a non-deterministic policy on that secret.
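The following is an added example of calling the module, not code from the module's own docs. It assumes a local module path, two existing secrets and two existing roles (app-reader and secrets-admin); the VPC endpoint ID is a constructed placeholder. The first entry uses the two shortcut attributes; the second supplies a custom policy from aws_iam_policy_document that limits reads to one role and only via a VPC endpoint. Because the object type declares no optional() attributes, every key must be present; passing empty lists and null for the unused ones is an assumption about how the module tests for presence.

```hcl
# Added example (not part of the module). Assumed: module path, roles and
# secrets below already exist; the VPC endpoint ID is a constructed placeholder.
data "aws_caller_identity" "current" {}

locals {
  account_id   = data.aws_caller_identity.current.account_id
  reader_role  = "arn:aws:iam::${local.account_id}:role/app-reader"   # assumed
  admin_role   = "arn:aws:iam::${local.account_id}:role/secrets-admin" # assumed
  vpc_endpoint = "vpce-0123456789abcdef0"                              # constructed
}

resource "aws_secretsmanager_secret" "db_password" {
  name = "prod/db/password"
}

resource "aws_secretsmanager_secret" "api_key" {
  name = "prod/api/key"
}

# Custom policy for the api_key secret: read-only, one role, and only when the
# request arrives through the named VPC endpoint. Using the data source instead
# of hand-written JSON keeps quoting and escaping correct.
data "aws_iam_policy_document" "api_key" {
  statement {
    sid    = "AllowReadViaVpceOnly"
    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = [local.reader_role]
    }

    actions = [
      "secretsmanager:GetSecretValue",
      "secretsmanager:DescribeSecret",
    ]

    # In a resource-based policy "*" refers to the secret the policy is attached to.
    resources = ["*"]

    condition {
      test     = "StringEquals"
      variable = "aws:SourceVpce"
      values   = [local.vpc_endpoint]
    }
  }
}

module "secret_policies" {
  source = "../modules/secrets-manager-resource-policies" # assumed path

  # One entry per secret ARN; never list the same ARN twice.
  secret_policies = {
    db_password = {
      arn                           = aws_secretsmanager_secret.db_password.arn
      iam_entities_with_read_access = [local.reader_role]
      iam_entities_with_full_access = [local.admin_role]
      policy_statement_json         = null
    }

    api_key = {
      arn                           = aws_secretsmanager_secret.api_key.arn
      iam_entities_with_read_access = [] # ignored: policy_statement_json wins
      iam_entities_with_full_access = []
      policy_statement_json         = data.aws_iam_policy_document.api_key.json
    }
  }
}
```

After apply, confirm what actually landed on each secret with `aws secretsmanager get-resource-policy --secret-id <arn>` rather than trusting the plan output. Keep in mind that a resource-based policy is only one of the gates: the calling principal still needs a matching identity policy, and for cross-account access the secret must be encrypted with a customer-managed KMS key whose key policy also grants the other account (the AWS-managed key cannot be shared across accounts).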

Reference

Required

secret_policies (map(object(…)), required)

map(object({
# ARN of the Secrets Manager secret to which the policy applies.
arn = string

# NOTE: Either (`iam_entities_with_read_access` and/or `iam_entities_with_full_access`) OR `policy_statement_json`
# may be provided, but not both. If `policy_statement_json` is set, the other two are ignored.

# List of IAM entity ARNs (account, user, or role) that should have read access to the secret
iam_entities_with_read_access = list(string)

# List of IAM entity ARNs (account, user, or role) that should have full access ("*") to the secret
iam_entities_with_full_access = list(string)

# JSON string providing an IAM policy. This should be constructed using the aws_iam_policy_document data source.
policy_statement_json = string
}))