@@ -35,6 +35,63 @@ Create a IAM Policy to pin down access to secrets matching `dev-*`.
]
}
```
+
+#### Permissions for PushSecret
+
+If you're planning to use `PushSecret`, ensure you also have the following permissions in your IAM policy:
+
+``` json
+{
+ "Effect": "Allow",
+ "Action": [
+ "secretsmanager:CreateSecret",
+ "secretsmanager:PutSecretValue",
+ "secretsmanager:TagResource",
+ "secretsmanager:DeleteSecret"
+ ],
+ "Resource": [
+ "arn:aws:secretsmanager:us-west-2:111122223333:secret:dev-*"
+ ]
+}
+```
+
+Here's a more restrictive version of the IAM policy:
+
+``` json
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "secretsmanager:CreateSecret",
+ "secretsmanager:PutSecretValue",
+ "secretsmanager:TagResource"
+ ],
+ "Resource": [
+ "arn:aws:secretsmanager:us-west-2:111122223333:secret:dev-*"
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "secretsmanager:DeleteSecret"
+ ],
+ "Resource": [
+ "arn:aws:secretsmanager:us-west-2:111122223333:secret:dev-*"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "secretsmanager:ResourceTag/managed-by": "external-secrets"
+ }
+ }
+ }
+ ]
+}
+```
+
+In this policy, the DeleteSecret action is restricted to secrets that have the specified tag, ensuring that deletion operations are more controlled and in line with the intended management of the secrets.
+
### JSON Secret Values
SecretsManager supports *simple* key/value pairs that are stored as json. If you use the API you can store more complex JSON objects. You can access nested values or arrays using [gjson syntax](https://github.com/tidwall/gjson/blob/master/SYNTAX.md):
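Review bot: in the second ("more restrictive") policy, the `managed-by` tag that gates `secretsmanager:DeleteSecret` can be set by the same principal, because the first statement grants `secretsmanager:TagResource` on the same `dev-*` resources with no condition, so the `secretsmanager:ResourceTag/managed-by` check adds little beyond the resource scope that the first policy already had. Consider constraining the tagging statement to the tag the condition relies on, for example a `Condition` with `"StringEquals": { "aws:RequestTag/managed-by": "external-secrets" }` and `"ForAllValues:StringEquals": { "aws:TagKeys": ["managed-by"] }`, so a secret cannot be re-tagged into the deletable set. The sentence after the policy could also state which component is expected to apply the `managed-by: external-secrets` tag, since the deletion condition only takes effect on secrets that actually carry it.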