0

So instead of doing this (which is what I currently use to access the secrets manager service):

const AWS = require("aws-sdk");

// Long-lived IAM user keys, hardcoded in the application
AWS.config.credentials = new AWS.Credentials({
    accessKeyId: "string",
    secretAccessKey: "string",
});

// Create a Secrets Manager client
var secretsmanager = new AWS.SecretsManager({
    region: region,
    credentials: AWS.config.credentials
});

I want to do something in essence like this:

AWS.config.credentials = new AWS.Credentials({
    userARN/roleARN: "string",
});

Is there a way to accomplish that?

  • And no, I'm staying away from Lambda functions if possible. Environment is Node.js running on an Elastic Beanstalk EC2 instance – Nikola Tachev Jan 23 '20 at 03:04
  • What are you trying to do? Use the role assigned to the instance profile? You in general cannot just assume a role without any authentication. – Kevin Seaman Jan 23 '20 at 03:54
  • @KevinSeaman so I guess my question is: how do I go about authenticating without explicitly writing in the accessKey and secretAccessKey? Do I need to initialize a login and keep refreshing a token, or do I need to create a certificate? I'm newish to AWS, so I don't know what the best practice for authenticating is. – Nikola Tachev Jan 23 '20 at 12:43

3 Answers

1

In the case of running on EC2, you would typically assign a role to the EC2 instance that had the AWS permissions you need [1]. Then you can access the AWS credentials you need from the instance metadata [2][3].

  1. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
  2. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#instance-metadata-security-credentials
  3. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html
Kevin Seaman
  • 652
  • 3
  • 9
0

You can't use the RoleName only for authentication.

But if you don't want to hardcode/config the secret keys, you can configure your AWS key on your machine and load the profile in your application (AWS SDK). In this case, the system loads the access key and secret from your machine/server's AWS configuration.

After installing the AWS CLI, you can run the 'aws configure' command to create a profile.

This can work on your local machine or an EC2.

Karvan
  • 250
  • 2
  • 7
0

As @KevinSeaman stated, just attach a role to your EC2 instances. The credentials are automatically installed and rotated in the EC2 instance metadata.

Furthermore, if you are using the standard Amazon SDK, the SDK already knows how to fetch the credentials from the instance metadata, so you just create your client and specify the region; you do not need to add any credentials. In fact, if you have a long-lived process, it is better to let the SDK fetch the credentials, because the creds in the metadata are temporary and expire after about 6 hours. The SDK will periodically refresh the credentials from the metadata.

JoeB
  • 1,503
  • 7
  • 9