pulumi-aws-kotlin/com.pulumi.aws.secretsmanager.kotlin/SecretPolicyArgs

SecretPolicyArgs

data class SecretPolicyArgs(val blockPublicPolicy: Output<Boolean>? = null, val policy: Output<String>? = null, val secretArn: Output<String>? = null) : ConvertibleToJava<SecretPolicyArgs>

Provides a resource to manage AWS Secrets Manager secret policy.

Example Usage

Basic

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const exampleSecret = new aws.secretsmanager.Secret("example", {name: "example"});
const example = aws.iam.getPolicyDocument({
    statements: [{
        sid: "EnableAnotherAWSAccountToReadTheSecret",
        effect: "Allow",
        principals: [{
            type: "AWS",
            identifiers: ["arn:aws:iam::123456789012:root"],
        }],
        actions: ["secretsmanager:GetSecretValue"],
        resources: ["*"],
    }],
});
const exampleSecretPolicy = new aws.secretsmanager.SecretPolicy("example", {
    secretArn: exampleSecret.arn,
    policy: example.then(example => example.json),
});

import pulumi
import pulumi_aws as aws
example_secret = aws.secretsmanager.Secret("example", name="example")
example = aws.iam.get_policy_document(statements=[{
    "sid": "EnableAnotherAWSAccountToReadTheSecret",
    "effect": "Allow",
    "principals": [{
        "type": "AWS",
        "identifiers": ["arn:aws:iam::123456789012:root"],
    }],
    "actions": ["secretsmanager:GetSecretValue"],
    "resources": ["*"],
}])
example_secret_policy = aws.secretsmanager.SecretPolicy("example",
    secret_arn=example_secret.arn,
    policy=example.json)

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
    var exampleSecret = new Aws.SecretsManager.Secret("example", new()
    {
        Name = "example",
    });
    var example = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        Statements = new[]
        {
            new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
            {
                Sid = "EnableAnotherAWSAccountToReadTheSecret",
                Effect = "Allow",
                Principals = new[]
                {
                    new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
                    {
                        Type = "AWS",
                        Identifiers = new[]
                        {
                            "arn:aws:iam::123456789012:root",
                        },
                    },
                },
                Actions = new[]
                {
                    "secretsmanager:GetSecretValue",
                },
                Resources = new[]
                {
                    "*",
                },
            },
        },
    });
    var exampleSecretPolicy = new Aws.SecretsManager.SecretPolicy("example", new()
    {
        SecretArn = exampleSecret.Arn,
        Policy = example.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
    });
});

package main
import (
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/secretsmanager"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		exampleSecret, err := secretsmanager.NewSecret(ctx, "example", &secretsmanager.SecretArgs{
			Name: pulumi.String("example"),
		})
		if err != nil {
			return err
		}
		example, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
			Statements: []iam.GetPolicyDocumentStatement{
				{
					Sid:    pulumi.StringRef("EnableAnotherAWSAccountToReadTheSecret"),
					Effect: pulumi.StringRef("Allow"),
					Principals: []iam.GetPolicyDocumentStatementPrincipal{
						{
							Type: "AWS",
							Identifiers: []string{
								"arn:aws:iam::123456789012:root",
							},
						},
					},
					Actions: []string{
						"secretsmanager:GetSecretValue",
					},
					Resources: []string{
						"*",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = secretsmanager.NewSecretPolicy(ctx, "example", &secretsmanager.SecretPolicyArgs{
			SecretArn: exampleSecret.Arn,
			Policy:    pulumi.String(example.Json),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.secretsmanager.Secret;
import com.pulumi.aws.secretsmanager.SecretArgs;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.secretsmanager.SecretPolicy;
import com.pulumi.aws.secretsmanager.SecretPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var exampleSecret = new Secret("exampleSecret", SecretArgs.builder()
            .name("example")
            .build());
        final var example = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(GetPolicyDocumentStatementArgs.builder()
                .sid("EnableAnotherAWSAccountToReadTheSecret")
                .effect("Allow")
                .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                    .type("AWS")
                    .identifiers("arn:aws:iam::123456789012:root")
                    .build())
                .actions("secretsmanager:GetSecretValue")
                .resources("*")
                .build())
            .build());
        var exampleSecretPolicy = new SecretPolicy("exampleSecretPolicy", SecretPolicyArgs.builder()
            .secretArn(exampleSecret.arn())
            .policy(example.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
            .build());
    }
}

resources:
  exampleSecret:
    type: aws:secretsmanager:Secret
    name: example
    properties:
      name: example
  exampleSecretPolicy:
    type: aws:secretsmanager:SecretPolicy
    name: example
    properties:
      secretArn: ${exampleSecret.arn}
      policy: ${example.json}
variables:
  example:
    fn::invoke:
      function: aws:iam:getPolicyDocument
      arguments:
        statements:
          - sid: EnableAnotherAWSAccountToReadTheSecret
            effect: Allow
            principals:
              - type: AWS
                identifiers:
                  - arn:aws:iam::123456789012:root
            actions:
              - secretsmanager:GetSecretValue
            resources:
              - '*'

Import

Using pulumi import, import aws_secretsmanager_secret_policy using the secret Amazon Resource Name (ARN). For example:

$ pulumi import aws:secretsmanager/secretPolicy:SecretPolicy example arn:aws:secretsmanager:us-east-1:123456789012:secret:example-123456

Constructors

SecretPolicyArgs

constructor(blockPublicPolicy: Output<Boolean>? = null, policy: Output<String>? = null, secretArn: Output<String>? = null)

Properties

blockPublicPolicy

val blockPublicPolicy: Output<Boolean>? = null

Makes an optional API call to Zelkova to validate the Resource Policy to prevent broad access to your secret.

policy

val policy: Output<String>? = null

Valid JSON document representing a resource policy. Unlike aws.secretsmanager.Secret, where policy can be set to "{}" to delete the policy, "{}" is not a valid policy since policy is required.

secretArn

val secretArn: Output<String>? = null

Secret ARN. The following arguments are optional:

Functions

toJava

open override fun toJava(): SecretPolicyArgs