AWS Security ChangesHomeSearch

AWS secretsmanager documentation change

Service: secretsmanager · 2025-08-28 · Documentation medium

File: secretsmanager/latest/userguide/integrating_gitlab.md

Summary

Added detailed IAM role trust policy and secrets access policy examples for GitLab integration

Security assessment

Provides explicit security documentation for secure role assumption and secret access patterns, improving security configuration guidance without addressing specific vulnerabilities.

Diff

diff --git a/secretsmanager/latest/userguide/integrating_gitlab.md b/secretsmanager/latest/userguide/integrating_gitlab.md
index 905ea6d49..25a81441f 100644
--- a//secretsmanager/latest/userguide/integrating_gitlab.md
+++ b//secretsmanager/latest/userguide/integrating_gitlab.md
@@ -49 +49 @@ You'll need to create an IAM role and policy. This role is assumed by GitLab wit
-    2. You'll also need to create an IAM policy to allow GitLab access to AWS Secrets Manager. You can add this policy to your trust policy. For more information, see [Create IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html).
+    2. The following is an example of a trust policy that allows GitLab to assume roles. Your trust policy should list your AWS account, GitLab URL, and [project path](https://docs.gitlab.com/user/project/).
@@ -51 +51,32 @@ You'll need to create an IAM role and policy. This role is assumed by GitLab wit
-Show moreShow less
+****
+    
+        
+                {
+          "Version": "2012-10-17",
+          "Statement": [
+            {
+              "Effect": "Allow",
+              "Action": "sts:AssumeRoleWithWebIdentity",
+              "Principal": {
+                "Federated": "arn:aws:iam::111122223333:oidc-provider/gitlab.example.com"
+              },
+              "Condition": {
+                "StringEquals": {
+                  "gitlab.example.com:aud": [
+                    "sts.amazon.com"
+                  ]
+                },
+                "StringLike": {
+                  "gitlab.example.com:sub": [
+                    "project_path:mygroup/project-*:ref_type:branch-*:ref:main*"
+                  ]
+                }
+              }
+            }
+          ]
+        }
+        
+
+    3. You'll also need to create an IAM policy to allow GitLab access to AWS Secrets Manager. You can add this policy to your trust policy. For more information, see [Create IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html).
+
+****
@@ -53,0 +85,10 @@ Show moreShow less
+                {
+          "Version": "2012-10-17",
+          "Statement": [
+            {
+              "Effect": "Allow",
+              "Action": "secretsmanager:GetSecretValue",
+              "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:your-secret"
+            }
+          ]
+        }
@@ -55,0 +97,5 @@ Show moreShow less
+
+
+
+Show moreShow less
+