Organization Administration

IAM role configuration for AWS Secrets Manager

If you access AWS Secrets Manager using role-based authentication, you need to ensure that the IAM role that the Secure Agent uses to access secrets has the appropriate policies and permissions. You must also attach the role to the EC2 instance that runs the Secure Agent, which is done through an instance profile.
To configure the IAM role, first define a policy with the appropriate permissions, assign the policy to the role, and then update the role trust policy so that the instance (or the instance's own role) is allowed to assume it.

Step 1. Create an IAM policy and assign appropriate permissions.

Configure the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:ListSecrets"
      ],
      "Resource": "*"
    }
  ]
}

The policy must be able to list and read secrets from Secrets Manager; these two actions are the minimum the Secure Agent needs. Note that "Resource": "*" lets the role read every secret in the account. To follow least privilege, keep "*" only for secretsmanager:ListSecrets, which does not support resource-level permissions, and restrict secretsmanager:GetSecretValue to the ARNs of the secrets the Secure Agent actually reads.
The following image shows the policy as created above:
The image shows the AWS policy details page for a policy named "SecretManagerReadOnly." On the Permissions tab, under "Permissions defined in this policy," the access level "Limited: List, Read" is granted to the Secrets Manager service for all resources.

Step 2. Assign the policy to the IAM role.

Assign the policy you created to the role that the Secure Agent uses to access secrets, as shown in the following image:
The image shows the AWS role details page. On the Permissions tab under "Permissions policies," the SecretManagerReadOnly customer-managed policy is assigned.

Step 3. Update the IAM role trust policy.

After you assign the policy, update the IAM role trust policy to define which principals can assume the role. You can either trust the EC2 service, so that any EC2 instance that carries this role in its instance profile obtains the role's credentials, or trust the EC2 instance's own role, so that only that role can call sts:AssumeRole on the role that has permission to read secrets.
If the IAM role is the same role as the EC2 instance's role, you can have the role assume itself.
To trust the EC2 service, configure the following trust policy. Because every instance launched with this role's instance profile then gains read access to the secrets, limit who may launch instances with it by restricting iam:PassRole on the role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

To allow the EC2 instance's role to assume the role that has permission to read secrets, configure the following trust policy. This keeps the secret-reading permissions off the instance role itself, and only the named role can assume the secrets role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<account ID>:role/<EC2 instance's role>"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

The following image shows the trust policy:
The image shows the AWS role details page. On the "Trust relationships" tab under "Trusted entities," the JSON code block specifies which entities can assume the role.
For more information about assigning policies to IAM roles and attaching IAM roles to EC2 instances, see the AWS documentation.
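The three steps above, carried out with the AWS CLI, as an added example that is not part of the Informatica documentation. It scopes the permissions policy to named secret ARNs instead of "Resource": "*", builds either of the two trust policies, and adds a check that asks IAM how the role would be evaluated before any secret is read. The account ID, the role name SecureAgentSecretsRole, the instance-role ARN and the secret ARNs are hypothetical placeholders; only the policy name SecretManagerReadOnly comes from the page.

```shell
#!/bin/sh
# Added example, not part of the Informatica documentation: Steps 1-3 as AWS CLI
# commands, with the permissions policy scoped to named secrets rather than
# "Resource": "*". Every account ID, role name and ARN below is a placeholder.
set -eu

ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"                # placeholder account
POLICY_NAME="${POLICY_NAME:-SecretManagerReadOnly}"     # name used in the page's screenshots
ROLE_NAME="${ROLE_NAME:-SecureAgentSecretsRole}"        # hypothetical role the Secure Agent uses
WORKDIR="${TMPDIR:-/tmp}"

# Step 1: permissions policy document. secretsmanager:ListSecrets does not support
# resource-level permissions, so it keeps "*"; GetSecretValue is limited to the
# secret ARNs passed as arguments.
secrets_policy_json() {
  arns=""
  for a in "$@"; do
    arns="${arns:+$arns, }\"$a\""
  done
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Sid": "ListSecrets", "Effect": "Allow",
      "Action": "secretsmanager:ListSecrets", "Resource": "*" },
    { "Sid": "ReadNamedSecrets", "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue", "Resource": [ $arns ] }
  ]
}
EOF
}

# Step 3: trust policy document. Pass "ec2" to trust the EC2 service (instances
# that carry this role in their instance profile), or the ARN of the EC2
# instance's role so that only that role may call sts:AssumeRole on this one.
trust_policy_json() {
  if [ "$1" = "ec2" ]; then
    principal='"Service": "ec2.amazonaws.com"'
  else
    principal="\"AWS\": \"$1\""
  fi
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Principal": { $principal }, "Action": "sts:AssumeRole" }
  ]
}
EOF
}

# Steps 1-3 end to end: create the policy, create the role with its trust policy,
# attach the policy (Step 2) and, for the EC2-service case, build the instance
# profile that is attached to the Secure Agent's instance. Needs IAM admin
# credentials in the AWS CLI; defined only, not run at load time.
#   usage: configure_iam ec2|<instance-role-arn> <secret-arn>...
configure_iam() {
  trust="$1"; shift
  secrets_policy_json "$@" > "$WORKDIR/secrets-policy.json"
  trust_policy_json "$trust" > "$WORKDIR/trust-policy.json"
  aws iam create-policy --policy-name "$POLICY_NAME" \
    --policy-document "file://$WORKDIR/secrets-policy.json"
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "file://$WORKDIR/trust-policy.json"
  aws iam attach-role-policy --role-name "$ROLE_NAME" \
    --policy-arn "arn:aws:iam::${ACCOUNT_ID}:policy/${POLICY_NAME}"
  if [ "$trust" = "ec2" ]; then
    aws iam create-instance-profile --instance-profile-name "$ROLE_NAME"
    aws iam add-role-to-instance-profile \
      --instance-profile-name "$ROLE_NAME" --role-name "$ROLE_NAME"
    # Then attach the profile to the agent host, e.g.:
    # aws ec2 associate-iam-instance-profile --instance-id i-xxxxxxxx \
    #   --iam-instance-profile Name="$ROLE_NAME"
  fi
}

# Check without reading a secret: ask IAM how the role would be evaluated for
# GetSecretValue on a given ARN. Expect "allowed" for a listed secret and
# "implicitDeny" for any other secret once "*" is gone from GetSecretValue.
check_access() {
  aws iam simulate-principal-policy \
    --policy-source-arn "arn:aws:iam::${ACCOUNT_ID}:role/${ROLE_NAME}" \
    --action-names secretsmanager:GetSecretValue \
    --resource-arns "$1" \
    --query 'EvaluationResults[0].EvalDecision' --output text
}
```

Run configure_iam with "ec2" when the secrets role is the instance's own role, or with the instance role's ARN when the Secure Agent's instance role should assume a separate secrets role; in both cases list only the secrets the agent needs. check_access against a secret outside that list should report implicitDeny, which is the quickest way to confirm the wildcard is really gone.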
