{
  "batchgetsecretvalue": {
    "name": "BatchGetSecretValue",
    "description": "Grants permission to retrieve and decrypt a list of secrets",
    "accessLevel": "List",
    "resourceTypes": [],
    "conditionKeys": [],
    "dependentActions": []
  },
  "cancelrotatesecret": {
    "name": "CancelRotateSecret",
    "description": "Grants permission to cancel an in-progress secret rotation",
    "accessLevel": "Write",
    "resourceTypes": [
      {
        "name": "Secret",
        "required": true,
        "conditionKeys": [],
        "dependentActions": []
      }
    ],
    "conditionKeys": [
      "secretsmanager:SecretId",
      "secretsmanager:resource/AllowRotationLambdaArn",
      "secretsmanager:ResourceTag/tag-key",
      "aws:ResourceTag/${TagKey}",
      "secretsmanager:SecretPrimaryRegion"
    ],
    "dependentActions": []
  },
  "createsecret": {
    "name": "CreateSecret",
    "description": "Grants permission to create a secret that stores encrypted data that can be queried and rotated",
    "accessLevel": "Write",
    "resourceTypes": [
      {
        "name": "Secret",
        "required": true,
        "conditionKeys": [],
        "dependentActions": []
      }
    ],
    "conditionKeys": [
      "secretsmanager:Name",
      "secretsmanager:Description",
      "secretsmanager:KmsKeyArn",
      "secretsmanager:KmsKeyId",
      "aws:RequestTag/${TagKey}",
      "aws:ResourceTag/${TagKey}",
      "aws:TagKeys",
      "secretsmanager:ResourceTag/tag-key",
      "secretsmanager:AddReplicaRegions",
      "secretsmanager:ForceOverwriteReplicaSecret"
    ],
    "dependentActions": []
  },
  "deleteresourcepolicy": {
    "name": "DeleteResourcePolicy",
    "description": "Grants permission to delete the resource policy attached to a secret",
    "accessLevel": "Permissions management",
    "resourceTypes": [
      {
        "name": "Secret",
        "required": true,
        "conditionKeys": [],
        "dependentActions": []
      }
    ],
    "conditionKeys": [
      "secretsmanager:SecretId",
      "secretsmanager:resource/AllowRotationLambdaArn",
      "secretsmanager:ResourceTag/tag-key",
      "aws:ResourceTag/${TagKey}",
      "secretsmanager:SecretPrimaryRegion"
    ],
    "dependentActions": []
  },
  "deletesecret": {
    "name": "DeleteSecret",
    "description": "Grants permission to delete a secret",
    "accessLevel": "Write",
    "resourceTypes": [
      {
        "name": "Secret",
        "required": true,
        "conditionKeys": [],
        "dependentActions": []
      }
    ],
    "conditionKeys": [
      "secretsmanager:SecretId",
      "secretsmanager:resource/AllowRotationLambdaArn",
      "secretsmanager:RecoveryWindowInDays",
      "secretsmanager:ForceDeleteWithoutRecovery",
      "secretsmanager:ResourceTag/tag-key",
      "aws:ResourceTag/${TagKey}",
      "secretsmanager:SecretPrimaryRegion"
    ],
    "dependentActions": []
  },
  "describesecret": {
    "name": "DescribeSecret",
    "description": "Grants permission to retrieve the metadata about a secret, but not the encrypted data",
    "accessLevel": "Read",
    "resourceTypes": [
      {
        "name": "Secret",
        "required": true,
        "conditionKeys": [],
        "dependentActions": []
      }
    ],
    "conditionKeys": [
      "secretsmanager:SecretId",
      "secretsmanager:resource/AllowRotationLambdaArn",
      "secretsmanager:ResourceTag/tag-key",
      "aws:ResourceTag/${TagKey}",
      "secretsmanager:SecretPrimaryRegion"
    ],
    "dependentActions": []
  },
  "getrandompassword": {
    "name": "GetRandomPassword",
    "description": "Grants permission to generate a random string for use in password creation",
    "accessLevel": "Read",
    "resourceTypes": [],
    "conditionKeys": [],
    "dependentActions": []
  },
  "getresourcepolicy": {
    "name": "GetResourcePolicy",
    "description": "Grants permission to get the resource policy attached to a secret",
    "accessLevel": "Read",
    "resourceTypes": [
      {
        "name": "Secret",
        "required": true,
        "conditionKeys": [],
        "dependentActions": []
      }
    ],
    "conditionKeys": [
      "secretsmanager:SecretId",
      "secretsmanager:resource/AllowRotationLambdaArn",
      "secretsmanager:ResourceTag/tag-key",
      "aws:ResourceTag/${TagKey}",
      "secretsmanager:SecretPrimaryRegion"
    ],
    "dependentActions": []
  },
  "getsecretvalue": {
    "name": "GetSecretValue",
    "description": "Grants permission to retrieve and decrypt the encrypted data",
    "accessLevel": "Read",
    "resourceTypes": [
