
I use AWS Secrets Manager to store passwords which I need to read from services launched in my EC2 instances.

In order to do that, one solution I thought about was creating a role which can access Secrets Manager and attaching it to the instances I want to read secrets from. However, when I try to create the role I cannot find the Secrets Manager service.

Another solution could be storing both the access key and the secret key of a user who can access that service in the EC2 instances, but I don't like that solution because I would prefer not to store that kind of key in the instances.

Any ideas on how to create the role I am talking about, or any other solution?

Thank you very much

Rourich

2 Answers

This might help in building the role policy you want: AWS Policy Generator

Sample Policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1598876678424",
      "Action": "secretsmanager:*",
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Amitabh Ghosh

Choose create policy and add the following code.

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "secretsmanager:GetSecretValue",
        "Resource": "<arn-of-the-secret-the-app-needs-to-access>"
    }
}
Sukhjinder Singh

Comment: Thanks a lot, I created this policy and attached it to an already created role which I was using previously and it works. Anyway, any ideas about why I cannot directly create a role to use it with only Secrets Manager? I'm simply curious. Thanks. – Rourich Aug 31 '20 at 18:25
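The piece the question is missing is that a role's trusted entity is the service that assumes it (EC2), not the service it calls (Secrets Manager), which is why Secrets Manager never shows up in the trusted-service list. The following is an added example, not code from either answer: it builds the EC2 trust policy plus a least-privilege permission policy for named secrets, and runs a small audit over both posted policies to show why the `secretsmanager:*` / `Resource: "*"` variant should be avoided. The secret ARN is a constructed placeholder.

```python
import json

# Trust policy: EC2 is the principal allowed to assume the role.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Constructed placeholder ARN, not a real secret.
EXAMPLE_SECRET_ARN = "arn:aws:secretsmanager:eu-west-1:123456789012:secret:app/db-password-AbCdEf"

def read_secret_policy(secret_arns):
    """Least-privilege permission policy: GetSecretValue on the named secrets only."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": list(secret_arns),
        }],
    }

def _as_list(value):
    # IAM accepts both a single string/object and a list; normalise for auditing.
    return value if isinstance(value, list) else [value]

def audit_policy(policy):
    """Return findings for Allow statements that are broader than a reader needs."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action {actions} (allows delete/update, not just read)")
        if "*" in resources:
            findings.append(f"statement {i}: Resource '*' grants access to every secret in the account")
    return findings

# The two policies as posted in the answers above.
FIRST_ANSWER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Stmt1598876678424", "Action": "secretsmanager:*", "Effect": "Allow", "Resource": "*"}]}
SECOND_ANSWER_POLICY = {"Version": "2012-10-17", "Statement":
    {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": EXAMPLE_SECRET_ARN}}

if __name__ == "__main__":
    print(json.dumps(EC2_TRUST_POLICY, indent=2))
    print(json.dumps(read_secret_policy([EXAMPLE_SECRET_ARN]), indent=2))
    print("first answer:", audit_policy(FIRST_ANSWER_POLICY))
    print("second answer:", audit_policy(SECOND_ANSWER_POLICY))
```

The trust policy goes on the role itself and the permission policy is attached to it; the instance then receives the role through an instance profile and no long-lived keys need to live on the instance.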