Create an IAM role to read from Secrets Manager

0

Hi

I use Secrets Manager to store passwords which I need to read (in Python) from services launched in my EC2 instances.

In order to do that one solution that I thought about where creating a role which can access to Secrets Manager and attach it to instances I want to read secrets from. However, when I try to create the role I cannot find the Secrets Manager service.

Another solution could be storing both the access key and the secret key of an user who can access to that service in the EC2 instances but I don't like that solution because I would prefer not storing that kind of keys in the instances.

Any ideas to create the role I talk about or any other solution?

Thank you very much

malopez
질문됨 4년 전4004회 조회
2개 답변
1

When you create a role for EC2 https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#create-iam-role you should select EC2 as the service in the first screen of the IAM create role UI. This service is the one that has permission to assume the role, so you need to grant EC2 permission to assume the role in order to provide the credentials to the instance.

On the next screen where you are attaching policies to the role, you would select SecretsManagerReadWrite which grants permission for "secretsmanager:*" as well as a number of other permissions. Alternatively, if you know exactly what permissions you need on the instance, you could skip attaching a policy and write a stripped down in-line policy to provide least privileges to the instance.

AWS
답변함 4년 전
0

Ok, thanks, now is more clear.

Regards

malopez
답변함 4년 전

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인