By using AWS re:Post, you agree to the Terms of Use

Access Control in Secrets Manager for Federated Users

0

My scenario: I have my users in Azure AD. This is connected to AWS Single Account SSO into an AWS Account using IAM SAML IDP (PS: we are not using AWS SSO Service). We are using AWS Secrets Manager and want to store per user secret using a secret name path (eg /usersecrets/<azure_ad_username>/<secret_name> When the users login using Azure AD auth, they automatically assume the IAM Role attached. I would like to do the following:

Requirement1:

  1. Allow users to list secrets, create secrets and get secret value for any secret which has a name /usersecrets/<azure_ad_username>/* (here the azure_ad_username is what AWS session sees when the assume role to login)
  2. Deny access to any secret unless the request is coming from Federated user (i.e local IAM users in AWS account should not be able to see any secret in path /usersecrets/<azure_ad_username>/*

Requirement2: In addition to the federates Azure AD users, I also want to allow a EC2 Instance Role to be able to Get/List/Describe any secret. This EC2 role is in same AWS account where secrets are and is attached to all Windows Servers. This IAM role is to allow SSM Run commands to execute on these Windows machines and fetch the secrets values (eg, to get the secret of a user and create a local windows user with same name and password as it is in secret manager using powershell.

Questions: Can you help with some sample IAM Policy for the role or the secret manager resource policy I can use to meet both the requirements?

1 Answer
1

You can use the concept of a Token Vending Machine (see here to create dynamic policies for users when you federate it.

For the EC2 Role, see examples here: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html

profile picture
answered 8 months ago
profile picture
EXPERT
reviewed 8 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions