{
"batchgetsecretvalue": {
"name": "BatchGetSecretValue",
"description": "Grants permission to retrieve and decrypt a list of secrets",
"accessLevel": "List",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"cancelrotatesecret": {
"name": "CancelRotateSecret",
"description": "Grants permission to cancel an in-progress secret rotation",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "Secret",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"secretsmanager:SecretId",
"secretsmanager:resource/AllowRotationLambdaArn",
"secretsmanager:ResourceTag/tag-key",
"aws:ResourceTag/${TagKey}",
"secretsmanager:SecretPrimaryRegion"
],
"dependentActions": []
},
"createsecret": {
"name": "CreateSecret",
"description": "Grants permission to create a secret that stores encrypted data that can be queried and rotated",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "Secret",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"secretsmanager:Name",
"secretsmanager:Description",
"secretsmanager:KmsKeyArn",
"secretsmanager:KmsKeyId",
"aws:RequestTag/${TagKey}",
"aws:ResourceTag/${TagKey}",
"aws:TagKeys",
"secretsmanager:ResourceTag/tag-key",
"secretsmanager:AddReplicaRegions",
"secretsmanager:ForceOverwriteReplicaSecret"
],
"dependentActions": []
},
"deleteresourcepolicy": {
"name": "DeleteResourcePolicy",
"description": "Grants permission to delete the resource policy attached to a secret",
"accessLevel": "Permissions management",
"resourceTypes": [
{
"name": "Secret",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"secretsmanager:SecretId",
"secretsmanager:resource/AllowRotationLambdaArn",
"secretsmanager:ResourceTag/tag-key",
"aws:ResourceTag/${TagKey}",
"secretsmanager:SecretPrimaryRegion"
],
"dependentActions": []
},
"deletesecret": {
"name": "DeleteSecret",
"description": "Grants permission to delete a secret",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "Secret",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"secretsmanager:SecretId",
"secretsmanager:resource/AllowRotationLambdaArn",
"secretsmanager:RecoveryWindowInDays",
"secretsmanager:ForceDeleteWithoutRecovery",
"secretsmanager:ResourceTag/tag-key",
"aws:ResourceTag/${TagKey}",
"secretsmanager:SecretPrimaryRegion"
],
"dependentActions": []
},
"describesecret": {
"name": "DescribeSecret",
"description": "Grants permission to retrieve the metadata about a secret, but not the encrypted data",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "Secret",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"secretsmanager:SecretId",
"secretsmanager:resource/AllowRotationLambdaArn",
"secretsmanager:ResourceTag/tag-key",
"aws:ResourceTag/${TagKey}",
"secretsmanager:SecretPrimaryRegion"
],
"dependentActions": []
},
"getrandompassword": {
"name": "GetRandomPassword",
"description": "Grants permission to generate a random string for use in password creation",
"accessLevel": "Read",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"getresourcepolicy": {
"name": "GetResourcePolicy",
"description": "Grants permission to get the resource policy attached to a secret",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "Secret",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"secretsmanager:SecretId",
"secretsmanager:resource/AllowRotationLambdaArn",
"secretsmanager:ResourceTag/tag-key",
"aws:ResourceTag/${TagKey}",
"secretsmanager:SecretPrimaryRegion"
],
"dependentActions": []
},
"getsecretvalue": {
"name": "GetSecretValue",
"description": "Grants permission to retrieve and decrypt the encrypted data",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "Secret",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"secretsmanager:SecretId",
"secretsmanager:VersionId",
"secretsmanager:VersionStage",
"secretsmanager:resource/AllowRotationLambdaArn",
"secretsmanager:ResourceTag/tag-key",
"aws:ResourceTag/${TagKey}",
"secretsmanager:SecretPrimaryRegion"
],
"dependentActions": []
},
"listsecretversionids": {
"name": "ListSecretVersionIds",
"description": "Grants permission to list the available versions of a secret",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "Secret",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"secretsmanager:SecretId",
"secretsmanager:resource/AllowRotationLambdaArn",
"secretsmanager:ResourceTag/tag-key",
"aws:ResourceTag/${TagKey}",
"secretsmanager:SecretPrimaryRegion"
],
"dependentActions": []
},
"listsecrets": {
"name": "ListSecrets",
"description": "Grants permission to list the available secrets",
"accessLevel": "List",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"putresourcepolicy": {
"name": "PutResourcePolicy",
"description": "Grants permission to attach a resource policy to a secret",
"accessLevel": "Permissions management",
"resourceTypes": [
{
"name": "Secret",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"secretsmanager:SecretId",
"secretsmanager:resource/AllowRotationLambdaArn",
"secretsmanager:ResourceTag/tag-key",
"aws:ResourceTag/${TagKey}",
"secretsmanager:BlockPublicPolicy",
"secretsmanager:SecretPrimaryRegion"
],
"dependentActions": []
},
"putsecretvalue": {
"name": "PutSecretValue",
"description": "Grants permission to create a new version of the secret with new encrypted data",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "Secret",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"secretsmanager:SecretId",