      {
        "name": "Secret",
        "required": true,
        "conditionKeys": [],
        "dependentActions": []
      }
    ],
    "conditionKeys": [
      "secretsmanager:SecretId",
      "secretsmanager:VersionId",
      "secretsmanager:VersionStage",
      "secretsmanager:resource/AllowRotationLambdaArn",
      "secretsmanager:ResourceTag/tag-key",
      "aws:ResourceTag/${TagKey}",
      "secretsmanager:SecretPrimaryRegion"
    ],
    "dependentActions": []
  },
  "listsecretversionids": {
    "name": "ListSecretVersionIds",
    "description": "Grants permission to list the available versions of a secret",
    "accessLevel": "Read",
    "resourceTypes": [
      {
        "name": "Secret",
        "required": true,
        "conditionKeys": [],
        "dependentActions": []
      }
    ],
    "conditionKeys": [
      "secretsmanager:SecretId",
      "secretsmanager:resource/AllowRotationLambdaArn",
      "secretsmanager:ResourceTag/tag-key",
      "aws:ResourceTag/${TagKey}",
      "secretsmanager:SecretPrimaryRegion"
    ],
    "dependentActions": []
  },
  "listsecrets": {
    "name": "ListSecrets",
    "description": "Grants permission to list the available secrets",
    "accessLevel": "List",
    "resourceTypes": [],
    "conditionKeys": [],
    "dependentActions": []
  },
  "putresourcepolicy": {
    "name": "PutResourcePolicy",
    "description": "Grants permission to attach a resource policy to a secret",
    "accessLevel": "Permissions management",
    "resourceTypes": [
      {
        "name": "Secret",
        "required": true,
        "conditionKeys": [],
        "dependentActions": []
      }
    ],
    "conditionKeys": [
      "secretsmanager:SecretId",
      "secretsmanager:resource/AllowRotationLambdaArn",
      "secretsmanager:ResourceTag/tag-key",
      "aws:ResourceTag/${TagKey}",
      "secretsmanager:BlockPublicPolicy",
      "secretsmanager:SecretPrimaryRegion"
    ],
    "dependentActions": []
  },
  "putsecretvalue": {
    "name": "PutSecretValue",
    "description": "Grants permission to create a new version of the secret with new encrypted data",
    "accessLevel": "Write",
    "resourceTypes": [
      {
        "name": "Secret",
        "required": true,
        "conditionKeys": [],
        "dependentActions": []
      }
    ],
    "conditionKeys": [
      "secretsmanager:SecretId",
      "secretsmanager:resource/AllowRotationLambdaArn",
      "secretsmanager:ResourceTag/tag-key",
      "aws:ResourceTag/${TagKey}",
      "secretsmanager:SecretPrimaryRegion"
    ],
    "dependentActions": []
  },
  "removeregionsfromreplication": {
    "name": "RemoveRegionsFromReplication",
    "description": "Grants permission to remove regions from replication",
    "accessLevel": "Write",
    "resourceTypes": [
      {
        "name": "Secret",
        "required": true,
        "conditionKeys": [],
        "dependentActions": []
      }
    ],
    "conditionKeys": [
      "secretsmanager:SecretId",
      "secretsmanager:resource/AllowRotationLambdaArn",
      "secretsmanager:ResourceTag/tag-key",
      "aws:ResourceTag/${TagKey}",
      "secretsmanager:SecretPrimaryRegion"
    ],
    "dependentActions": []
  },
  "replicatesecrettoregions": {
    "name": "ReplicateSecretToRegions",
    "description": "Grants permission to convert an existing secret to a multi-Region secret and begin replicating the secret to a list of new regions",
    "accessLevel": "Write",
    "resourceTypes": [
      {
        "name": "Secret",
        "required": true,
        "conditionKeys": [],
        "dependentActions": []
      }
    ],
    "conditionKeys": [
      "secretsmanager:SecretId",
      "secretsmanager:resource/AllowRotationLambdaArn",
      "secretsmanager:ResourceTag/tag-key",
      "aws:ResourceTag/${TagKey}",
      "secretsmanager:SecretPrimaryRegion",
      "secretsmanager:AddReplicaRegions",
      "secretsmanager:ForceOverwriteReplicaSecret"
    ],
    "dependentActions": []
  },
  "restoresecret": {
    "name": "RestoreSecret",
    "description": "Grants permission to cancel deletion of a secret",
    "accessLevel": "Write",
    "resourceTypes": [
      {
        "name": "Secret",
        "required": true,
        "conditionKeys": [],
        "dependentActions": []
      }
    ],
    "conditionKeys": [
      "secretsmanager:SecretId",
      "secretsmanager:resource/AllowRotationLambdaArn",
      "secretsmanager:ResourceTag/tag-key",
      "aws:ResourceTag/${TagKey}",
      "secretsmanager:SecretPrimaryRegion"
    ],
    "dependentActions": []
  },
  "rotatesecret": {
    "name": "RotateSecret",
