Help with Secrets Manager Auth

0

I'm in the process of setting up AWS Secrets Manager for application access. The part I'm stuck on is the authentication from the application to Secrets Manager. This appears to be restricted to individuals (users) with AWS accounts. I'd like to let the application have access, but not the engineers. A few questions.

  1. Do I need to set up an application user?
  2. Is there a token-based access method or better way of handling this without giving users direct access to retrieve from the vault?
  3. Do I have to set up a non-secret layer of the vault that engineers can develop against and then swap out the credentials at build time?

If I'm way off base, I'd appreciate a good walkthrough of the proper way to set this up so that engineers don't have access to secrets, but the application can access secrets in various environments (e.g. DEV, QA, INT, PROD). Thanks for the help!

2 Answers
1
Accepted Answer

It looks like AWS offers 3 options.

  1. Grant a user direct access to the vault.
  2. Grant an EC2 direct access to the vault.
  3. Grant a function direct access to the vault.

None of these were my first choice since it's an MVC website being developed locally and then simply being hosted on an EC2 afterwards. I also didn't want the engineers having direct access to the vault. However, due to the above limitations, I'll have to rework the vault to have a lower "unprivileged" layer, an upper "privileged" layer and then grant engineers access to the lower layer.

answered 5 months ago
1

Hello.

For example, how about setting the following resource-based policy on the Secrets Manager secret?
If you set a resource-based policy like the one below, the secret will only be accessible from AWS resources that have the IAM user or IAM role whose ARN is listed in "aws:PrincipalArn".
https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_resource-policies.html

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": [
                "arn:aws:secretsmanager:ap-northeast-1:111111111111:secret:test/SecretID"
            ],
            "Condition": {
                "StringNotEquals": {
                    "aws:PrincipalArn": [
                        "arn:aws:iam::111111111111:role/lambda-role-name",
                        "arn:aws:iam::111111111111:role/EC2-IAM-Role",
                        "arn:aws:iam::111111111111:user/IAM-user-name"
                    ]
                }
            }
        }
    ]
}
answered 5 months ago
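As an added illustration (not part of either answer and not AWS's own evaluation logic), here is a small offline model of how that Deny statement combines with a caller's own IAM permissions. The ARNs are the constructed ones from the policy above plus a hypothetical engineer user; same-account evaluation is assumed.

```python
# Added illustration, not AWS code: a minimal model of how the Deny statement
# above combines with a caller's identity policy. Same-account evaluation only.
SECRET_ARN = "arn:aws:secretsmanager:ap-northeast-1:111111111111:secret:test/SecretID"

# The resource policy from the answer, reduced to the fields the model needs.
RESOURCE_POLICY = {
    "Statement": [{
        "Effect": "Deny",
        "Action": ["secretsmanager:GetSecretValue"],
        "Resource": [SECRET_ARN],
        "Condition": {"StringNotEquals": {"aws:PrincipalArn": [
            "arn:aws:iam::111111111111:role/lambda-role-name",
            "arn:aws:iam::111111111111:role/EC2-IAM-Role",
            "arn:aws:iam::111111111111:user/IAM-user-name",
        ]}},
    }]
}

def deny_applies(stmt, principal_arn, action, resource):
    """True when this Deny statement matches the request. For a role used by
    EC2 or Lambda, aws:PrincipalArn carries the role ARN itself (not the
    assumed-role session ARN), so the plain role ARNs in the list match."""
    if stmt["Effect"] != "Deny":
        return False
    if action not in stmt["Action"] or resource not in stmt["Resource"]:
        return False
    allowed = stmt["Condition"]["StringNotEquals"]["aws:PrincipalArn"]
    return principal_arn not in allowed

def evaluate(principal_arn, action, resource, identity_allows):
    """identity_allows: actions granted by the caller's own IAM policy.
    IAM's rule: an explicit Deny anywhere wins; otherwise an Allow is needed,
    and since this resource policy only denies, the Allow must come from the
    caller's identity policy."""
    for stmt in RESOURCE_POLICY["Statement"]:
        if deny_applies(stmt, principal_arn, action, resource):
            return "explicit deny"
    return "allow" if action in identity_allows else "implicit deny"

# Constructed callers: the EC2 role from the policy and a hypothetical engineer.
EC2_ROLE = "arn:aws:iam::111111111111:role/EC2-IAM-Role"
ENGINEER = "arn:aws:iam::111111111111:user/engineer"   # hypothetical user
FULL_READ = {"secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"}

if __name__ == "__main__":
    for who in (EC2_ROLE, ENGINEER):
        for act in sorted(FULL_READ):
            print(who.rsplit("/", 1)[1], act, "->", evaluate(who, act, SECRET_ARN, FULL_READ))
```

Running it shows that an engineer whose identity policy grants full read is still refused the secret value, but can still call DescribeSecret, since the Deny lists only GetSecretValue; widen the action list if metadata should also be off limits.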
