#general
fierce-xylophone-92490
09/02/2023, 12:58 AM
Anybody know how to share a SecretsManager secret, setting the principal as an entire AWS organization? Would be nice if we could make a centralized secrets store in one account that accounts in a particular "organizational unit" can access easily.
billowy-army-68599
09/02/2023, 1:03 AM
you’d use a condition key with the org ID:
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-principalorgid
however, you likely don’t want to do this because you generally want to restrict access to secrets based on the IAM role
if you only use a condition key it allows access from all IAM roles
fierce-xylophone-92490
09/02/2023, 1:06 AM
So I think AWS doesn't support using that condition key on secrets. And your answer explains why that probably is. Super helpful. Thank you!