Secret
Provides a resource to manage AWS Secrets Manager secret policy.
Example Usage
Basic
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const exampleSecret = new aws.secretsmanager.Secret("example", {name: "example"});
const example = aws.iam.getPolicyDocument({
statements: [{
sid: "EnableAnotherAWSAccountToReadTheSecret",
effect: "Allow",
principals: [{
type: "AWS",
identifiers: ["arn:aws:iam::123456789012:root"],
}],
actions: ["secretsmanager:GetSecretValue"],
resources: ["*"],
}],
});
const exampleSecretPolicy = new aws.secretsmanager.SecretPolicy("example", {
secretArn: exampleSecret.arn,
policy: example.then(example => example.json),
});Content copied to clipboard
import pulumi
import pulumi_aws as aws
example_secret = aws.secretsmanager.Secret("example", name="example")
example = aws.iam.get_policy_document(statements=[{
"sid": "EnableAnotherAWSAccountToReadTheSecret",
"effect": "Allow",
"principals": [{
"type": "AWS",
"identifiers": ["arn:aws:iam::123456789012:root"],
}],
"actions": ["secretsmanager:GetSecretValue"],
"resources": ["*"],
}])
example_secret_policy = aws.secretsmanager.SecretPolicy("example",
secret_arn=example_secret.arn,
policy=example.json)Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var exampleSecret = new Aws.SecretsManager.Secret("example", new()
{
Name = "example",
});
var example = Aws.Iam.GetPolicyDocument.Invoke(new()
{
Statements = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
{
Sid = "EnableAnotherAWSAccountToReadTheSecret",
Effect = "Allow",
Principals = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
{
Type = "AWS",
Identifiers = new[]
{
"arn:aws:iam::123456789012:root",
},
},
},
Actions = new[]
{
"secretsmanager:GetSecretValue",
},
Resources = new[]
{
"*",
},
},
},
});
var exampleSecretPolicy = new Aws.SecretsManager.SecretPolicy("example", new()
{
SecretArn = exampleSecret.Arn,
Policy = example.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/secretsmanager"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
exampleSecret, err := secretsmanager.NewSecret(ctx, "example", &secretsmanager.SecretArgs{
Name: pulumi.String("example"),
})
if err != nil {
return err
}
example, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
Statements: []iam.GetPolicyDocumentStatement{
{
Sid: pulumi.StringRef("EnableAnotherAWSAccountToReadTheSecret"),
Effect: pulumi.StringRef("Allow"),
Principals: []iam.GetPolicyDocumentStatementPrincipal{
{
Type: "AWS",
Identifiers: []string{
"arn:aws:iam::123456789012:root",
},
},
},
Actions: []string{
"secretsmanager:GetSecretValue",
},
Resources: []string{
"*",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = secretsmanager.NewSecretPolicy(ctx, "example", &secretsmanager.SecretPolicyArgs{
SecretArn: exampleSecret.Arn,
Policy: pulumi.String(example.Json),
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.secretsmanager.Secret;
import com.pulumi.aws.secretsmanager.SecretArgs;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.secretsmanager.SecretPolicy;
import com.pulumi.aws.secretsmanager.SecretPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var exampleSecret = new Secret("exampleSecret", SecretArgs.builder()
.name("example")
.build());
final var example = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
.statements(GetPolicyDocumentStatementArgs.builder()
.sid("EnableAnotherAWSAccountToReadTheSecret")
.effect("Allow")
.principals(GetPolicyDocumentStatementPrincipalArgs.builder()
.type("AWS")
.identifiers("arn:aws:iam::123456789012:root")
.build())
.actions("secretsmanager:GetSecretValue")
.resources("*")
.build())
.build());
var exampleSecretPolicy = new SecretPolicy("exampleSecretPolicy", SecretPolicyArgs.builder()
.secretArn(exampleSecret.arn())
.policy(example.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
.build());
}
}Content copied to clipboard
resources:
exampleSecret:
type: aws:secretsmanager:Secret
name: example
properties:
name: example
exampleSecretPolicy:
type: aws:secretsmanager:SecretPolicy
name: example
properties:
secretArn: ${exampleSecret.arn}
policy: ${example.json}
variables:
example:
fn::invoke:
function: aws:iam:getPolicyDocument
arguments:
statements:
- sid: EnableAnotherAWSAccountToReadTheSecret
effect: Allow
principals:
- type: AWS
identifiers:
- arn:aws:iam::123456789012:root
actions:
- secretsmanager:GetSecretValue
resources:
- '*'Content copied to clipboard
Import
Using pulumi import, import aws_secretsmanager_secret_policy using the secret Amazon Resource Name (ARN). For example:
$ pulumi import aws:secretsmanager/secretPolicy:SecretPolicy example arn:aws:secretsmanager:us-east-1:123456789012:secret:example-123456Content copied to clipboard
Properties
Link copied to clipboard
Makes an optional API call to Zelkova to validate the Resource Policy to prevent broad access to your secret.
Link copied to clipboard
Valid JSON document representing a resource policy. Unlike aws.secretsmanager.Secret, where policy can be set to "{}" to delete the policy, "{}" is not a valid policy since policy is required.
Link copied to clipboard
Link copied to clipboard
Link copied to clipboard