The IAM role authentication type allows an IAM role to be assumed by
specifying the role's Amazon Resource Name (ARN) in addition to an access key ID and secret
access key; the same role can also be attached to an EC2 instance as an IAM instance profile.
In this authentication scenario, the temporary security credentials that are issued for the
assumed role are used to connect to AWS Secrets Manager.
Procedure
-
Log in to the AWS Management Console and ensure that you are working in the relevant
AWS Region.
- Click Services. Then, from the Security, Identity,
& Compliance menu, select IAM.
- From the menu, select Roles and then click Create
role.
- Under Common use cases, select EC2. Click
Next: Permissions, then click Next: Tags, and then
click Next: Review.
- In the Role name field, enter the role name that you want to
create. Example: Guardium_AWS_Secret_Manager_Role
- Click Create role. The role ARN appears in the following format:
arn:aws:iam::<AWS Account ID>:role/<Role name>. Because the role was created for the EC2
use case, an instance profile with the same name is created with it; its ARN has the form
arn:aws:iam::<AWS Account ID>:instance-profile/<Role name>. Use the role ARN, not the
instance profile ARN, when you configure Guardium.
- Click Attach policies and then click Create policy to create the two policies that
follow, which integrate your Guardium® system with AWS Secrets Manager. You can use
the visual editor or the JSON editor to enter the policy document.
- Create a policy to assume role.
Example
code:
Secret-mgr-assume-role-policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::*:role/*"
}
]
}
Click Review policy and save the policy. The policy appears in the following
format:
arn:aws:iam::<AWS Account ID>:policy/<policy-name>
The resource arn:aws:iam::*:role/* allows the identity to assume any role in any account
whose trust policy accepts it. For least privilege, replace it with the ARN of the role that
you created in step 6.
- Create a second policy that allows secret values to be read from Secrets Manager for all
resources.
Example code:
Secret-mgr-read-all-secret-policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "secretsmanager:GetSecretValue",
"Resource": "arn:aws:secretsmanager:*:01234567901:secret:*"
}
]
}
In the example, 01234567901 indicates the AWS account number; replace it with your own
12-digit AWS account ID. The wildcard secret:* indicates that all secrets in the account can
be read. To limit the policy to the secrets that Guardium needs, replace secret:* with the
name, or name prefix, of those secrets.
Click Review policy and save the policy. The policy appears in the following format:
arn:aws:iam::<AWS Account ID>:policy/<policy-name>
- Define the trust relationship for the role. In the IAM console, select the role, click Trust
relationships, then click Edit trust relationship and enter the
code to create a trust relationship. Example:
Trust relationship
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::01234567901:role/Test1_Guardium_AWS_Secret_Manager_Role",
"arn:aws:iam::01234567901:role/Test2_Guardium_AWS_Secret_Manager_Role",
"arn:aws:iam::01234567901:user/nameofuser"
],
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
In the example, 01234567901 indicates the AWS account number and
nameofuser is the IAM user (the secret user) whose access key ID and secret access key
you provide to Guardium.
Include the lines
arn:aws:iam::01234567901:role/Test1_Guardium_AWS_Secret_Manager_Role or
arn:aws:iam::01234567901:role/Test2_Guardium_AWS_Secret_Manager_Role in your code
only when you use an IAM instance profile and want those roles to assume an alternate role.
In the example, Test1_Guardium_AWS_Secret_Manager_Role and
Test2_Guardium_AWS_Secret_Manager_Role are the role names that are allowed to
assume the alternate role Guardium_AWS_Secret_Manager_Role. The "Service":
"ec2.amazonaws.com" principal allows EC2 instances that carry the role's instance profile to
assume the role. Do not add a trailing comma after the last entry in the "AWS" list; the
console rejects the document as invalid JSON.
Review the code and click Update trust policy.
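The three documents in this procedure are easy to get subtly wrong: an over-broad sts:AssumeRole resource, a trailing comma in the principal list, or an account number that is not 12 digits. The following Python script is an added example, not IBM Guardium or AWS code. It generates the assume-role policy, the read-secrets policy and the trust policy from parameters, scoping the assume-role policy to a single role ARN (tighter than the page's arn:aws:iam::*:role/* example), and lints any policy document for those defects. The account ID 123456789012, the secret name prefix Guardium/*, and the role and user names are constructed placeholders; no AWS access is needed to run it.

```python
"""Generate and lint the IAM documents used in this procedure.

Added example, not IBM Guardium or AWS code. Account ID 123456789012, the
secret prefix and the role and user names are constructed placeholders.
Standard library only; no AWS access is needed.
"""
import json
import re

POLICY_VERSION = "2012-10-17"
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# arn:partition:service:region:account:...  (region is empty for IAM, "*" on the page)
ARN_ACCOUNT_RE = re.compile(r"^arn:aws:[a-z0-9-]+:[a-z0-9*-]*:(\d+):")


def assume_role_policy(account_id, role_name):
    """Identity policy that lets its holder assume exactly one role (least privilege)."""
    return {"Version": POLICY_VERSION, "Statement": [{
        "Sid": "AssumeGuardiumRole", "Effect": "Allow", "Action": "sts:AssumeRole",
        "Resource": f"arn:aws:iam::{account_id}:role/{role_name}"}]}


def read_secrets_policy(account_id, secret_prefix="*"):
    """Identity policy granting GetSecretValue on secrets whose name matches a prefix."""
    return {"Version": POLICY_VERSION, "Statement": [{
        "Sid": "ReadGuardiumSecrets", "Effect": "Allow",
        "Action": "secretsmanager:GetSecretValue",
        "Resource": f"arn:aws:secretsmanager:*:{account_id}:secret:{secret_prefix}"}]}


def trust_policy(account_id, roles=(), users=(), allow_ec2=True):
    """Trust policy of the target role: the principals allowed to assume it."""
    aws = [f"arn:aws:iam::{account_id}:role/{r}" for r in roles]
    aws += [f"arn:aws:iam::{account_id}:user/{u}" for u in users]
    principal = {}
    if aws:
        principal["AWS"] = aws
    if allow_ec2:  # EC2 instances that carry the role's instance profile
        principal["Service"] = "ec2.amazonaws.com"
    return {"Version": POLICY_VERSION, "Statement": [{
        "Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}]}


def _as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value)


def _check_account_id(arn):
    match = ARN_ACCOUNT_RE.match(arn)
    if match and not ACCOUNT_ID_RE.match(match.group(1)):
        return [f"account ID {match.group(1)} in {arn} is not 12 digits"]
    return []


def lint_policy(doc):
    """Return findings for a policy given as a dict or JSON text; [] means clean."""
    if isinstance(doc, str):
        try:
            doc = json.loads(doc)
        except json.JSONDecodeError as exc:  # e.g. a trailing comma in a list
            return [f"invalid JSON: {exc.msg} at line {exc.lineno}"]
    findings = []
    if doc.get("Version") != POLICY_VERSION:
        findings.append("Version must be 2012-10-17")
    for stmt in _as_list(doc.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*":
                findings.append("Resource * grants every resource")
            elif "sts:AssumeRole" in actions and res.startswith("arn:aws:iam::*:"):
                findings.append(f"sts:AssumeRole allowed on roles in any account: {res}")
            findings += _check_account_id(res)
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("Principal * lets any AWS identity assume the role")
        if isinstance(principal, dict):
            for arn in _as_list(principal.get("AWS", [])):
                findings += _check_account_id(arn)
    return findings


# The page's own examples, compacted, as constructed lint input.
PAGE_ASSUME_ROLE_POLICY_TEXT = """{"Version": "2012-10-17", "Statement": [{"Sid": "VisualEditor0",
 "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::*:role/*"}]}"""
PAGE_READ_SECRETS_POLICY_TEXT = """{"Version": "2012-10-17", "Statement": [{"Sid": "VisualEditor0",
 "Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
 "Resource": "arn:aws:secretsmanager:*:01234567901:secret:*"}]}"""
PAGE_TRUST_POLICY_TEXT = """{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
 "Principal": {"AWS": ["arn:aws:iam::01234567901:role/Test1_Guardium_AWS_Secret_Manager_Role",
                       "arn:aws:iam::01234567901:user/nameofuser",],
               "Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]}"""

if __name__ == "__main__":
    acct = "123456789012"
    for name, doc in {
        "Secret-mgr-assume-role-policy": assume_role_policy(acct, "Guardium_AWS_Secret_Manager_Role"),
        "Secret-mgr-read-all-secret-policy": read_secrets_policy(acct, "Guardium/*"),
        "Trust relationship": trust_policy(acct, ["Test1_Guardium_AWS_Secret_Manager_Role"], ["nameofuser"]),
    }.items():
        print(f"== {name} ==\n{json.dumps(doc, indent=2)}\nfindings: {lint_policy(doc)}")
    for text in (PAGE_ASSUME_ROLE_POLICY_TEXT, PAGE_READ_SECRETS_POLICY_TEXT, PAGE_TRUST_POLICY_TEXT):
        print("page example findings:", lint_policy(text))
```

Run the script to print the three generated documents ready for the JSON editor, followed by the lint findings for the page's own examples: the wildcard assume-role resource, the 11-digit account number, and the trailing comma are each reported. Pasting generated JSON rather than hand-editing it is the simplest way to avoid the trailing-comma mistake.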
What to do next
Note the following information:
- The access key ID and the secret access key for the secret user.
- The role ARN that is created in step 6.
This information is used to configure AWS Secrets Manager on your Guardium system.