secretsmanager:GetSecretValue

Literal appearances in AWS managed IAM policies. Statements that use wildcards (for example s3:*) are not counted here. This is not an IAM authorization simulation.

Policies (any)

Allow (Action)

Deny (Action)

NotAction

Index generated 4/7/2026, 3:29:24 AM. 559 policies include at least one wildcard action string (any service).

Action reference

SAR-style (unofficial)

Service: AWS Secrets Manager

Access level

Read

Description

Grants permission to retrieve and decrypt the encrypted data

Resource types

Secret*

Allow (Action)

AWSDataSyncDiscoveryServiceRolePolicy
AWSDataSyncServiceRolePolicy
AWSDirectConnectServiceRolePolicy
AWSEC2SqlHaInstancePolicy
AWSECRPullThroughCache_ServiceRolePolicy
AWSGlueDataBrewServiceRole
AWSGreengrassResourceAccessRolePolicy
AWSLicenseManagerLinuxSubscriptionsServiceRolePolicy
AWSLicenseManagerUserSubscriptionsServiceRolePolicy
AWSMigrationHubOrchestratorInstanceRolePolicy
AWSMigrationHubOrchestratorPlugin
AWSMigrationHubStrategyCollector
AWSOpsWorksCMInstanceProfileRole
AWSOpsWorksCMServiceRole
AWSPCSServiceRolePolicy
AWSPanoramaFullAccess
AWSPanoramaServiceLinkedRolePolicy
AWSSecretsManagerClientReadOnlyAccess
AWSServiceRoleForAWSTransform
AWSThinkboxAWSPortalGatewayPolicy
AWSTransformSecretsManagerConnectorPolicy
AWSVPCS2SVpnServiceRolePolicy
AlexaForBusinessDeviceSetup
AlexaForBusinessFullAccess
AlexaForBusinessNetworkProfileServicePolicy
AmazonBedrockStudioPermissionsBoundary
AmazonDataZoneRedshiftGlueProvisioningPolicy
AmazonDataZoneSageMakerEnvironmentRolePermissionsBoundary
AmazonDocDBElasticFullAccess
AmazonECSInfrastructureRolePolicyForServiceConnectTransportLayerSecurity
AmazonEKSLocalOutpostClusterPolicy
AmazonEVSServiceRolePolicy
AmazonEventBridgeApiDestinationsServiceRolePolicy
AmazonEventBridgeFullAccess
AmazonEverestServicePolicy
AmazonGrafanaRedshiftAccess
AmazonLaunchWizardFullAccessV2
AmazonLaunchWizard_Fullaccess
AmazonRDSCustomInstanceProfileRolePolicy
AmazonRDSDataFullAccess
AmazonRedshiftAllCommandsFullAccess
AmazonRedshiftDataFullAccess
AmazonRedshiftFullAccess
AmazonRedshiftQueryEditor
AmazonRedshiftQueryEditorV2FullAccess
AmazonRedshiftQueryEditorV2NoSharing
AmazonRedshiftQueryEditorV2ReadSharing
AmazonRedshiftQueryEditorV2ReadWriteSharing
AmazonSageMakerCanvasDataPrepFullAccess
AmazonSageMakerCanvasFullAccess
AmazonSageMakerFullAccess
AmazonSageMakerPartnerServiceCatalogProductsLambdaServiceRolePolicy
AmazonSecurityLakeAdministrator
AppStudioServiceRolePolicy
AwsGlueDataBrewFullAccessPolicy
BedrockAgentCoreFullAccess
CloudWatchEventsFullAccess
DBModProvisioningAndMigration
ROSAInstallerPolicy
SageMakerStudioAdminIAMDefaultExecutionPolicy
SageMakerStudioAdminIAMPermissiveExecutionPolicy
SageMakerStudioBedrockFunctionExecutionRolePolicy
SageMakerStudioProjectProvisioningRolePolicy
SageMakerStudioProjectUserRolePermissionsBoundary
SageMakerStudioProjectUserRolePolicy
SageMakerStudioUserIAMDefaultExecutionPolicy
SageMakerStudioUserIAMPermissiveExecutionPolicy

Deny (Action)

None

NotAction

AmazonDataZoneSageMakerEnvironmentRolePermissionsBoundary
SageMakerStudioProjectUserRolePermissionsBoundary

Thanks to Ian McKay for iam-dataset (MIT), structured data derived from the AWS Service Authorization Reference. Not maintained by AWS and not guaranteed current. IAMTrail's managed policy archive is separate.

Definitions bundle generated 4/7/2026, 3:29:24 AM