
I have written this standalone program in PHP for EC2 Instance to read secrets from SecretsManager (EC2 Instance and Secret are in the same region). I have AWS SDK PHAR in the same folder as the program below.

<?php

require 'aws.phar'; // Include the AWS SDK for PHP

use Aws\SecretsManager\SecretsManagerClient;
use Aws\Sts\StsClient;
use Aws\Exception\AwsException;

// No credentials are passed in: the SDK's default provider chain falls back to
// the instance profile, i.e. the IAM role attached to the EC2 instance.
$client = new SecretsManagerClient([
    'version' => 'latest',
    'region'  => 'us-west-1',
]);

try {
    $result = $client->getSecretValue([
        'SecretId' => 'prod/vserver/api-keys',
    ]);
    $secretString = $result['SecretString'];
} catch (AwsException $e) {
    // Report the service error code (e.g. AccessDeniedException) without echoing the secret.
    error_log($e->getAwsErrorCode() . ': ' . $e->getAwsErrorMessage());
}

I want the EC2 Instance to retrieve the secret without providing any explicit AWS credentials. I have created a IAM Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowReadSecrets",
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "arn:aws:secretsmanager:us-west-1:ACCOUNTID:secret:prod/vserver/api-keys"
        }
    ]
}

I have created a ROLE : EC2_ACCESS_SECRETSMANAGER and attached the Policy to the Role and the IAM Role to the EC2 Instance from where I am running the PHP Program.

But I am getting this error:
Next Aws\SecretsManager\Exception\SecretsManagerException: Error executing "GetSecretValue" on "https://secretsmanager.us-west-1.amazonaws.com"; AWS HTTP error: Client error: POST https://secretsmanager.us-west-1.amazonaws.com resulted in a 400 Bad Request response:
{"__type":"AccessDeniedException","Message":"User: arn:aws:sts::<AWS_ACCOUNT_ID>:assumed-role/EC2_ACCESS_SECRETSMANAGER/i-08 (truncated…)
AccessDeniedException (client): User: arn:aws:sts::<AWS_ACCOUNT_ID>:assumed-role/EC2_ACCESS_SECRETSMANAGER/ is not authorized to perform: secretsmanager:GetSecretValue on resource: prod/vserver/api-keys because no identity-based policy allows the secretsmanager:GetSecretValue action – {"__type":"AccessDeniedException","Message":"User: arn:aws:sts::<AWS_ACCOUNT_ID>:assumed-role/EC2_ACCESS_SECRETSMANAGER/ is not authorized to perform: secretsmanager:GetSecretValue on resource: prod/vserver/api-keys because no identity-based policy allows the secretsmanager:GetSecretValue action"} in phar:///var/www/html/aws.phar/Aws/WrappedHttpHandler.php:195

<AWS_ACCOUNT_ID> is a placeholder value substituted for posting here.

2 Answers

  1. Chosen as BEST ANSWER

    I had to put in the following IAM Policy and IAM Role for this to work (recall that I needed this for an EC2-deployed web app to access AWS SecretsManager without providing any AWS access credentials).

    IAM Policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "iam:PassRole",
                    "sts:AssumeRole",
                    "secretsmanager:GetSecretValue",
                    "iam:GetPolicy",
                    "sts:GetCallerIdentity"
                ],
                "Resource": "*"
            }
        ]
    }

    and EC2 IAM Role with Trusted Entities as:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": "ec2.amazonaws.com"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }

    PS: This is working albeit with much wider permissions and resources than what should be permitted. I will try to implement what @JasonQ-AWS has suggested to see if that works.
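As an added illustration (not code from the question or from either answer), a small Python evaluator that applies IAM's wildcard matching to the three resource patterns in play: the exact ARN from the question's policy, the "*" from the chosen answer, and a narrowed "name-*" pattern. The account id and ARNs are constructed; the one fact it relies on is that Secrets Manager appends a random "-xxxxxx" suffix to the secret name when it builds the ARN, which is why a policy naming the bare secret ARN can fail to match while "*" matches every secret in the account.

```python
import re

def iam_match(pattern, value):
    """IAM wildcard semantics: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def as_list(x):
    return x if isinstance(x, list) else [x]

def is_allowed(policy, action, resource_arn):
    """Minimal identity-policy evaluation: an explicit Deny wins, then any matching
    Allow, otherwise the implicit deny. Actions compare case-insensitively, as in
    IAM; Condition blocks are not modelled."""
    allowed = False
    for stmt in as_list(policy["Statement"]):
        if not any(iam_match(a.lower(), action.lower()) for a in as_list(stmt["Action"])):
            continue
        if not any(iam_match(r, resource_arn) for r in as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

ACTION = "secretsmanager:GetSecretValue"
ARN_PREFIX = "arn:aws:secretsmanager:us-west-1:111122223333:secret:"  # constructed account id
# Constructed ARNs: Secrets Manager appends a random "-xxxxxx" suffix to the given name.
TARGET_SECRET = ARN_PREFIX + "prod/vserver/api-keys-AbCdEf"
OTHER_SECRET = ARN_PREFIX + "prod/billing/db-password-XyZ123"

def allow_policy(resource):
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": ACTION, "Resource": resource}]}

POLICIES = {
    "question (exact name, no suffix)": allow_policy(ARN_PREFIX + "prod/vserver/api-keys"),
    "chosen answer (Resource *)":       allow_policy("*"),
    "narrowed (name-*)":                allow_policy(ARN_PREFIX + "prod/vserver/api-keys-*"),
}

def compare():
    """Per policy: (can read the intended secret?, can read an unrelated secret?)"""
    return {name: (is_allowed(p, ACTION, TARGET_SECRET), is_allowed(p, ACTION, OTHER_SECRET))
            for name, p in POLICIES.items()}

if __name__ == "__main__":
    for name, (target, other) in compare().items():
        print(f"{name:36} intended secret: {target!s:5} unrelated secret: {other}")
```

Only the "name-*" pattern both reads the intended secret and stays confined to it, which is the least-privilege shape the chosen answer's "*" trades away.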


  2. Try attaching the following policy to your secret. This allows the specified IAM Role to access the secret, rather than coming the other way like you’ve posted.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::AccountId:role/EC2RoleToAccessSecrets"
          },
          "Action": "secretsmanager:GetSecretValue",
          "Resource": "*"
        }
      ]
    }

    Don’t forget to change AccountId and EC2RoleToAccessSecrets.

    Permissions and roles can be a bit tricky, so I’d suggest you read up on it more here: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html
