Create an IAM role to read from Secrets Manager

Question

Hi  
  
I use Secrets Manager to store passwords which I need to read (in Python) from services launched in my EC2 instances.  
  
In order to do that one solution that I thought about where creating a role which can access to Secrets Manager and attach it to instances I want to read secrets from. However, when I try to create the role I cannot find the Secrets Manager service.  
  
Another solution could be storing both the access key and the secret key of an user who can access to that service in the EC2 instances but I don't like that solution because I would prefer not storing that kind of keys in the instances.  
  
Any ideas to create the role I talk about or any other solution?  
  
Thank you very much

Answer

When you create a  role for EC2   you should select EC2 as the service in the first screen of the IAM create role UI. This service is the one that has permission to assume the role, so you need to grant EC2 permission to assume the role in order to provide the credentials to the instance.  
  
On the next screen where you are attaching policies to the role, you would select SecretsManagerReadWrite which grants permission for "secretsmanager:*" as well as a number of other permissions. Alternatively, if you know exactly what permissions you need on the instance, you could skip attaching a policy and write a stripped down in-line policy to provide least privileges to the instance.

Answer

Ok, thanks, now is more clear.  
  
Regards

Create an IAM role to read from Secrets Manager

Relevanter Inhalt