
In the Terraform AWS provider, we can use either of the below to attach a resource-based policy to a Secrets Manager secret:

  • Create an aws_iam_policy_document data resource and attach the same to the secrets manager
  • Create the policy using aws_secretsmanager_secret_policy for a secrets manager.

I remember the older versions of the provider, e.g. 2.7, did not have aws_secretsmanager_secret_policy and we had to use the data resource to attach a policy to the secrets manager. Now the latest version supports both.

What is the benefit of using aws_secretsmanager_secret_policy over aws_iam_policy_document, and under what conditions can we choose one over the other?

Marcin
Bala

2 Answers


I think your actual question is about setting the policy attribute on the aws_secretsmanager_secret resource, versus creating the policy as a separate aws_secretsmanager_secret_policy resource.

The main reason you would use aws_secretsmanager_secret_policy instead of setting it directly on the secret resource is if the secret was created in different Terraform code, or perhaps completely outside of Terraform. For example, if you wanted to create a Terraform template to look up all your AWS secrets and set a policy on all of them.

You can use aws_iam_policy_document with either of these. aws_iam_policy_document is just a way to define IAM policies in Terraform code instead of embedded raw JSON strings.

Mark B

aws_secretsmanager_secret_policy is to create a resource-based policy, whereas aws_iam_policy_document is for an identity-based policy. There are a number of differences between them, as explained in Identity-based policies and resource-based policies.

The most common scenario where you would use a resource-based policy is for cross-account access to your secret.

Marcin
  • Hi @Marcin, thanks for the response. We can create resource-based policies using `aws_iam_policy_document`. As I mentioned in my question, you can use a data source of type aws_iam_policy_document and then attach this as a policy to the secrets manager. You can also add a statement allowing cross-account access in the aws_iam_policy_document. – Bala Jan 25 '22 at 13:27
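To tie the two answers together (a secret created outside this code and looked up by name, as Mark B describes, and a least-privilege cross-account statement, as Marcin describes), here is an added HCL example that is not from the question or either answer; the secret name, account id and role name are placeholders.

```hcl
# Added example: the secret itself was created elsewhere (other Terraform
# code, console, CLI), so it is looked up rather than declared here.
data "aws_secretsmanager_secret" "db" {
  name = "prod/app/db-password" # placeholder name
}

# aws_iam_policy_document only renders JSON; it is the `principals` block
# that makes this a resource-based policy rather than an identity policy.
data "aws_iam_policy_document" "cross_account_read" {
  statement {
    sid    = "AllowReadFromAppAccountRole"
    effect = "Allow"

    principals {
      type = "AWS"
      # Grant a single role in the other account, never the account root,
      # so the grant cannot be widened from the other side.
      identifiers = ["arn:aws:iam::111122223333:role/app-reader"] # placeholder
    }

    # Read-only: no PutSecretValue / UpdateSecret / DeleteSecret.
    actions   = ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]
    resources = [data.aws_secretsmanager_secret.db.arn]

    # Defensive condition: only the non-deprecated current version.
    condition {
      test     = "ForAnyValue:StringEquals"
      variable = "secretsmanager:VersionStage"
      values   = ["AWSCURRENT"]
    }
  }
}

# Attach the rendered JSON as the secret's resource policy.
resource "aws_secretsmanager_secret_policy" "db" {
  secret_arn          = data.aws_secretsmanager_secret.db.arn
  policy              = data.aws_iam_policy_document.cross_account_read.json
  block_public_policy = true # reject a policy that would grant access to everyone
}
```

Note that cross-account reads also require the secret to be encrypted with a customer managed KMS key whose key policy grants `kms:Decrypt` to the same role; the AWS managed key `aws/secretsmanager` cannot be used across accounts, so the resource policy alone is not sufficient.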