Create an IAM role to read from Secrets Manager

0

Hi

I use Secrets Manager to store passwords which I need to read (in Python) from services launched in my EC2 instances.

In order to do that, one solution I thought about was creating a role which can access Secrets Manager and attaching it to the instances I want to read secrets from. However, when I try to create the role I cannot find the Secrets Manager service.

Another solution could be storing both the access key and the secret key of a user who can access that service on the EC2 instances, but I don't like that solution because I would prefer not to store that kind of key on the instances.

Any ideas on how to create the role I am talking about, or any other solution?

Thank you very much

malopez
Asked 4 years ago, 4859 views
2 answers
1

When you create a role for EC2 https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#create-iam-role you should select EC2 as the service in the first screen of the IAM create role UI. This service is the one that has permission to assume the role, so you need to grant EC2 permission to assume the role in order to provide the credentials to the instance.

On the next screen, where you are attaching policies to the role, you would select SecretsManagerReadWrite, which grants permission for "secretsmanager:*" as well as a number of other permissions. Alternatively, if you know exactly what permissions you need on the instance, you could skip attaching a policy and write a stripped-down inline policy to provide least privileges to the instance.

AWS
Answered 4 years ago
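As an added example (not part of the original thread, and not AWS-provided code), the following Python block shows the three pieces the answer above describes: the trust policy that "select EC2 as the service" produces, a stripped-down inline policy scoped to named secrets instead of SecretsManagerReadWrite, and the boto3 read from inside the instance, where the attached role supplies credentials so no access keys are stored on disk. The account ID, region and secret name are hypothetical, and the `FakeSecretsManager` class is a constructed stand-in for the boto3 client so the block runs offline; replace it with `boto3.client("secretsmanager")` on a real instance.

```python
import json

# Constructed values for this example (hypothetical account, region and secret).
ACCOUNT_ID = "123456789012"
REGION = "eu-west-1"
SECRET_NAME = "prod/app/db-password"


def ec2_trust_policy():
    """Trust policy the console generates when you pick EC2 as the trusted service.

    Only the EC2 service principal may assume the role; that is what lets an
    instance carrying the role obtain temporary credentials from the metadata service.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": "ec2.amazonaws.com"},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def secret_arn(account_id, region, secret_name):
    """ARN pattern for one secret. Secrets Manager appends a random six-character
    suffix to every secret ARN, so the name must end in a wildcard to match it."""
    return f"arn:aws:secretsmanager:{region}:{account_id}:secret:{secret_name}-*"


def read_secret_policy(secret_arns):
    """Stripped-down inline policy: read-only, and scoped to specific secrets.

    Compare with the managed SecretsManagerReadWrite policy, which grants
    "secretsmanager:*" on every secret in the account.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadNamedSecrets",
                "Effect": "Allow",
                "Action": [
                    "secretsmanager:GetSecretValue",
                    "secretsmanager:DescribeSecret",
                ],
                "Resource": list(secret_arns),
            }
        ],
    }


def grants_wildcard(policy):
    """Pre-attach check: True if any Allow statement uses a bare "*" resource
    or a "*" / "secretsmanager:*" action."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if any(a in ("*", "secretsmanager:*") for a in actions):
            return True
        if any(r == "*" for r in resources):
            return True
    return False


def get_secret(secret_id, client=None):
    """Read a secret from inside the instance.

    With the role attached, boto3 picks up the role's temporary credentials from
    the instance metadata service automatically; nothing is stored on disk.
    """
    if client is None:
        import boto3  # imported here so the policy helpers work without boto3 installed
        client = boto3.client("secretsmanager")
    resp = client.get_secret_value(SecretId=secret_id)
    if "SecretString" in resp:
        raw = resp["SecretString"]
        try:
            parsed = json.loads(raw)  # key/value secrets are stored as a JSON object
        except ValueError:
            return raw  # plaintext secret
        return parsed if isinstance(parsed, dict) else raw
    return resp["SecretBinary"]  # boto3 returns binary secrets as bytes


class FakeSecretsManager:
    """Constructed stand-in for boto3's Secrets Manager client (offline only)."""

    def __init__(self, secrets):
        self._secrets = secrets

    def get_secret_value(self, SecretId):
        return {"Name": SecretId, "SecretString": self._secrets[SecretId]}


if __name__ == "__main__":
    arn = secret_arn(ACCOUNT_ID, REGION, SECRET_NAME)
    print(json.dumps(ec2_trust_policy(), indent=2))
    policy = read_secret_policy([arn])
    print(json.dumps(policy, indent=2))
    assert not grants_wildcard(policy)
    fake = FakeSecretsManager({SECRET_NAME: json.dumps({"username": "app", "password": "s3cret"})})
    print(get_secret(SECRET_NAME, client=fake)["username"])
```

Two caveats when doing this outside the console wizard: the console creates an instance profile with the same name as the role for you, but with the CLI or API you must create one yourself (`aws iam create-instance-profile`, then `aws iam add-role-to-instance-profile`) before `aws ec2 associate-iam-instance-profile` will accept it; and if the secret is encrypted with a customer-managed KMS key rather than the default `aws/secretsmanager` key, the role also needs `kms:Decrypt` on that key or `GetSecretValue` will be denied.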
0

Ok, thanks, now it is clearer.

Regards

malopez
Answered 4 years ago
