
How do I access AWS Secrets Manager from an EC2 instance with IAM roles?

In this guide, we will create an EC2 instance with an IAM role that has permissions to access AWS Secrets Manager. This setup allows the instance to securely retrieve secrets from Secrets Manager without embedding credentials in the instance.

Key Points

  • Create an IAM role with a policy allowing access to AWS Secrets Manager.
  • Attach the IAM role to an EC2 instance.
  • Use the IAM role to access secrets from the instance.

Steps

  1. Define an IAM role with a policy that grants read access to Secrets Manager.
  2. Create an EC2 instance and attach the IAM role to it.
  3. Use the EC2 instance to access secrets from Secrets Manager.

```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// IAM role that the EC2 service is allowed to assume on behalf of the instance
const role = new aws.iam.Role("ec2Role", {
    assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal({ Service: "ec2.amazonaws.com" }),
});

// Inline policy granting read access to Secrets Manager.
// Passing a JSON string avoids type-widening issues with the Effect literal.
const policy = new aws.iam.RolePolicy("secretsManagerPolicy", {
    role: role.id,
    policy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Action: [
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret",
            ],
            Effect: "Allow",
            Resource: "*", // Restrict this to the specific secret ARN(s) the instance needs
        }],
    }),
});

// Instance profile: the wrapper through which EC2 receives the role
const instanceProfile = new aws.iam.InstanceProfile("ec2InstanceProfile", {
    role: role.name,
});

// Security group for the EC2 instance (HTTP only; no inbound rule is needed for Secrets Manager)
const securityGroup = new aws.ec2.SecurityGroup("web-secgrp", {
    description: "Enable HTTP access",
    ingress: [
        { protocol: "tcp", fromPort: 80, toPort: 80, cidrBlocks: ["0.0.0.0/0"] },
    ],
});

// Latest Amazon Linux 2 AMI
const ami = aws.ec2.getAmi({
    filters: [{
        name: "name",
        values: ["amzn2-ami-hvm-*-x86_64-gp2"],
    }],
    mostRecent: true,
    owners: ["137112412989"], // Amazon
});

// EC2 instance with the IAM role attached; no access keys are placed on the instance,
// the AWS CLI and SDKs obtain temporary role credentials from the instance metadata service.
const instance = new aws.ec2.Instance("web-server", {
    instanceType: "t2.micro",
    securityGroups: [securityGroup.name],
    ami: ami.then(ami => ami.id),
    iamInstanceProfile: instanceProfile.name,
    // Note: user-data output is logged to /var/log/cloud-init-output.log, so a
    // real deployment should hand the value to the application rather than print it.
    userData: `#!/bin/bash
yum install -y aws-cli
aws secretsmanager get-secret-value --secret-id <your-secret-id> --region <your-region>`,
});

export const instancePublicIp = instance.publicIp;
export const instancePublicDns = instance.publicDns;
```
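
Step 3 appears above only as a one-line CLI call in user data. The following is an added example, not part of this guide or of Pulumi's code, of an instance-side Python script that reads the secret through the attached role and stores it with owner-only permissions instead of echoing it. It assumes boto3 is installed on the instance and reuses the guide's <your-secret-id> and <your-region> placeholders.

```python
"""Read a secret from Secrets Manager using the EC2 instance profile (added example)."""
import base64
import json
import os
from typing import Any, Dict, Union

SecretValue = Union[Dict[str, Any], str, bytes]


def parse_secret_response(resp: Dict[str, Any]) -> SecretValue:
    """Normalise a GetSecretValue response into a dict, str or bytes.

    Secrets Manager returns either SecretString (text, often JSON for
    key/value secrets) or SecretBinary (bytes from boto3, base64 text on the
    raw API). Never log the return value: it is the secret itself.
    """
    if "SecretString" in resp:
        text = resp["SecretString"]
        try:
            parsed = json.loads(text)
        except ValueError:
            return text                     # plain-text secret
        return parsed if isinstance(parsed, dict) else text
    if "SecretBinary" in resp:
        raw = resp["SecretBinary"]
        return base64.b64decode(raw) if isinstance(raw, str) else bytes(raw)
    raise ValueError("response carries neither SecretString nor SecretBinary")


def write_secret_file(path: str, value: SecretValue) -> int:
    """Persist the secret with mode 0600 (user-data stdout would land in
    /var/log/cloud-init-output.log). Returns the resulting file mode."""
    if isinstance(value, bytes):
        data = value
    else:
        data = (json.dumps(value) if isinstance(value, dict) else value).encode()
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.chmod(path, 0o600)   # O_CREAT mode is subject to umask; enforce explicitly
    return os.stat(path).st_mode & 0o777


def fetch_secret(secret_id: str, region: str) -> SecretValue:
    """No access keys here: boto3's default credential chain obtains temporary
    credentials for the attached role from the instance metadata service."""
    import boto3  # assumption: boto3 present on the instance; imported lazily
    client = boto3.client("secretsmanager", region_name=region)
    return parse_secret_response(client.get_secret_value(SecretId=secret_id))


if __name__ == "__main__":
    mode = write_secret_file("/run/app-secret", fetch_secret("<your-secret-id>", "<your-region>"))
    print(f"secret stored with mode {mode:o}")   # reports the mode, never the secret
```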

Summary

In this guide, we created an IAM role with permissions to access AWS Secrets Manager. We then attached this role to an EC2 instance, allowing the instance to securely retrieve secrets from Secrets Manager. This method ensures that sensitive information is not hardcoded into the instance, enhancing security.