    "description": "Grants permission to start rotation of a secret",
    "accessLevel": "Write",
    "resourceTypes": [
      {
        "name": "Secret",
        "required": true,
        "conditionKeys": [],
        "dependentActions": []
      }
    ],
    "conditionKeys": [
      "secretsmanager:SecretId",
      "secretsmanager:RotationLambdaARN",
      "secretsmanager:resource/AllowRotationLambdaArn",
      "secretsmanager:ResourceTag/tag-key",
      "aws:ResourceTag/${TagKey}",
      "secretsmanager:SecretPrimaryRegion",
      "secretsmanager:ModifyRotationRules",
      "secretsmanager:RotateImmediately"
    ],
    "dependentActions": []
  },
  "stopreplicationtoreplica": {
    "name": "StopReplicationToReplica",
    "description": "Grants permission to remove the secret from replication and promote the secret to a regional secret in the replica Region",
    "accessLevel": "Write",
    "resourceTypes": [
      {
        "name": "Secret",
        "required": true,
        "conditionKeys": [],
        "dependentActions": []
      }
    ],
    "conditionKeys": [
      "secretsmanager:SecretId",
      "secretsmanager:resource/AllowRotationLambdaArn",
      "secretsmanager:ResourceTag/tag-key",
      "aws:ResourceTag/${TagKey}",
      "secretsmanager:SecretPrimaryRegion"
    ],
    "dependentActions": []
  },
  "tagresource": {
    "name": "TagResource",
    "description": "Grants permission to add tags to a secret",
    "accessLevel": "Tagging",
    "resourceTypes": [
      {
        "name": "Secret",
        "required": true,
        "conditionKeys": [],
        "dependentActions": []
      }
    ],
    "conditionKeys": [
      "secretsmanager:SecretId",
      "aws:RequestTag/${TagKey}",
      "aws:TagKeys",
      "secretsmanager:resource/AllowRotationLambdaArn",
      "secretsmanager:ResourceTag/tag-key",
      "aws:ResourceTag/${TagKey}",
      "secretsmanager:SecretPrimaryRegion"
    ],
    "dependentActions": []
  },
  "untagresource": {
    "name": "UntagResource",
    "description": "Grants permission to remove tags from a secret",
    "accessLevel": "Tagging",
    "resourceTypes": [
      {
        "name": "Secret",
        "required": true,
        "conditionKeys": [],
        "dependentActions": []
      }
    ],
    "conditionKeys": [
      "secretsmanager:SecretId",
      "aws:TagKeys",
      "secretsmanager:resource/AllowRotationLambdaArn",
      "secretsmanager:ResourceTag/tag-key",
      "aws:ResourceTag/${TagKey}",
      "secretsmanager:SecretPrimaryRegion"
    ],
    "dependentActions": []
  },
  "updatesecret": {
    "name": "UpdateSecret",
    "description": "Grants permission to update a secret with new metadata or with a new version of the encrypted data",
    "accessLevel": "Write",
    "resourceTypes": [
      {
        "name": "Secret",
        "required": true,
        "conditionKeys": [],
        "dependentActions": []
      }
    ],
    "conditionKeys": [
      "secretsmanager:SecretId",
      "secretsmanager:Description",
      "secretsmanager:KmsKeyArn",
      "secretsmanager:KmsKeyId",
      "secretsmanager:resource/AllowRotationLambdaArn",
      "secretsmanager:ResourceTag/tag-key",
      "aws:ResourceTag/${TagKey}",
      "secretsmanager:SecretPrimaryRegion"
    ],
    "dependentActions": []
  },
  "updatesecretversionstage": {
    "name": "UpdateSecretVersionStage",
    "description": "Grants permission to move a stage from one secret to another",
    "accessLevel": "Write",
    "resourceTypes": [
      {
        "name": "Secret",
        "required": true,
        "conditionKeys": [],
        "dependentActions": []
      }
    ],
    "conditionKeys": [
      "secretsmanager:SecretId",
      "secretsmanager:VersionStage",
      "secretsmanager:resource/AllowRotationLambdaArn",
      "secretsmanager:ResourceTag/tag-key",
      "aws:ResourceTag/${TagKey}",
      "secretsmanager:SecretPrimaryRegion"
    ],
    "dependentActions": []
  },
  "validateresourcepolicy": {
    "name": "ValidateResourcePolicy",
    "description": "Grants permission to validate a resource policy before attaching policy",
    "accessLevel": "Permissions management",
    "resourceTypes": [
      {
        "name": "Secret",
        "required": true,
        "conditionKeys": [],
        "dependentActions": []
      }
    ],
    "conditionKeys": [
      "secretsmanager:SecretId",
      "secretsmanager:resource/AllowRotationLambdaArn",
      "secretsmanager:ResourceTag/tag-key",
      "aws:ResourceTag/${TagKey}",
      "secretsmanager:SecretPrimaryRegion"
    ],
    "dependentActions": []
  }
}