[英]What is the benefit of using `aws_secretsmanager_secret_policy` for creating/managing policy for AWS Secrets manager?
In Terraform aws
provider, we can use the below to attach a Resource based policy to the secrets manager.在 Terraform aws
提供程序中,我们可以使用以下内容将基于资源的策略附加到机密管理器。
aws_iam_policy_document
Data resource and attach the same to the secrets manger创建aws_iam_policy_document
数据资源并将其附加到机密管理器aws_secretsmanager_secret_policy
for a secrets manager.使用aws_secretsmanager_secret_policy
为机密管理器创建策略。 I remember the older versions of the provider for eg 2.7 did not had aws_secretsmanager_secret_policy
and we had to use the data resource to attach policy to the secrets manager.我记得旧版本的提供程序(例如 2.7)没有aws_secretsmanager_secret_policy
,我们不得不使用数据资源将策略附加到秘密管理器。 Now the latest version supports both.现在最新版本支持两者。
What is the benefit of using the aws_secretsmanager_secret_policy
over aws_iam_policy_document
and under what conditions we can choose one over the other?使用aws_secretsmanager_secret_policy
而不是aws_iam_policy_document
有什么好处,在什么条件下我们可以选择其中一个而不是另一个?
aws_secretsmanager_secret_policy
is to create a resource-based policy , whereas aws_iam_policy_document
is for identity-based policy . aws_secretsmanager_secret_policy
用于创建基于资源的策略,而aws_iam_policy_document
用于基于身份的策略。 There is a number of differences between them as explained in Identity-based policies and resource-based policies .如基于身份的策略和基于资源的策略中所述,它们之间存在许多差异。
The most common scenario where you would use a resource-based policy
is for cross-account access to your secret .使用基于resource-based policy
的最常见场景是跨账户访问您的 secret 。
I think your actual question is about setting the policy
attribute on the aws_secretsmanager_secret
resource, versus creating the policy as a separate aws_secretsmanager_secret_policy
resource.我认为您的实际问题是关于在aws_secretsmanager_secret
资源上设置policy
属性,而不是将策略创建为单独的aws_secretsmanager_secret_policy
资源。
The main reason you would use aws_secretsmanager_secret_policy
instead of setting it directly on the secret resource, is if the secret was created in different Terraform code, or perhaps completely outside of Terraform.您使用aws_secretsmanager_secret_policy
而不是直接在秘密资源上设置它的主要原因是,如果秘密是在不同的 Terraform 代码中创建的,或者可能完全在 Terraform 之外创建。 For example if you wanted to create a Terraform template to look up all your AWS secrets, and set a policy on all of them.例如,如果您想创建一个 Terraform 模板来查找您的所有 AWS 机密,并为所有这些机密设置策略。
You can use aws_iam_policy_document
with either of these.您可以将aws_iam_policy_document
与其中任何一个一起使用。 aws_iam_policy_document
is just a way to define IAM policies in Terraform code instead of embedded raw JSON strings. aws_iam_policy_document
只是在 Terraform 代码而不是嵌入的原始 JSON 字符串中定义 IAM 策略的一种方式。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.