From 7ed27bd8d93413280903d046174234ce259fd58b Mon Sep 17 00:00:00 2001
From: Marc Littlemore
Date: Mon, 27 Jan 2025 15:25:19 +0000
Subject: [PATCH] DOC-1329: Update AWS Secrets Manager docs (#2787)
Co-authored-by: Justin Ellingwood
---
 docs/external-secrets.md | 42 +++++++++++++++++--
 styles/config/vocabularies/default/accept.txt | 1 +
 2 files changed, 40 insertions(+), 3 deletions(-)
diff --git a/docs/external-secrets.md b/docs/external-secrets.md
index 37bd4ebc0..24b4544ef 100644
--- a/docs/external-secrets.md
+++ b/docs/external-secrets.md
@@ -26,15 +26,15 @@ Your secret names can't contain spaces, hyphens, or other special characters. n8
 1. Select **Set Up** for your store provider.
 1. Enter the credentials for your provider:
 * Azure Key Vault: Provide your **vault name**, **tenant ID**, **client ID**, and **client secret**. Refer to the Azure documentation to [register a Microsoft Entra ID app and create a service principal](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal){:target=_blank .external-link}. n8n supports only single-line values for secrets.
- * AWS Secrets Manager: provide your **access key ID**, **secret access key**, and **region**. The IAM user must have the `secretsmanager:ListSecrets` and `secretsmanager:BatchGetSecretValue` permissions.
+ * AWS Secrets Manager: provide your **access key ID**, **secret access key**, and **region**. The IAM user must have the `secretsmanager:ListSecrets`, `secretsmanager:BatchGetSecretValue`, and `secretsmanager:GetSecretValue` permissions.
- Example policy:
+ To give n8n access to all secrets in your AWS Secrets Manager, you can attach the following policy to the IAM user:
 ```json
 {
 "Version": "2012-10-17",
 "Statement": [
 {
- "Sid": "VisualEditor0",
+ "Sid": "AccessAllSecrets",
 "Effect": "Allow",
 "Action": [
 "secretsmanager:ListSecrets",
@@ -50,6 +50,42 @@ Your secret names can't contain spaces, hyphens, or other special characters. n8
 }
 ```
+ You can also be more restrictive and give n8n access to select specific AWS Secret Manager secrets. You still need to allow the `secretsmanager:ListSecrets` and `secretsmanager:BatchGetSecretValue` permissions to access all resources. These permissions allow n8n to retrieve ARN-scoped secrets, but don't provide access to the secret values.
+
+ Next, you need set the scope for the `secretsmanager:GetSecretValue` permission to the specific Amazon Resource Names (ARNs) for the secrets you wish to share with n8n. Ensure you use the correct region and account ID in each resource ARNs. You can find the ARN details in the AWS dashboard for your secrets.
+
+ For example, the following IAM policy only allows access to secrets with a name starting with `n8n` in your specified AWS account and region:
+
+ ```json
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "ListingSecrets",
+ "Effect": "Allow",
+ "Action": [
+ "secretsmanager:ListSecrets",
+ "secretsmanager:BatchGetSecretValue"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "RetrievingSecrets",
+ "Effect": "Allow",
+ "Action": [
+ "secretsmanager:GetSecretValue",
+ "secretsmanager:DescribeSecret"
+ ],
+ "Resource": [
+ "arn:aws:secretsmanager:us-west-2:123456789000:secret:n8n*"
+ ]
+ }
+ ]
+ }
+ ```
+
+ For more IAM permission policy examples, consult the [AWS documentation](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_iam-policies.html#auth-and-access_examples_batch){:target=_blank .external-link}.
+
 * HashiCorp Vault: provide the **Vault URL** for your vault instance, and select your **Authentication Method**. Enter your authentication details. Optionally provide a namespace.
 - Refer to the HashiCorp documentation for your authentication method: [Token auth method](https://developer.hashicorp.com/vault/docs/auth/token){:target=_blank .external-link}
diff --git a/styles/config/vocabularies/default/accept.txt b/styles/config/vocabularies/default/accept.txt
index fcfbc6220..76dace011 100644
--- a/styles/config/vocabularies/default/accept.txt
+++ b/styles/config/vocabularies/default/accept.txt
@@ -7,6 +7,7 @@ Airtable
 [Aa]llowlist
 Anthropic
 APIs
+ARNs
 Asana
 Atlassian
 Authentik