This module creates an IAM policy which allows the principal to read a given list of secrets from AWS Secrets Manager. It also allows decryption using the KMS key attached to each secret.
Example:
```hcl
module "secret_read_policy" {
  source = "github.com/thoughtbot/terraform-aws-secrets//secret-read-policy"

  policy_name = "example-read-secrets"

  # If provided, the IAM policy will be attached to the given roles
  role_names = ["example-service"]

  # Input name matches the module's documented `secret_names` variable;
  # list items in HCL must be separated by commas
  secret_names = [
    "rds-postgres-example",
    "ses-smtp",
    "rds-postgres-replica",
  ]
}
```
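To show what a policy of this shape looks like when built from data sources, here is an added reconstruction of the pattern; it is not the module's own code. It reuses the resource and data-source names this README lists (`aws_secretsmanager_secret.secrets`, `aws_kms_key.secrets`, `aws_iam_policy_document.read_secrets`, `aws_iam_policy.read_secrets`, `aws_iam_role_policy_attachment.read_secrets`) and the documented inputs and outputs, but the statement bodies, the `kms:ViaService` condition, the `aws_region` lookup, and the handling of secrets that use the AWS-managed `aws/secretsmanager` key are assumptions of this example:

```hcl
# Inputs mirroring the module's documented variables (assumed declarations)
variable "policy_name" { type = string }
variable "secret_names" { type = list(string) }
variable "role_names" {
  type    = list(string)
  default = []
}

data "aws_region" "current" {}

# Resolve each secret by name so the policy names exact ARNs, not wildcards
data "aws_secretsmanager_secret" "secrets" {
  for_each = toset(var.secret_names)
  name     = each.value
}

# Resolve the customer-managed KMS key attached to each secret.
# Secrets encrypted with the AWS-managed aws/secretsmanager key report no
# kms_key_id and need no explicit kms:Decrypt grant, so they are skipped.
data "aws_kms_key" "secrets" {
  for_each = {
    for name, secret in data.aws_secretsmanager_secret.secrets :
    name => secret.kms_key_id
    if secret.kms_key_id != null && secret.kms_key_id != ""
  }
  key_id = each.value
}

data "aws_iam_policy_document" "read_secrets" {
  # Read-only access, scoped to the listed secrets only
  statement {
    sid = "ReadSecrets"
    actions = [
      "secretsmanager:GetSecretValue",
      "secretsmanager:DescribeSecret",
    ]
    resources = [for s in data.aws_secretsmanager_secret.secrets : s.arn]
  }

  # Decrypt only on the keys those secrets use, and only when KMS is called
  # on behalf of Secrets Manager (blocks direct kms:Decrypt with the same key)
  dynamic "statement" {
    for_each = length(data.aws_kms_key.secrets) > 0 ? [1] : []
    content {
      sid       = "DecryptSecrets"
      actions   = ["kms:Decrypt"]
      resources = distinct([for k in data.aws_kms_key.secrets : k.arn])

      condition {
        test     = "StringEquals"
        variable = "kms:ViaService"
        values   = ["secretsmanager.${data.aws_region.current.name}.amazonaws.com"]
      }
    }
  }
}

resource "aws_iam_policy" "read_secrets" {
  name   = var.policy_name
  policy = data.aws_iam_policy_document.read_secrets.json
}

# Attach to each role only when role_names is non-empty (default [])
resource "aws_iam_role_policy_attachment" "read_secrets" {
  for_each   = toset(var.role_names)
  role       = each.value
  policy_arn = aws_iam_policy.read_secrets.arn
}

output "policy_arn" { value = aws_iam_policy.read_secrets.arn }
output "policy_json" { value = data.aws_iam_policy_document.read_secrets.json }
output "policy_attachments" { value = aws_iam_role_policy_attachment.read_secrets }
```

Two things worth checking when reviewing a policy like this: `terraform plan` will fail at the data-source lookups if a listed secret does not exist, which is preferable to silently producing a policy with a wildcard, and the rendered `policy_json` output should contain only the specific secret and key ARNs, never `secretsmanager:*` or `kms:*`.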
Requirements:

| Name | Version |
|---|---|
| terraform | >= 0.15.5 |
| aws | ~> 5.0 |

Providers:

| Name | Version |
|---|---|
| aws | ~> 5.0 |

Resources:

| Name | Type |
|---|---|
| aws_iam_policy.read_secrets | resource |
| aws_iam_role_policy_attachment.read_secrets | resource |
| aws_iam_policy_document.read_secrets | data source |
| aws_kms_key.secrets | data source |
| aws_secretsmanager_secret.secrets | data source |

Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| policy_name | Name of the IAM policy allowed to read secrets | string | n/a | yes |
| role_names | If provided, an IAM policy will be attached to the given roles | list(string) | [] | no |
| secret_names | Names of SecretsManager secrets the role can read | list(string) | n/a | yes |

Outputs:

| Name | Description |
|---|---|
| policy_arn | ARN of the IAM policy created to grant secrets |
| policy_attachments | Role attachments for the created IAM policy |
| policy_json | IAM policy granting read access to these secrets |