"secretsmanager:resource/AllowRotationLambdaArn",
"secretsmanager:ResourceTag/tag-key",
"aws:ResourceTag/${TagKey}",
"secretsmanager:SecretPrimaryRegion"
],
"dependentActions": []
},
"removeregionsfromreplication": {
"name": "RemoveRegionsFromReplication",
"description": "Grants permission to remove regions from replication",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "Secret",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"secretsmanager:SecretId",
"secretsmanager:resource/AllowRotationLambdaArn",
"secretsmanager:ResourceTag/tag-key",
"aws:ResourceTag/${TagKey}",
"secretsmanager:SecretPrimaryRegion"
],
"dependentActions": []
},
"replicatesecrettoregions": {
"name": "ReplicateSecretToRegions",
"description": "Grants permission to convert an existing secret to a multi-Region secret and begin replicating the secret to a list of new regions",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "Secret",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"secretsmanager:SecretId",
"secretsmanager:resource/AllowRotationLambdaArn",
"secretsmanager:ResourceTag/tag-key",
"aws:ResourceTag/${TagKey}",
"secretsmanager:SecretPrimaryRegion",
"secretsmanager:AddReplicaRegions",
"secretsmanager:ForceOverwriteReplicaSecret"
],
"dependentActions": []
},
"restoresecret": {
"name": "RestoreSecret",
"description": "Grants permission to cancel deletion of a secret",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "Secret",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"secretsmanager:SecretId",
"secretsmanager:resource/AllowRotationLambdaArn",
"secretsmanager:ResourceTag/tag-key",
"aws:ResourceTag/${TagKey}",
"secretsmanager:SecretPrimaryRegion"
],
"dependentActions": []
},
"rotatesecret": {
"name": "RotateSecret",
"description": "Grants permission to start rotation of a secret",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "Secret",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"secretsmanager:SecretId",
"secretsmanager:RotationLambdaARN",
"secretsmanager:resource/AllowRotationLambdaArn",
"secretsmanager:ResourceTag/tag-key",
"aws:ResourceTag/${TagKey}",
"secretsmanager:SecretPrimaryRegion",
"secretsmanager:ModifyRotationRules",
"secretsmanager:RotateImmediately"
],
"dependentActions": []
},
"stopreplicationtoreplica": {
"name": "StopReplicationToReplica",
"description": "Grants permission to remove the secret from replication and promote the secret to a regional secret in the replica Region",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "Secret",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"secretsmanager:SecretId",
"secretsmanager:resource/AllowRotationLambdaArn",
"secretsmanager:ResourceTag/tag-key",
"aws:ResourceTag/${TagKey}",
"secretsmanager:SecretPrimaryRegion"
],
"dependentActions": []
},
"tagresource": {
"name": "TagResource",
"description": "Grants permission to add tags to a secret",
"accessLevel": "Tagging",
"resourceTypes": [
{
"name": "Secret",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"secretsmanager:SecretId",
"aws:RequestTag/${TagKey}",
"aws:TagKeys",
"secretsmanager:resource/AllowRotationLambdaArn",
"secretsmanager:ResourceTag/tag-key",
"aws:ResourceTag/${TagKey}",
"secretsmanager:SecretPrimaryRegion"
],
"dependentActions": []
},
"untagresource": {
"name": "UntagResource",
"description": "Grants permission to remove tags from a secret",
"accessLevel": "Tagging",
"resourceTypes": [
{
"name": "Secret",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"secretsmanager:SecretId",
"aws:TagKeys",
"secretsmanager:resource/AllowRotationLambdaArn",
"secretsmanager:ResourceTag/tag-key",
"aws:ResourceTag/${TagKey}",
"secretsmanager:SecretPrimaryRegion"
],
"dependentActions": []
},
"updatesecret": {
"name": "UpdateSecret",
"description": "Grants permission to update a secret with new metadata or with a new version of the encrypted data",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "Secret",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"secretsmanager:SecretId",
"secretsmanager:Description",
"secretsmanager:KmsKeyArn",
"secretsmanager:KmsKeyId",
"secretsmanager:resource/AllowRotationLambdaArn",
"secretsmanager:ResourceTag/tag-key",
"aws:ResourceTag/${TagKey}",
"secretsmanager:SecretPrimaryRegion"
],
"dependentActions": []
},
"updatesecretversionstage": {
"name": "UpdateSecretVersionStage",
"description": "Grants permission to move a stage from one secret to another",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "Secret",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"secretsmanager:SecretId",
"secretsmanager:VersionStage",
"secretsmanager:resource/AllowRotationLambdaArn",
"secretsmanager:ResourceTag/tag-key",
"aws:ResourceTag/${TagKey}",
"secretsmanager:SecretPrimaryRegion"
],
"dependentActions": []
},
"validateresourcepolicy": {
"name": "ValidateResourcePolicy",
"description": "Grants permission to validate a resource policy before attaching it",
"accessLevel": "Permissions management",
"resourceTypes": [
{
"name": "Secret",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"secretsmanager:SecretId",
"secretsmanager:resource/AllowRotationLambdaArn",
"secretsmanager:ResourceTag/tag-key",
"aws:ResourceTag/${TagKey}",
"secretsmanager:SecretPrimaryRegion"
],
"dependentActions": []
}
}