# Secrets Manager

{% hint style="info" %}

* Secrets Manager objects are commonly encrypted with KMS keys. If you don't have the `kms:Decrypt` permission on the encryption key, you won't be able to retrieve the secret.
* However, if you have the [kms:PutKeyPolicy](https://www.techwithtyler.dev/cloud-security/aws/aws-offensive-security/permissions-abuse-1#kms-putkeypolicy) permission, you can grant yourself access to the encryption key.

{% endhint %}

## secretsmanager:PutResourcePolicy

* With this permission, you can attach a resource-based policy to a secret, effectively granting yourself whatever access to that secret you want.

{% code overflow="wrap" %}

```bash
aws secretsmanager put-resource-policy --secret-id <secretId> --resource-policy file://secrets-policy.json 
```

{% endcode %}

Sample resource policy for the secret (`secrets-policy.json`):

{% code overflow="wrap" %}

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:user/<userName>"
            },
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "*"
        }
    ]
}
```

{% endcode %}
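Defenders can look for this pattern in CloudTrail. The following is an added example, not code from the original page: it scans `PutResourcePolicy` records and flags policies that let the caller itself, a principal in another account, or everyone read the secret value. The record field layout, account IDs, user and secret names are constructed assumptions.

```python
import json
from fnmatch import fnmatchcase
EVENT = ("secretsmanager.amazonaws.com", "PutResourcePolicy")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def readers(policy):
    """AWS principals that an Allow statement lets call GetSecretValue."""
    found = set()
    for stmt in _as_list(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or not any(  # IAM wildcards: Get*, *
                fnmatchcase("secretsmanager:getsecretvalue", a.lower()) for a in actions):
            continue
        principal = stmt.get("Principal", {})
        found.update(["*"] if principal == "*" else _as_list(principal.get("AWS", [])))
    return found

def classify(principal, caller_arn, account_id):
    if principal in ("*", caller_arn):
        return "public" if principal == "*" else "self-grant"
    owner = principal.split(":")[4] if principal.startswith("arn:") else principal
    return "cross-account" if owner != account_id else None

def findings(events):
    """Return (secretId, principal, reason) for risky PutResourcePolicy calls."""
    out = []
    for ev in events:
        if (ev.get("eventSource"), ev.get("eventName")) != EVENT:
            continue
        params = ev.get("requestParameters") or {}
        caller = ev.get("userIdentity", {}).get("arn")
        for p in sorted(readers(json.loads(params.get("resourcePolicy") or "{}"))):
            if (reason := classify(p, caller, ev.get("recipientAccountId"))):
                out.append((params.get("secretId"), p, reason))
    return out

# Constructed sample records; the CloudTrail field layout used here is an assumption.
ALICE = "arn:aws:iam::111122223333:user/alice"
def _event(secret, principal, action="secretsmanager:GetSecretValue"):
    stmt = {"Effect": "Allow", "Principal": principal, "Action": action, "Resource": "*"}
    return {"eventSource": EVENT[0], "eventName": EVENT[1], "recipientAccountId": "111122223333",
            "userIdentity": {"arn": ALICE}, "requestParameters": {"secretId": secret,
            "resourcePolicy": json.dumps({"Version": "2012-10-17", "Statement": [stmt]})}}
SAMPLE_EVENTS = [_event("prod/db", {"AWS": ALICE}),                                  # self-grant
                 _event("prod/api", {"AWS": "arn:aws:iam::111122223333:role/app"}),  # same account
                 _event("prod/tls", "*", action="secretsmanager:Get*"),              # public
                 _event("prod/ssh", {"AWS": "999900001111"})]                        # other account
```

The self-grant check compares ARNs exactly, so a caller recorded under an assumed-role session ARN needs to be normalized to its role ARN first.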
