Create an IAM role to read from Secrets Manager

0

Hi

I use Secrets Manager to store passwords which I need to read (in Python) from services launched in my EC2 instances.

In order to do that one solution that I thought about where creating a role which can access to Secrets Manager and attach it to instances I want to read secrets from. However, when I try to create the role I cannot find the Secrets Manager service.

Another solution could be storing both the access key and the secret key of an user who can access to that service in the EC2 instances but I don't like that solution because I would prefer not storing that kind of keys in the instances.

Any ideas to create the role I talk about or any other solution?

Thank you very much

malopez
gefragt vor 4 Jahren4855 Aufrufe
2 Antworten
1

When you create a role for EC2 https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#create-iam-role you should select EC2 as the service in the first screen of the IAM create role UI. This service is the one that has permission to assume the role, so you need to grant EC2 permission to assume the role in order to provide the credentials to the instance.

On the next screen where you are attaching policies to the role, you would select SecretsManagerReadWrite which grants permission for "secretsmanager:*" as well as a number of other permissions. Alternatively, if you know exactly what permissions you need on the instance, you could skip attaching a policy and write a stripped down in-line policy to provide least privileges to the instance.

AWS
beantwortet vor 4 Jahren
0

Ok, thanks, now is more clear.

Regards

malopez
beantwortet vor 4 Jahren

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen