AWS Secrets manager resource policy access for user

I'm trying to make an AWS Secrets Manager resource to be accesed only by certain user by writing a resource policy for the Secrets Manager but I can't make it work, I have tried a policy with Allow and Deny with Principal and NotPrincipal, a Deny policy with NotPrincipal and Condition, NotArnLike with aws:SourceArn. All this configs with the arn of the user arn:aws:iam::123456789012:user/fbuccioni.

My scenario is kinda root account, 2 devops with user/policy privileges to 3rd parties and need only the root account access to the secretsmanager:GetValue action. That's why I'm trying to securize the resource instead doing separate IAM identity based policies.

How can I make it work?

Is there a default Deny policy and I have to Allow? in the aws examples have an allow condition only.

Did you also added an identity-based policy to the IAM identity to allow the access to such secret?

https://docs.aws.amazon.com/secretsmanager/latest/userguide/determine-acccess_examine-iam-policies.html

> By default, IAM identities don't have permission to access secrets. When authorizing access to a secret, Secrets Manager evaluates the resource-based policy attached to the secret and all identity-based policies attached to the IAM user or role sending the request.

After clarification, your goal is to restric the access to the secret manager instance to only the root account. Can you give a try to this statement?

statement {
    principals {
      type = "AWS"
      identifiers = [
        "arn:aws:iam::<acount-number>:root"
      ]
    }
    actions = [
Your permissions here
    ]
    resources = ["*"]
    condition {
      test     = "StringLike"
      variable = "aws:PrincipalType"
      values = [
        "Account"
      ]
    }
  }

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html

To make it work I have to do several tests and research but finally I got the answer.

For IAM users

I start doing the tests without the root user, so I try with an IAM user, the policy doesn't work with Principal statement in any possibly value, I have to do a Condition to make it work:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:PutResourcePolicy",
        "secretsmanager:DeleteResourcePolicy"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotLike": {
          "aws:userId": [
            "AIDA1EXAMPLE2USER3ID4",
            "012345678987"
          ]
        }
      }
    }
  ]
}

being AIDA1EXAMPLE2USER3ID4 the User ID and 012345678987 the account number ID, you can retrieve the UserID with the command:

aws sts get-caller-identity

For Root account

The root account have the superpower to overpass any policy or permission, you just have to lock for everything and voila.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:PutResourcePolicy",
        "secretsmanager:DeleteResourcePolicy"
      ],
      "Resource": "*"
    }
  ]
}