
How Do I Access AWS Secrets Manager From an EC2 Instance With IAM Roles?

Introduction

This guide provides a step-by-step approach to accessing AWS Secrets Manager from an EC2 instance using IAM roles. By following these instructions, you will be able to securely retrieve secrets from Secrets Manager without embedding credentials directly into your instance. This enhances security by leveraging IAM roles to manage permissions and access.

Key Points

  • Create an IAM role with a policy allowing access to AWS Secrets Manager.
  • Attach the IAM role to an EC2 instance.
  • Use the IAM role to access secrets from the instance.

Steps

  1. Define an IAM Role: Create an IAM role with a policy that grants read access to AWS Secrets Manager.
  2. Create and Configure EC2 Instance: Launch an EC2 instance and attach the IAM role to it.
  3. Access Secrets: Use the EC2 instance to retrieve secrets from Secrets Manager.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Create an IAM role that only EC2 instances may assume
const role = new aws.iam.Role("ec2Role", {
    assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal({ Service: "ec2.amazonaws.com" }),
});

// Attach an inline policy granting read access to Secrets Manager
const policy = new aws.iam.RolePolicy("secretsManagerPolicy", {
    role: role.id,
    policy: pulumi.output({
        Version: "2012-10-17",
        Statement: [{
            Action: [
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret",
            ],
            Effect: "Allow",
            // "*" lets the instance read every secret in the account; for least
            // privilege, replace it with the ARN(s) of the secret(s) this instance needs.
            Resource: "*",
        }],
    }),
});

// An instance profile is the container that lets EC2 attach the role
const instanceProfile = new aws.iam.InstanceProfile("ec2InstanceProfile", {
    role: role.name,
});

// Security group for the EC2 instance (inbound HTTP only; Secrets Manager
// is reached over outbound HTTPS, which the default egress rule allows)
const securityGroup = new aws.ec2.SecurityGroup("web-secgrp", {
    description: "Enable HTTP access",
    ingress: [
        { protocol: "tcp", fromPort: 80, toPort: 80, cidrBlocks: ["0.0.0.0/0"] },
    ],
});

// Look up the most recent Amazon Linux 2 AMI
const ami = aws.ec2.getAmi({
    filters: [{
        name: "name",
        values: ["amzn2-ami-hvm-*-x86_64-gp2"],
    }],
    mostRecent: true,
    owners: ["137112412989"], // Amazon
});

// Create the EC2 instance with the instance profile (and so the IAM role) attached.
// The AWS CLI on the instance picks up the role's temporary credentials from the
// instance metadata service, so no access keys are stored on the instance.
const instance = new aws.ec2.Instance("web-server", {
    instanceType: "t2.micro",
    securityGroups: [securityGroup.name],
    ami: ami.then(ami => ami.id),
    iamInstanceProfile: instanceProfile.name,
    userData: `#!/bin/bash
yum install -y aws-cli
# Anything this script prints is captured in /var/log/cloud-init-output.log, so pass
# the value to the process that needs it rather than leaving it on stdout.
aws secretsmanager get-secret-value --secret-id <your-secret-id> --region <your-region>`,
});

export const instancePublicIp = instance.publicIp;
export const instancePublicDns = instance.publicDns;
```
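The Pulumi program above provisions the role and the instance but leaves two things implicit: how an application on the instance should consume what GetSecretValue returns, and whether the role policy is actually scoped to the secret it needs. The following is an added example (not code from the original guide or from Pulumi) covering both; the response shape mirrors the AWS SDK v3 `GetSecretValueCommand` output, and the secret ARN and policy statements used in the comments are constructed placeholders.

```typescript
// Added example, not part of the original guide. Two pieces an application on the
// instance needs: a parser for the GetSecretValue response, and a least-privilege
// check for the role policy. On the instance the response comes from
//   await new SecretsManagerClient({}).send(new GetSecretValueCommand({ SecretId }))
// (from "@aws-sdk/client-secrets-manager"); no access keys appear anywhere, because
// the SDK's default provider chain obtains the role's temporary credentials from IMDS.

export interface GetSecretValueOutput {
  SecretString?: string;
  SecretBinary?: Uint8Array; // SDK v3 returns binary secrets as raw bytes
}

// Normalise a GetSecretValue response into a key/value map. Secrets Manager stores
// either SecretString (often JSON, sometimes plain text) or SecretBinary.
export function parseSecretValue(out: GetSecretValueOutput): Record<string, string> {
  if (out.SecretString !== undefined) {
    try {
      const parsed = JSON.parse(out.SecretString);
      if (parsed !== null && typeof parsed === "object" && !Array.isArray(parsed)) {
        const result: Record<string, string> = {};
        for (const k of Object.keys(parsed)) result[k] = String(parsed[k]);
        return result;
      }
    } catch { /* not JSON: treat as a single plain-text value */ }
    return { value: out.SecretString };
  }
  if (out.SecretBinary !== undefined) {
    return { value: Buffer.from(out.SecretBinary).toString("utf8") };
  }
  throw new Error("GetSecretValue returned neither SecretString nor SecretBinary");
}

// Least-privilege check for the role policy: every Allow statement that grants
// secretsmanager:* actions must name one of the expected secret ARNs, never "*".
// Run against the guide's policy (Resource: "*") it reports the wildcard.
export interface PolicyStatement { Effect: string; Action: string | string[]; Resource: string | string[]; }
export function policyProblems(statements: PolicyStatement[], allowedArns: string[]): string[] {
  const problems: string[] = [];
  for (const s of statements) {
    const actions = ([] as string[]).concat(s.Action);
    if (s.Effect !== "Allow" || !actions.some(a => a.startsWith("secretsmanager:"))) continue;
    for (const r of ([] as string[]).concat(s.Resource)) {
      if (r === "*" || r.endsWith(":*")) problems.push(`wildcard resource "${r}"`);
      else if (!allowedArns.includes(r)) problems.push(`unexpected resource "${r}"`);
    }
  }
  return problems;
}
```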

Summary

In this guide, we successfully created an IAM role with the necessary permissions to access AWS Secrets Manager and attached it to an EC2 instance. This setup allows the instance to securely retrieve secrets from Secrets Manager without embedding sensitive information directly into the instance, thereby enhancing security and maintaining best practices for credential management.
