Secret access policies
Access policies add optional rules on top of IAM for getSecretValue and putSecretValue. Metadata, list, delete, and destroy-version operations are not gated by the policy.
Condition types
| Type | Behaviour |
|---|---|
| IP | Allow or deny based on client IP (supports CIDR). Uses X-Forwarded-For, X-Real-IP, then connection address |
| Time | Allow only during specified hours (startHour–endHour, IANA timezone; supports overnight windows) |
Evaluation order
Evaluation follows the same order as IAM policy conditionals:
- If any deny condition matches, the request is rejected (403)
- If allow conditions are present, at least one of them must match, otherwise the request is rejected
- No policy: IAM only
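To make that order concrete, here is an added local model of the check in Python. It is example code, not Thalassa Cloud's implementation: it assumes the condition shape used in the curl examples on this page, that the first (left-most) X-Forwarded-For entry is taken as the client address, and that endHour is exclusive; the service may differ on those details.

```python
"""Local model of the access-policy check that gates getSecretValue and
putSecretValue. Added illustration, not Thalassa Cloud's code: the condition
shape (type/effect/cidrs/startHour/endHour/timezone) mirrors this page's
examples and the evaluation order follows the rules above. Assumptions are
marked below; the real service may differ in those details."""
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError


def client_ip(headers, connection_addr):
    """Pick the client IP in the order the page gives: X-Forwarded-For,
    X-Real-IP, then the connection address. Assumption: the first (left-most)
    X-Forwarded-For entry is used. Whatever the service does, a deployment
    should only trust these headers when a trusted proxy sets them."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("x-forwarded-for"):
        return h["x-forwarded-for"].split(",")[0].strip()
    if h.get("x-real-ip"):
        return h["x-real-ip"].strip()
    return connection_addr


def _tz(name):
    try:
        return ZoneInfo(name)
    except ZoneInfoNotFoundError:
        if name == "UTC":  # keep the model runnable on hosts without tzdata
            return timezone.utc
        raise


def _ip_matches(cond, addr):
    ip = ip_address(addr)
    return any(ip in ip_network(c, strict=False) for c in cond["cidrs"])


def _time_matches(cond, now_utc):
    """startHour <= local hour < endHour. Assumption: endHour is exclusive.
    startHour > endHour is an overnight window (e.g. 22 -> 6)."""
    hour = now_utc.astimezone(_tz(cond["timezone"])).hour
    start, end = cond["startHour"], cond["endHour"]
    if start <= end:
        return start <= hour < end
    return hour >= start or hour < end  # window crosses midnight


def _matches(cond, addr, now_utc):
    if cond["type"] == "ip":
        return _ip_matches(cond, addr)
    if cond["type"] == "time":
        return _time_matches(cond, now_utc)
    raise ValueError(f"unknown condition type {cond['type']!r}")


def evaluate(access_policy, addr, now_utc):
    """Return (allowed, reason). Runs only after IAM has already permitted
    the call; a policy can narrow an IAM allow, never widen it."""
    conds = (access_policy or {}).get("conditions") or []
    if not conds:
        return True, "no policy: IAM decision stands"
    for c in conds:  # 1. any matching deny wins
        if c["effect"] == "deny" and _matches(c, addr, now_utc):
            return False, f"denied by {c['type']} condition"
    allows = [c for c in conds if c["effect"] == "allow"]
    if allows and not any(_matches(c, addr, now_utc) for c in allows):
        return False, "no allow condition matched"  # 2. allows present, none hit
    return True, "allowed"


def decide(policy, headers, connection_addr, at_iso):
    """Convenience wrapper: resolve the client IP from the request headers and
    evaluate at an ISO-8601 timestamp such as '2024-06-10T23:30:00+00:00'."""
    at = datetime.fromisoformat(at_iso).astimezone(timezone.utc)
    return evaluate(policy, client_ip(headers, connection_addr), at)


# Constructed sample policy: the page's IP allow list plus a deny and a
# night-shift window in UTC, so every branch above is exercised.
SAMPLE_POLICY = {
    "conditions": [
        {"type": "ip", "effect": "deny", "cidrs": ["10.9.0.0/16"]},
        {"type": "ip", "effect": "allow", "cidrs": ["10.0.0.0/8", "192.168.1.0/24"]},
        {"type": "time", "effect": "allow", "startHour": 22, "endHour": 6,
         "timezone": "UTC"},
    ]
}

if __name__ == "__main__":
    req = {"X-Forwarded-For": "10.1.2.3, 203.0.113.7"}
    print(decide(SAMPLE_POLICY, req, "203.0.113.7", "2024-06-10T23:30:00+00:00"))
```

Note what the stated rule implies for policies that mix condition types: allow conditions are alternatives, so in the sample above a request from 10.0.0.0/8 passes at any hour, and a request from outside the allowed ranges passes only during the 22:00 to 06:00 window. Deny conditions, by contrast, are checked first and always win.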
Set or update a policy
PUT /v1/secrets/{region}/secret/app/production/db/password/policy

Example with an IP allow list and a time window:

```bash
curl -s -X PUT \
  -H "Authorization: Bearer $TOKEN" \
  -H "X-Organisation-Identity: $ORG_ID" \
  -H "Content-Type: application/json" \
  -d '{
    "accessPolicy": {
      "conditions": [
        {
          "type": "ip",
          "effect": "allow",
          "cidrs": ["10.0.0.0/8", "192.168.1.0/24"]
        },
        {
          "type": "time",
          "effect": "allow",
          "startHour": 8,
          "endHour": 18,
          "timezone": "Europe/Amsterdam"
        }
      ]
    }
  }' \
  https://api.thalassa.cloud/v1/secrets/nl-01/secret/app/production/db/password/policy
```

You can also set accessPolicy at secret creation time.
Clear a policy
Send "accessPolicy": null to remove all access policy rules:

```bash
curl -s -X PUT \
  -H "Authorization: Bearer $TOKEN" \
  -H "X-Organisation-Identity: $ORG_ID" \
  -H "Content-Type: application/json" \
  -d '{"accessPolicy": null}' \
  https://api.thalassa.cloud/v1/secrets/nl-01/secret/app/production/db/password/policy
```

Use cases
| Scenario | Policy pattern |
|---|---|
| Secrets accessed only from a VPC | IP allow with your VPC CIDR ranges |
| Human-operated break-glass secrets | Time window during business hours |
| Deny access from known bad networks | IP deny with specific CIDRs |
Access policies complement IAM — they do not replace it. Principals still need the appropriate IAM permissions.
Permissions
Setting or clearing an access policy requires the update permission on the secret path. See Access control.
Audit
Policy changes emit secrets.update_policy audit events. See Audit log.
Related documentation
- Access control — IAM permissions evaluated before access policies
- Best practices — When to use IP and time restrictions
- Reading and updating values — Operations gated by policy