Need help on .ebextension file for Domain Join EC2 instance via Secret Manager


I am using Elastic Beanstalk .ebextension file to join the Windows EC2 the into Domain. I have stored my credentials in AWS Secret Manager. Is it mandatory to use Access ID / Access Key to access AWS Secret Manager from Windows EC2 instance ?

If Yes, then how can I secure my Access ID / Access Key on the script.

1 Answer

IAM Access Keys are not required to access AWS Secrets Manager from a Windows EC2 Instance. In fact, IAM roles are always recommended over using Access Keys where possible because they allow for the use of temporary credentials and eliminate the need for securing long-lived access codes. In Elastic Beanstalk, each instance in an environment is assigned an IAM role (more precisely, it is assigned an Instance Profile that contains an IAM role). Most tools that use the official AWS SDKs such as the AWS CLI and AWS Tools for Powershell will automatically recognize and use the credentials from the IAM role associated with the instance.

To allow your instance to retrieve credentials to join your domain from AWS Secrets Manager, you can either a) add the necessary Secrets Manager permissions to the default instance profile or b) create a custom role and instance profile with the correct permissions and update the assigned instance profile of your Elastic Beanstalk environment. To update the role in the console, first go to "Configuration" page for your Elastic Beanstalk environment. Then, under "Service access", click "Edit". Update the assigned "EC2 Instance Profile". When creating a new custom role, be sure to also apply the necessary managed policies to ensure your instance continues to work with Elastic Beanstalk. More information on the required policies and instance profile in Elastic Beanstalk can be found on this page of the AWS Documentation website (

After setting up the necessary permissions on the IAM role associated with your Elastic Beanstalk instances, you should be able to access Secrets Manager from scripts in .ebextension files without explicitly configuring any credentials. If you are using custom tooling that does not automatically detect the instance profile credentials, you can access them via the Instance Metadata endpoint on your instance (see

profile pictureAWS
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions