
I have written this standalone program in PHP for an EC2 Instance to read secrets from SecretsManager (EC2 Instance and Secret are in the same region). I have the AWS SDK PHAR in the same folder as the program below.

<?php

require 'aws.phar'; // Include the AWS SDK for PHP

use Aws\SecretsManager\SecretsManagerClient;
use Aws\Exception\AwsException;

// No explicit credentials: the SDK's default provider chain falls back to the
// EC2 instance profile (the attached IAM role) when nothing else is configured.
$client = new SecretsManagerClient([
    'version' => 'latest',
    'region'  => 'us-west-1',
]);

try {
    $result = $client->getSecretValue([
        'SecretId' => 'prod/vserver/api-keys',
    ]);
    $secretString = $result['SecretString'];
} catch (AwsException $e) {
    // Log the service error code and message (e.g. AccessDeniedException) without printing any secret material
    error_log('GetSecretValue failed: ' . $e->getAwsErrorCode() . ' - ' . $e->getAwsErrorMessage());
    exit(1);
}

I want the EC2 Instance to retrieve the secret without providing any explicit AWS credentials. I have created an IAM Policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowReadSecrets",
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:us-west-1:ACCOUNTID:secret:prod/vserver/api-keys"
    }
  ]
}

I have created a Role, EC2_ACCESS_SECRETSMANAGER, attached the Policy to the Role, and attached the IAM Role to the EC2 Instance from where I am running the PHP Program.

But I am getting error: Next Aws\SecretsManager\Exception\SecretsManagerException: Error executing "GetSecretValue" on "https://secretsmanager.us-west-1.amazonaws.com"; AWS HTTP error: Client error: POST https://secretsmanager.us-west-1.amazonaws.com resulted in a 400 Bad Request response: {"__type":"AccessDeniedException","Message":"User: arn:aws:sts::<AWS_ACCOUNT_ID>:assumed-role/EC2_ACCESS_SECRETSMANAGER/i-08 (truncated...) AccessDeniedException (client): User: arn:aws:sts::<AWS_ACCOUNT_ID>:assumed-role/EC2_ACCESS_SECRETSMANAGER/ is not authorized to perform: secretsmanager:GetSecretValue on resource: prod/vserver/api-keys because no identity-based policy allows the secretsmanager:GetSecretValue action - {"__type":"AccessDeniedException","Message":"User: arn:aws:sts::<AWS_ACCOUNT_ID>:assumed-role/EC2_ACCESS_SECRETSMANAGER/ is not authorized to perform: secretsmanager:GetSecretValue on resource: prod/vserver/api-keys because no identity-based policy allows the secretsmanager:GetSecretValue action"} in phar:///var/www/html/aws.phar/Aws/WrappedHttpHandler.php:195

(<AWS_ACCOUNT_ID> is a placeholder I substituted for posting here.)

2 Answers


Try attaching the following policy to your secret. This allows the specified IAM Role to access the secret, rather than coming the other way like you've posted.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::AccountId:role/EC2RoleToAccessSecrets"
      },
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "*"
    }
  ]
}

Don't forget to change AccountId and EC2RoleToAccessSecrets.

Permissions and roles can be a bit tricky, so I'd suggest you read up on it more here: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html


1 Comment

Thank you @JasonQ-AWS for your solution, I will try to implement it and see if it works fine.

I had to put in the following IAM Policy and IAM Role for this to work OK (recall that I needed this for an EC2 Instance-deployed web app to access AWS SecretsManager without needing to provide any AWS access credentials).

IAM Policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole",
        "sts:AssumeRole",
        "secretsmanager:GetSecretValue",
        "iam:GetPolicy",
        "sts:GetCallerIdentity"
      ],
      "Resource": "*"
    }
  ]
}

and EC2 IAM Role with Trusted Entities as:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

PS: This is working albeit with much wider permissions and resources than what should be permitted. I will try to implement what @JasonQ-AWS has suggested to see if that works.
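As an added example (not from the question or either answer), a small Python checker that applies IAM's `*`/`?` resource matching to the policies on this page against a constructed secret ARN: it shows why the question's exact-ARN policy never matches (Secrets Manager appends a random six-character suffix to every secret ARN, so the Resource should end in `-*` or `-??????`) and flags the over-broad grants in the second answer's policy. The account id and suffix are constructed placeholders.

```python
import re

# IAM Resource matching: "*" matches any run of characters, "?" exactly one.
def arn_matches(pattern: str, arn: str) -> bool:
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, arn) is not None

def review_policy(policy: dict, secret_arn: str, needed: set) -> list:
    """Findings for Allow statements: unneeded actions, wildcard resources, and a
    GetSecretValue grant whose Resource patterns never match the real secret ARN."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        extra = sorted(set(actions) - needed)
        if extra:
            findings.append(f"unneeded actions: {extra}")
        if "*" in resources:
            findings.append("Resource '*' covers every secret in the account")
        if "secretsmanager:GetSecretValue" in actions and not any(arn_matches(r, secret_arn) for r in resources):
            findings.append("no Resource pattern matches the real secret ARN (random '-XXXXXX' suffix missing?)")
    return findings

# Constructed sample values: placeholder account id, and the random suffix that
# Secrets Manager appends to every secret ARN it issues.
SECRET_ARN = "arn:aws:secretsmanager:us-west-1:123456789012:secret:prod/vserver/api-keys-AbCdEf"
NEEDED = {"secretsmanager:GetSecretValue"}

def policy(resource, actions="secretsmanager:GetSecretValue"):
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": actions, "Resource": resource}]}

# The question's policy: exact ARN without the suffix, so it never matches.
QUESTION = policy("arn:aws:secretsmanager:us-west-1:123456789012:secret:prod/vserver/api-keys")
# Least-privilege form: the same ARN with the suffix wildcard.
FIXED = policy("arn:aws:secretsmanager:us-west-1:123456789012:secret:prod/vserver/api-keys-*")
# The second answer's policy: five actions on every resource.
BROAD = policy("*", ["iam:PassRole", "sts:AssumeRole", "secretsmanager:GetSecretValue",
                     "iam:GetPolicy", "sts:GetCallerIdentity"])

if __name__ == "__main__":
    for name, p in (("question", QUESTION), ("fixed", FIXED), ("broad", BROAD)):
        print(name, review_policy(p, SECRET_ARN, NEEDED) or ["ok"])
```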

