# AWS::SecretsManager::ResourcePolicy

Attaches a resource-based permission policy to a secret. A resource-based policy is optional. If a secret already has a resource policy attached, you must first remove it before attaching a new policy using this CloudFormation resource. You can remove the policy using the [console](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_resource-policies.html), [CLI](https://docs.aws.amazon.com/cli/latest/reference/secretsmanager/delete-resource-policy.html), or [API](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteResourcePolicy.html). For more information, see [Authentication and access control for Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html).

*Required permissions:* `secretsmanager:PutResourcePolicy`, `secretsmanager:GetResourcePolicy`. For more information, see [IAM policy actions for Secrets Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html#awssecretsmanager-actions-as-permissions) and [Authentication and access control in Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html).
Import the construct class directly:

```typescript
import { CfnResourcePolicy } from 'aws-cdk-lib/aws-secretsmanager';
```

Or use the module namespace:

```typescript
import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';
// secretsmanager.CfnResourcePolicy
```

Configuration is passed to the constructor as `CfnResourcePolicyProps`.
| Property | Required | Type | Description |
|---|---|---|---|
| `resourcePolicy` | Required | `any` | A JSON-formatted string for an AWS resource-based policy. For example policies, see [Permissions policy examples](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html). |
| `secretId` | Required | `string \| ISecretRef` | The ARN or name of the secret to attach the resource-based policy. For an ARN, we recommend that you specify a complete ARN rather than a partial ARN. |
| `blockPublicPolicy` | Optional | `boolean \| IResolvable` | Specifies whether to block resource-based policies that allow broad access to the secret. By default, Secrets Manager blocks policies that allow broad access, for example those that use a wildcard for the principal. |
This L1 construct maps directly to the CloudFormation resource type `AWS::SecretsManager::ResourcePolicy`.
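As an added example (not part of the CDK documentation or the aws-cdk-lib code), the following builds the `resourcePolicy` value for one `CfnResourcePolicy` and runs the same kind of check that `blockPublicPolicy` applies, flagging `Allow` statements whose principal is a wildcard. The secret ARN and role ARN are placeholders, and the CDK stack wiring is shown only in a comment.

```typescript
// Added example: a least-privilege resource policy for a secret plus a
// local check for wildcard principals (what blockPublicPolicy rejects).
interface Statement {
  Sid?: string;
  Effect: 'Allow' | 'Deny';
  Principal: string | { AWS?: string | string[]; Service?: string | string[] };
  Action: string | string[];
  Resource: string | string[];
}

interface PolicyDocument {
  Version: '2012-10-17';
  Statement: Statement[];
}

// Read-only grant scoped to a single role ARN (the caller supplies the ARN).
function buildReadPolicy(roleArn: string): PolicyDocument {
  return {
    Version: '2012-10-17',
    Statement: [{
      Sid: 'AllowRoleToReadSecret',
      Effect: 'Allow',
      Principal: { AWS: roleArn },
      Action: ['secretsmanager:GetSecretValue', 'secretsmanager:DescribeSecret'],
      Resource: '*', // in a resource-based policy, '*' means the secret the policy is attached to
    }],
  };
}

// True when any Allow statement grants access to an anonymous/wildcard principal,
// either as Principal: "*" or as "*" inside Principal.AWS.
function hasBroadPrincipal(doc: PolicyDocument): boolean {
  return doc.Statement.some((s) => {
    if (s.Effect !== 'Allow') return false;
    const p = s.Principal;
    if (p === '*') return true;
    const aws = typeof p === 'object' && p.AWS !== undefined ? ([] as string[]).concat(p.AWS) : [];
    return aws.includes('*');
  });
}

// The props object as it would be passed inside a CDK stack:
//   new secretsmanager.CfnResourcePolicy(this, 'SecretPolicy', props);
// Both ARNs below are placeholders, not real resources.
const props = {
  secretId: 'arn:aws:secretsmanager:us-east-1:111122223333:secret:MySecret-AbCdEf',
  resourcePolicy: buildReadPolicy('arn:aws:iam::111122223333:role/AppRole'),
  blockPublicPolicy: true, // keep the default guard on rather than disabling it to get a deploy through
};
```

Run `hasBroadPrincipal(props.resourcePolicy)` in a unit test or a pre-deploy hook so a wildcard principal is caught before CloudFormation ever calls `PutResourcePolicy`.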