
ResourcePolicy

The ResourcePolicy resource lets you manage resource-based access policies for AWS Secrets Manager secrets, giving fine-grained control over which principals can access a specific secret. For more detailed information, refer to the AWS Secrets Manager ResourcePolicy documentation.

Create a basic resource policy for a secret, specifying the secret ID and a simple policy document that grants one IAM user read access.

```ts
import AWS from "alchemy/aws/control";

const minimalResourcePolicy = await AWS.SecretsManager.ResourcePolicy("myResourcePolicy", {
  // Name or ARN of the secret the policy is attached to
  SecretId: "mySecretId",
  ResourcePolicy: {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        // Only this IAM user may read the secret value
        Principal: {
          AWS: "arn:aws:iam::123456789012:user/MyUser"
        },
        Action: "secretsmanager:GetSecretValue",
        Resource: "arn:aws:secretsmanager:us-west-2:123456789012:secret:mySecretId-123456"
      }
    ]
  }
});
```

Configure a resource policy with additional options, including BlockPublicPolicy, which makes Secrets Manager reject a policy that would grant broad (public) access to the secret.

```ts
import AWS from "alchemy/aws/control";

const advancedResourcePolicy = await AWS.SecretsManager.ResourcePolicy("advancedResourcePolicy", {
  SecretId: "myAdvancedSecretId",
  // Refuse to attach a policy that would open the secret to a wildcard principal
  BlockPublicPolicy: true,
  ResourcePolicy: {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        // A single IAM role may read and describe the secret
        Principal: {
          AWS: "arn:aws:iam::123456789012:role/MyRole"
        },
        Action: [
          "secretsmanager:GetSecretValue",
          "secretsmanager:DescribeSecret"
        ],
        Resource: "arn:aws:secretsmanager:us-west-2:123456789012:secret:myAdvancedSecretId-abcdef"
      }
    ]
  }
});
```
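The policy documents above are plain objects, so they can be built and checked locally before being handed to `AWS.SecretsManager.ResourcePolicy`. The following is an added example, not Alchemy's own code: `readOnlyPolicy` builds a least-privilege read policy scoped to one secret ARN, and `isPublicPolicy` is a local approximation of the wildcard-principal check that `BlockPublicPolicy: true` enforces server-side (the sample ARNs are constructed; AWS's own analysis is more thorough than this check).

```typescript
// Added example (not part of the Alchemy project): build a scoped Secrets Manager
// resource policy and flag documents that would grant public access.
type Principal = "*" | { AWS: string | string[] };

interface Statement {
  Effect: "Allow" | "Deny";
  Principal: Principal;
  Action: string | string[];
  Resource: string;
  Condition?: Record<string, Record<string, string | string[]>>;
}

interface PolicyDocument {
  Version: "2012-10-17";
  Statement: Statement[];
}

// Read-only policy limited to one secret ARN and an explicit list of principals.
function readOnlyPolicy(secretArn: string, principals: string[]): PolicyDocument {
  return {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Principal: { AWS: principals },
        Action: ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
        Resource: secretArn,
      },
    ],
  };
}

// True when any unconditional Allow statement names a wildcard principal: the shape
// BlockPublicPolicy is meant to reject. Simplification: a Condition is treated as
// restricting access, which AWS does not assume for every condition key.
function isPublicPolicy(doc: PolicyDocument): boolean {
  return doc.Statement.some((s) => {
    if (s.Effect !== "Allow" || s.Condition) return false;
    if (s.Principal === "*") return true;
    const aws = s.Principal.AWS;
    return (Array.isArray(aws) ? aws : [aws]).includes("*");
  });
}

// Constructed sample inputs: a scoped policy and a public one.
const sampleSecretArn = "arn:aws:secretsmanager:us-west-2:123456789012:secret:mySecretId-123456";
const scopedPolicy = readOnlyPolicy(sampleSecretArn, ["arn:aws:iam::123456789012:role/MyRole"]);
const wildcardPolicy: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Principal: "*", Action: "secretsmanager:GetSecretValue", Resource: sampleSecretArn }],
};
```

Pass `scopedPolicy` as the `ResourcePolicy` value; a document for which `isPublicPolicy` returns true is the kind that `BlockPublicPolicy: true` would cause the deployment to fail on.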

Example with Adoption of Existing Resource


This example demonstrates how to adopt an existing resource policy without failing if the resource already exists.

```ts
import AWS from "alchemy/aws/control";

const adoptedResourcePolicy = await AWS.SecretsManager.ResourcePolicy("adoptedPolicy", {
  SecretId: "myExistingSecretId",
  // Take over an existing policy instead of failing because one is already attached
  adopt: true,
  ResourcePolicy: {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        // A service role may write new secret versions
        Principal: {
          AWS: "arn:aws:iam::123456789012:service-role/MyServiceRole"
        },
        Action: "secretsmanager:PutSecretValue",
        Resource: "arn:aws:secretsmanager:us-west-2:123456789012:secret:myExistingSecretId-ghijkl"
      }
    ]
  }
});
```