Create an IAM role to read from Secrets Manager

0

Hi

I use Secrets Manager to store passwords which I need to read (in Python) from services launched in my EC2 instances.

In order to do that, one solution I thought about was creating a role which can access Secrets Manager and attaching it to the instances I want to read secrets from. However, when I try to create the role I cannot find the Secrets Manager service.

Another solution could be storing both the access key and the secret key of a user who can access that service in the EC2 instances, but I don't like that solution because I would prefer not to store that kind of keys in the instances.

Any ideas to create the role I talk about or any other solution?

Thank you very much

malopez
Asked 4 years ago, viewed 4009 times
2 answers
1

When you create a role for EC2 https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#create-iam-role you should select EC2 as the service in the first screen of the IAM create role UI. This service is the one that has permission to assume the role, so you need to grant EC2 permission to assume the role in order to provide the credentials to the instance.

On the next screen where you are attaching policies to the role, you would select SecretsManagerReadWrite which grants permission for "secretsmanager:*" as well as a number of other permissions. Alternatively, if you know exactly what permissions you need on the instance, you could skip attaching a policy and write a stripped down in-line policy to provide least privileges to the instance.

AWS
Answered 4 years ago
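The two documents the answer describes, as an added example that is not part of the original post: the trust policy that lets EC2 assume the role, a stripped-down inline policy that allows only `secretsmanager:GetSecretValue` on one secret (instead of the `secretsmanager:*` granted by SecretsManagerReadWrite), a small check that flags wildcard grants, and the Python read that runs on the instance with the role's credentials. The secret ARN, region and secret name are constructed placeholders.

```python
import json

# Constructed placeholder; replace with the ARN of your own secret.
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db/password-AbCdEf"


def ec2_trust_policy() -> dict:
    """Trust policy: the EC2 service is the principal allowed to assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def read_one_secret_policy(secret_arn: str) -> dict:
    """Inline policy: read exactly one secret, nothing else (least privilege)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["secretsmanager:GetSecretValue"],
            "Resource": secret_arn,
        }],
    }


def has_wildcard_grant(policy: dict) -> bool:
    """True if any Allow statement uses '*' in its Action or Resource."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if any("*" in a for a in actions) or any("*" in r for r in resources):
            return True
    return False


def read_secret(secret_id: str, region: str = "us-east-1") -> str:
    """On the instance, boto3 obtains the role's credentials from the instance profile; no keys on disk."""
    import boto3  # imported lazily so the policy helpers above run without boto3 installed
    client = boto3.client("secretsmanager", region_name=region)
    return client.get_secret_value(SecretId=secret_id)["SecretString"]


if __name__ == "__main__":
    print(json.dumps(ec2_trust_policy(), indent=2))
    print(json.dumps(read_one_secret_policy(SECRET_ARN), indent=2))
```

If the secret is encrypted with a customer-managed KMS key rather than the AWS-managed one, the role also needs `kms:Decrypt` on that key.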
0

Ok, thanks, now it is clearer.

Regards

malopez
Answered 4 years ago