Authenticating by using IAM Role for AWS Secrets Manager
About this task
Procedure
- Log in to the Amazon AWS management console and ensure that you are connected to the relevant data center.
- Click Services. Then, from the Security, Identity, & Compliance menu, select IAM.
- From the menu, select Roles and then click Create role.
- Under Common use cases, select EC2. Click Next: Permissions, then click Next: Tags, and then click Next: Review.
- In the Role name field, enter the name of the role that you want to create. For example: Guardium_AWS_Secret_Manager_Role.
- Click Create role to create the Role ARN. Your Role ARN appears in the following format: arn:aws:iam::<AWS Account ID>:instance-profile/<Role name>.
- Click Attach policies and then click Create policy to create three policies to integrate your Guardium® system with the AWS Secrets Manager. You can use the visual editor or JSON to add your code.
- Create a policy to assume a role. Example code:
    Secret-mgr-assume-role-policy
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Resource": "arn:aws:iam::*:role/*"
            }
        ]
    }
  Click Review policy and save the policy. The policy appears in the following format: arn:aws:iam::<AWS Account ID>:policy/<policy-name>
- Create a second policy that allows the Secrets Manager service to read secrets for all resources. Example code:
    Secret-mgr-read-all-secret-policy
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": "secretsmanager:GetSecretValue",
                "Resource": "arn:aws:secretsmanager:*:01234567901:secret:*"
            }
        ]
    }
  In the example, 01234567901 indicates the AWS account number. The wildcard secret:* indicates that all secrets can be read.
  Click Review policy and save the policy. The policy appears in the following format: arn:aws:iam::<AWS Account ID>:policy/<policy-name>
- Create a policy to assume role.
- Define the trust relationship for the secret user by accessing Services > Identity and Access Management (IAM) > Roles. Select the role, click Trust relationships, then click Edit trust relationship and enter the code to create a trust relationship. Example:
    Trust relationship
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": [
                        "arn:aws:iam::01234567901:role/Test1_Guardium_AWS_Secret_Manager_Role",
                        "arn:aws:iam::01234567901:role/Test2_Guardium_AWS_Secret_Manager_Role",
                        "arn:aws:iam::01234567901:user/nameofuser"
                    ],
                    "Service": "ec2.amazonaws.com"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }
  In the example, 01234567901 indicates the AWS account number and nameofuser is the user name that is used to log in to the AWS account.
  Include the lines arn:aws:iam::01234567901:role/Test1_Guardium_AWS_Secret_Manager_Role or arn:aws:iam::01234567901:role/Test2_Guardium_AWS_Secret_Manager_Role in your code only when you use an IAM instance profile and you want those roles to assume an alternate role.
  In the example, Test1_Guardium_AWS_Secret_Manager_Role and Test2_Guardium_AWS_Secret_Manager_Role are the role names that are allowed to assume the alternate role Guardium_AWS_Secret_Manager_Role.
  Review the code and click Update trust policy.
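The policies and trust relationship above, as an added Python example that is not part of the IBM documentation: it builds a variant of the assume-role policy scoped to the single target role rather than arn:aws:iam::*:role/*, builds the trust relationship for the listed roles and user, and flags any statement that still grants sts:AssumeRole on a wildcard resource so it can be reviewed before the policy is attached. The account number and role names are the page's sample values; the function names are my own.

```python
# Constructed sample values copied from the page's examples (not a real account).
ACCOUNT_ID = "01234567901"
TARGET_ROLE = "Guardium_AWS_Secret_Manager_Role"

def assume_role_policy(account_id, role_name):
    """Scoped variant of Secret-mgr-assume-role-policy: allow sts:AssumeRole
    only on the one role the Guardium system needs, not on arn:aws:iam::*:role/*."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AssumeGuardiumSecretsRole",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::%s:role/%s" % (account_id, role_name),
        }],
    }

def trust_policy(account_id, assuming_roles, user=None):
    """Trust relationship for the target role: the instance-profile roles in
    assuming_roles and, optionally, one IAM user may assume it. The EC2 service
    principal is kept so the role can still back an instance profile."""
    principals = ["arn:aws:iam::%s:role/%s" % (account_id, r) for r in assuming_roles]
    if user:
        principals.append("arn:aws:iam::%s:user/%s" % (account_id, user))
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principals, "Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }

def wildcard_assume_role_sids(policy):
    """Sids of Allow statements that grant sts:AssumeRole on a wildcard Resource.
    Such a statement lets the principal attempt to assume any role whose trust
    policy admits it, so it deserves review before the policy is attached."""
    hits = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if stmt.get("Effect") == "Allow" and "sts:AssumeRole" in actions and any("*" in r for r in resources):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits
```

Paste the output of trust_policy into the Edit trust relationship dialog; run wildcard_assume_role_sids over any permission policy before attaching it.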
What to do next
Note the following information:
- The access key ID and the secret access key for the secret user.
- The role ARN that is created in step 6.