IAM Policy for Secrets Manager Read Access
Create an IAM policy for reading secrets from AWS Secrets Manager. Scoped to a specific secret name prefix for the principle of least privilege.
Detailed Explanation
Secrets Manager Read Policy
Applications need to retrieve database passwords, API keys, and other secrets at runtime. This policy grants read-only access to secrets matching a specific prefix pattern.
Policy JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSecretsRead",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret"
      ],
      "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:myapp/*"
    },
    {
      "Sid": "AllowListSecrets",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:ListSecrets"
      ],
      "Resource": "*"
    }
  ]
}
Two Statements
- Statement 1: Grants GetSecretValue and DescribeSecret, scoped to secrets whose names start with myapp/. The trailing wildcard matches the random 6-character suffix that Secrets Manager adds to secret ARNs.
- Statement 2: ListSecrets cannot be restricted by resource ARN (it's a list operation), so it uses "*". To limit what secrets are visible in the list, use the secretsmanager:ResourceTag condition.
KMS Permissions
If secrets are encrypted with a customer-managed KMS key (not the default aws/secretsmanager key), you also need kms:Decrypt permission on that key. The default AWS-managed key does not require explicit KMS permissions.
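As an added example (not part of the original page), the following Python builds the two-statement policy above, appends the kms:Decrypt statement only when a customer-managed key ARN is supplied, and checks which secret ARNs the myapp/* resource pattern actually covers. It goes slightly beyond the page by restricting the KMS grant with the kms:ViaService condition so the key can only be used through Secrets Manager; the sample ARNs and the key ARN placeholder are constructed.

```python
import json
import re

# Constructed sample ARNs for the demonstration (not real secrets).
SAMPLE_ARNS = [
    "arn:aws:secretsmanager:us-east-1:123456789012:secret:myapp/db-password-AbCdEf",
    "arn:aws:secretsmanager:us-east-1:123456789012:secret:myapp/api-key-Gh1JkL",
    "arn:aws:secretsmanager:us-east-1:123456789012:secret:myapp-legacy/db-XyZ123",
    "arn:aws:secretsmanager:us-east-1:123456789012:secret:otherapp/db-password-Qq1Ww2",
    "arn:aws:secretsmanager:us-west-2:123456789012:secret:myapp/db-password-AbCdEf",
]

def iam_wildcard_match(pattern: str, value: str) -> bool:
    """IAM Resource matching: '*' is any run of characters, '?' is one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def build_read_policy(account_id: str, region: str, name_prefix: str, cmk_arn=None) -> dict:
    """Read-only Secrets Manager policy; adds kms:Decrypt only when a CMK ARN is given."""
    statements = [
        {"Sid": "AllowSecretsRead", "Effect": "Allow",
         "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
         # The trailing '*' covers the '-xxxxxx' suffix Secrets Manager appends to the ARN.
         "Resource": f"arn:aws:secretsmanager:{region}:{account_id}:secret:{name_prefix}*"},
        {"Sid": "AllowListSecrets", "Effect": "Allow",
         "Action": ["secretsmanager:ListSecrets"], "Resource": "*"},
    ]
    if cmk_arn:
        statements.append({
            "Sid": "AllowDecryptViaSecretsManager", "Effect": "Allow",
            "Action": ["kms:Decrypt"], "Resource": cmk_arn,
            # The key may only be used via Secrets Manager, not by calling KMS directly.
            "Condition": {"StringEquals": {"kms:ViaService": f"secretsmanager.{region}.amazonaws.com"}},
        })
    return {"Version": "2012-10-17", "Statement": statements}

def readable_secrets(policy: dict, candidate_arns: list) -> list:
    """Return the ARNs that the AllowSecretsRead statement's Resource pattern covers."""
    pattern = next(s["Resource"] for s in policy["Statement"] if s["Sid"] == "AllowSecretsRead")
    return [arn for arn in candidate_arns if iam_wildcard_match(pattern, arn)]

if __name__ == "__main__":
    # Placeholder key ARN; substitute the real customer-managed key ARN.
    policy = build_read_policy("123456789012", "us-east-1", "myapp/",
                               cmk_arn="arn:aws:kms:us-east-1:123456789012:key/PLACEHOLDER-KEY-ID")
    print(json.dumps(policy, indent=2))
    for arn in readable_secrets(policy, SAMPLE_ARNS):
        print("readable:", arn)
```

Note that myapp-legacy/... is not covered: the prefix match is literal, so only names that begin with myapp/ (slash included) are readable, and the us-west-2 ARN is excluded by the region segment.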
Secret Rotation
This policy does not include PutSecretValue or RotateSecret, which are needed only for the rotation Lambda function, not the consuming application.
Use Case
Application startup configuration loading, Lambda functions retrieving database credentials, ECS tasks injecting secrets into containers, and CI/CD pipelines accessing deployment credentials.