Anybody know how to share a SecretsManager secret,...
# general
fierce-xylophone-92490
09/02/2023, 12:58 AM
Anybody know how to share a SecretsManager secret, setting the principal as an entire AWS organization? Would be nice if we could make a centralized secrets store in one account that accounts in a particular "organizational unit" can access easily.
billowy-army-68599
09/02/2023, 1:03 AM
you’d use a condition key with the org ID:
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-principalorgid
billowy-army-68599
09/02/2023, 1:04 AM
however, you likely don’t want to do this because you generally want to restrict access to secrets based on the IAM role
billowy-army-68599
09/02/2023, 1:05 AM
if you only use a condition key it allows access from all IAM roles
fierce-xylophone-92490
09/02/2023, 1:06 AM
So I think AWS doesn't support using that condition key on secrets. And your answer explains why that probably is. Super helpful. Thank you!