Available in VPC
You can set different access permissions for Secret Manager using NAVER Cloud Platform's Sub Account service. Sub Account offers system-managed (System Managed) policies to help you configure management and operation permissions.
Sub Account is a free service with no additional charges. For more information about Sub Account, see Services > Management & Governance > Sub Account on the NAVER Cloud Platform portal and the Sub Account user guide.
System-managed policies
System-managed policies are pre-built, role-based policies that NAVER Cloud Platform provides for your convenience. When you assign one of these policies to a sub account, that account gets access to Secret Manager. Here are the available system-managed policies for Secret Manager:
| Policy name | Policy description |
|---|---|
| NCP_ADMINISTRATOR | Full access to all services, same as the main account |
| NCP_INFRA_MANAGER | Access to all NAVER Cloud Platform services, except the My Account > Pricing information and cost management > Billing and payment management menu on the console |
| NCP_FINANCE_MANAGER | Access to Cost Explorer and the My Account > Pricing information and cost management > Billing and payment management menu on the console |
| NCP_SECRETMANAGER_USER | Access to the Secret Manager console and the view feature only |
| NCP_SECRETMANAGER_MANAGER | Full access to all features of Secret Manager |
User-defined policies
User-defined policies let you create custom permissions. When you assign a user-defined policy to a sub account, that account can only perform the specific actions you've allowed. Here are the available user-defined policies for Secret Manager:
If you grant someone access to a specific action but not to the required related actions, they won't be able to complete their tasks. Sub Account automatically includes these related permissions to prevent this issue. However, if you manually uncheck these auto-selected related actions, the system assumes this was intentional and won't override your selection.
Secret action
| Type | Action name | Related action | Resource type | Group by resource type | Action description |
|---|---|---|---|---|---|
| View | getSecretList | - | - | Secret Manager | View list of secrets. |
| View | getSecretDetail | View/getSecretList | Secret | Secret Manager | View secret details. |
| View | getSecretLogs | View/getSecretList, View/getSecretDetail | Secret | Secret Manager | View secret usage log. |
| View | getSecretValue | View/getSecretList, View/getSecretDetail | Secret | Secret Manager | View secret chain value. |
| Change | createSecret | View/getSecretList, View/getProtectionKeyList, View/getProtectionKeyDetail, View/getRotationTriggerList, View/getRotationTriggerDetail | - | Secret Manager | Create new secret. |
| Change | deleteSecret | View/getSecretList, View/getSecretDetail | Secret | Secret Manager | Delete secret immediately. This action cannot be reversed. |
| Change | enableSecret | View/getSecretList, View/getSecretDetail | Secret | Secret Manager | Switch secret to be available. |
| Change | disableSecret | View/getSecretList, View/getSecretDetail | Secret | Secret Manager | Switch secret to be disabled. |
| Change | requestSecretDeletion | View/getSecretList, View/getSecretDetail | Secret | Secret Manager | Switch secret to deletion pending status. |
| Change | cancelSecretDeletion | View/getSecretList, View/getSecretDetail | Secret | Secret Manager | Release deletion pending status of secret and switch it to be disabled. |
| Change | updateSecretMemo | View/getSecretList, View/getSecretDetail | Secret | Secret Manager | Edit secret memos. |
| Change | updateProtectionKey | View/getSecretList, View/getSecretDetail, View/getProtectionKeyList, View/getProtectionKeyDetail | Secret | Secret Manager | Re-encrypt by changing secret protection key. |
| Change | updateRotationTrigger | View/getSecretList, View/getSecretDetail, View/getRotationTriggerList, View/getRotationTriggerDetail | Secret | Secret Manager | Change secret rotation trigger. |
| Change | deleteRotationTrigger | View/getSecretList, View/getSecretDetail, View/getRotationTriggerDetail | Secret | Secret Manager | Release secret rotation trigger. |
| Change | updateSecretValue | View/getSecretList, View/getSecretDetail, View/getSecretValue | Secret | Secret Manager | Change secret chain value. |
| Change | enableAutoRotation | View/getSecretList, View/getSecretDetail | Secret | Secret Manager | Enable automatic secret rotation. |
| Change | disableAutoRotation | View/getSecretList, View/getSecretDetail | Secret | Secret Manager | Disable automatic secret rotation. |
| Change | updateAutoRotationPeriod | View/getSecretList, View/getSecretDetail | Secret | Secret Manager | Change secret auto rotation period. |
| Change | executeRotation | View/getSecretList, View/getSecretDetail, View/getSecretValue | Secret | Secret Manager | Execute secret rotation action. |
| Change | retryRotation | View/getSecretList, View/getSecretDetail, View/getSecretValue | Secret | Secret Manager | Re-execute the rotation for a secret in failed rotation status. |
| Change | rollbackRotation | View/getSecretList, View/getSecretDetail, View/getSecretValue | Secret | Secret Manager | Roll back a completed secret rotation to restore the previous state. |
| Change | cancelRotation | View/getSecretList, View/getSecretDetail, View/getSecretValue | Secret | Secret Manager | Stop a secret operation that has not yet completed. |
| Change | subscribeProduct | - | - | Secret Manager | Subscribe to Secret Manager. |
| Change | unsubscribeProduct | - | - | Secret Manager | Unsubscribe from Secret Manager. |
Secret protection key action
| Type | Action name | Related action | Resource type | Group by resource type | Action description |
|---|---|---|---|---|---|
| View | getProtectionKeyList | KMS:View/getKeyList | - | Key Management Service | View list of secret protection keys. |
| View | getProtectionKeyDetail | View/getProtectionKeyList, KMS:View/getKeyInfo, KMS:Change/createKeySubscription | Key | Key Management Service | View secret protection key details. |
Secret rotation trigger action
| Type | Action name | Related action | Resource type | Group by resource type | Action description |
|---|---|---|---|---|---|
| View | getRotationTriggerList | - | - | Cloud Functions | View list of triggers that can be designated as secret rotation triggers. |
| View | getRotationTriggerDetail | View/getRotationTriggerList | Trigger | Cloud Functions | View details of triggers that can be designated as secret rotation triggers. |
| View | getRotationActionList | - | - | Cloud Functions | View list of secret rotation actions. |
| View | getRotationActionDetail | View/getRotationActionList | Action | Cloud Functions | View secret rotation action details. |
| Change | createRotationTrigger | View/getRotationActionList, View/getRotationActionDetail | - | Cloud Functions | Create secret rotation trigger. |
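
The related-action rule described under "User-defined policies" can be checked before a policy is assigned. The following is an added example, not NAVER Cloud Platform code: it transcribes a subset of the rows above into a map and audits a hypothetical policy given as a plain list of action names. Following related actions transitively and the `audit` output format are assumptions of this example.

```python
# Related-action map transcribed from rows of the tables on this page.
# Names use the page's "Type/Action" notation; "KMS:" marks another service.
RELATED = {
    "View/getSecretList": [],
    "View/getSecretDetail": ["View/getSecretList"],
    "View/getSecretValue": ["View/getSecretList", "View/getSecretDetail"],
    "View/getProtectionKeyList": ["KMS:View/getKeyList"],
    "View/getProtectionKeyDetail": ["View/getProtectionKeyList", "KMS:View/getKeyInfo",
                                    "KMS:Change/createKeySubscription"],
    "View/getRotationTriggerList": [],
    "View/getRotationTriggerDetail": ["View/getRotationTriggerList"],
    "Change/createSecret": ["View/getSecretList", "View/getProtectionKeyList",
                            "View/getProtectionKeyDetail", "View/getRotationTriggerList",
                            "View/getRotationTriggerDetail"],
    "Change/enableAutoRotation": ["View/getSecretList", "View/getSecretDetail"],
    "Change/executeRotation": ["View/getSecretList", "View/getSecretDetail",
                               "View/getSecretValue"],
}
VALUE_READ = "View/getSecretValue"  # the action that exposes the secret value

def closure(actions):
    """Every action reachable through related actions (assumed transitive)."""
    seen, stack = set(), list(actions)
    while stack:
        action = stack.pop()
        if action not in seen:
            seen.add(action)
            stack.extend(RELATED.get(action, []))  # unmapped actions are leaves
    return seen

def audit(granted):
    """Audit a hypothetical user-defined policy given as a list of action names."""
    granted = set(granted)
    return {
        # related actions that were left out (for example, manually unchecked)
        "missing": sorted(closure(granted) - granted),
        # grants that cannot work without read access to the secret value
        "needs_value_read": sorted(a for a in granted
                                   if a != VALUE_READ and VALUE_READ in closure([a])),
    }

if __name__ == "__main__":
    print(audit(["Change/executeRotation", "Change/enableAutoRotation"]))
    print(audit(["Change/createSecret"]))
```

A non-empty `needs_value_read` means the role can read secret values even if it was intended only to operate rotation, which is worth reviewing against least privilege.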