Organization Administration

Cross-account access configuration for AWS Secrets Manager

If the AWS account that hosts your secrets differs from the account that hosts the Secure Agent, you'll need to set up both accounts for cross-account access.
When you configure a connection to use a secrets manager, you choose the runtime environment for the connection. If that runtime environment contains a Secure Agent hosted in an AWS account, and that account differs from the account that hosts the secrets, you must configure cross-account access so that the Secure Agent can read the secrets.
For cross-account access to work, the resources that host the secrets (the secret and the KMS key that encrypts it) must be in the same region that you chose when you enabled your organization to use a secrets manager. For more information about enabling your organization to use a secrets manager, see Enabling and disabling a secrets manager.

Step 1. Set up the account that hosts the secrets.

To set up the account that hosts the secrets, you need to create a customer-managed KMS key, encrypt the secret using the key, and attach a resource policy to the secret. You can't use the AWS managed key for cross-account access.
Perform the following steps:
  1. Create the KMS key by performing the following steps:
    1. Log in to the AWS Management Console, and search for "Key Management Service" or "KMS."
    2. Navigate to Customer Managed Keys.
    3. Create a new customer-managed key that has the following properties:
       Key type: Symmetric
       Key usage: Encrypt and Decrypt
       Key administrators: Select the IAM users or roles that will manage the key.
       Key users: Select the IAM users or roles that will use the key to encrypt and decrypt secrets.
    4. Add the following statement to the key policy to allow the IAM role in the account that hosts the Secure Agent to decrypt with the key (replace <Secure Agent account> with that account's ID; the key policy, not the role's identity policy, is what lets a principal from another account use the key):
       {
         "Effect": "Allow",
         "Principal": {
           "AWS": "arn:aws:iam::<Secure Agent account>:role/EC2SecretReadOnly"
         },
         "Action": [
           "kms:Decrypt",
           "kms:DescribeKey"
         ],
         "Resource": "*"
       }
  2. Encrypt the secret in this account using the customer-managed key as shown in the following image, and click Save:
     The image shows the AWS "Edit encryption key" dialog box for a secret. The customer-managed key is selected in the "Encryption key" drop-down list.
  3. Attach the following resource policy to the secret (replace <Secure Agent account> and <application_role> with the account ID and the name of the role that the agent uses):
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Principal": {
             "AWS": "arn:aws:iam::<Secure Agent account>:role/<application_role>"
           },
           "Action": "secretsmanager:GetSecretValue",
           "Resource": "*"
         }
       ]
     }

Step 2. Set up the account that hosts the Secure Agent.

To set up the account that hosts the Secure Agent, attach an identity policy to the role that the agent uses, and then verify that the account that hosts the agent can fetch the KMS key from the account that hosts the secrets.
Attach the following identity policy to the role that the agent uses to access secrets. Scope both resources to the specific secret and key ARNs in the secrets account rather than "*", so the role can read only the secret it needs:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "<secret ARN of secrets account>"
    },
    {
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "<KMS key ARN of secrets account>"
    }
  ]
}
To verify that the agent's role can retrieve the secret and decrypt it with the KMS key in the secrets account, run the following command from the EC2 instance in the account that hosts the agent, using the full ARN of the secret (a cross-account secret cannot be referenced by name alone):
aws secretsmanager get-secret-value --secret-id '<secret ARN>'
If the command returns an AccessDenied error, check the resource policy on the secret first and then the key policy on the KMS key; both must trust the agent's role for the call to succeed.
For more information about configuring cross-account access, see "Access AWS Secrets Manager secrets from a different account" in the AWS documentation.
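The three policy documents from the steps above, generated from one set of inputs and cross-checked for the mismatches that most often break cross-account access (wrong region, secret and key in different accounts, principals that do not agree, missing kms:Decrypt). This is an added example, not Informatica's or AWS's code; the account IDs, ARNs and role name are constructed placeholders.

```python
import re

# Constructed sample values; substitute your own account IDs, ARNs and role name.
SECRETS_ACCOUNT = "111111111111"
AGENT_ACCOUNT = "222222222222"
AGENT_ROLE = "EC2SecretReadOnly"
ORG_REGION = "us-east-1"  # region chosen when the secrets manager was enabled
SECRET_ARN = f"arn:aws:secretsmanager:us-east-1:{SECRETS_ACCOUNT}:secret:db-password-AbCdEf"
KEY_ARN = f"arn:aws:kms:us-east-1:{SECRETS_ACCOUNT}:key/12345678-1234-1234-1234-123456789012"

ARN_RE = re.compile(r"^arn:aws:(?P<service>[^:]+):(?P<region>[^:]*):(?P<account>\d{12}):")

def build_policies(secrets_account, agent_account, agent_role, secret_arn, key_arn):
    """Return (key policy statement, secret resource policy, agent identity policy)."""
    principal = f"arn:aws:iam::{agent_account}:role/{agent_role}"
    key_stmt = {"Effect": "Allow", "Principal": {"AWS": principal},
                "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"}
    secret_policy = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": principal},
         "Action": "secretsmanager:GetSecretValue", "Resource": "*"}]}
    identity_policy = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": secret_arn},
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": key_arn}]}
    return key_stmt, secret_policy, identity_policy

def check_cross_account(key_stmt, secret_policy, identity_policy, org_region):
    """Return a list of misconfigurations; an empty list means the documents agree."""
    problems = []
    secret_arn, key_arn = [s["Resource"] for s in identity_policy["Statement"]]
    secret, key = ARN_RE.match(secret_arn), ARN_RE.match(key_arn)
    if not secret or not key:
        return ["identity policy resources are not valid ARNs"]
    if secret["account"] != key["account"]:
        problems.append("secret and KMS key live in different accounts")
    for m in (secret, key):  # both resources must sit in the org's configured region
        if m["region"] != org_region:
            problems.append(f"{m['service']} resource is in {m['region']}, org uses {org_region}")
    principal = secret_policy["Statement"][0]["Principal"]["AWS"]
    if key_stmt["Principal"]["AWS"] != principal:
        problems.append("key policy and secret resource policy trust different principals")
    if principal.split(":")[4] == secret["account"]:
        problems.append("principal is in the secrets account, so this is not cross-account")
    if "kms:Decrypt" not in key_stmt["Action"]:
        problems.append("key policy does not grant kms:Decrypt")
    return problems

if __name__ == "__main__":
    docs = build_policies(SECRETS_ACCOUNT, AGENT_ACCOUNT, AGENT_ROLE, SECRET_ARN, KEY_ARN)
    print(check_cross_account(*docs, ORG_REGION) or "policies are consistent")
```

Run the check again after any later change to the secret, the key or the agent role; a region move or a re-encryption with the AWS managed key shows up here before it shows up as an AccessDenied on the agent.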