SecretsManager / Client / put_resource_policy

put_resource_policy#

SecretsManager.Client.put_resource_policy(**kwargs)#

Attaches a resource-based permission policy to a secret. A resource-based policy is optional. For more information, see Authentication and access control for Secrets Manager

For information about attaching a policy in the console, see Attach a permissions policy to a secret.

Secrets Manager generates a CloudTrail log entry when you call this action. Do not include sensitive information in request parameters because it might be logged. For more information, see Logging Secrets Manager events with CloudTrail.

**Required permissions: ** secretsmanager:PutResourcePolicy. For more information, see IAM policy actions for Secrets Manager and Authentication and access control in Secrets Manager.

See also: AWS API Documentation

Request Syntax

response = client.put_resource_policy(
    SecretId='string',
    ResourcePolicy='string',
    BlockPublicPolicy=True|False
)
Parameters:
  • SecretId (string) –

    [REQUIRED]

    The ARN or name of the secret to attach the resource-based policy.

    For an ARN, we recommend that you specify a complete ARN rather than a partial ARN. See Finding a secret from a partial ARN.

  • ResourcePolicy (string) –

    [REQUIRED]

    A JSON-formatted string for an Amazon Web Services resource-based policy. For example policies, see Permissions policy examples.

  • BlockPublicPolicy (boolean) – Specifies whether to block resource-based policies that allow broad access to the secret, for example those that use a wildcard for the principal.

Return type:

dict

Returns:

Response Syntax

{
    'ARN': 'string',
    'Name': 'string'
}

Response Structure

  • (dict) –

    • ARN (string) –

      The ARN of the secret.

    • Name (string) –

      The name of the secret.

Exceptions

  • SecretsManager.Client.exceptions.MalformedPolicyDocumentException

  • SecretsManager.Client.exceptions.ResourceNotFoundException

  • SecretsManager.Client.exceptions.InvalidParameterException

  • SecretsManager.Client.exceptions.InternalServiceError

  • SecretsManager.Client.exceptions.InvalidRequestException

  • SecretsManager.Client.exceptions.PublicPolicyException

Examples

The following example shows how to add a resource-based policy to a secret.

response = client.put_resource_policy(
    ResourcePolicy='{\n"Version":"2012-10-17",\n"Statement":[{\n"Effect":"Allow",\n"Principal":{\n"AWS":"arn:aws:iam::123456789012:root"\n},\n"Action":"secretsmanager:GetSecretValue",\n"Resource":"*"\n}]\n}',
    SecretId='MyTestDatabaseSecret',
)

print(response)

Expected Output:

{
    'ARN': 'arn:aws:secretsmanager:us-west-2:123456789012:secret:MyTestDatabaseSecret-a1b2c3',
    'Name': 'MyTestDatabaseSecret',
    'ResponseMetadata': {
        '...': '...',
    },
}