Setting up Amazon Identity and Access Management (IAM) policies
After you create the secrets in Secrets Manager, you create an IAM policy that can access those secrets. For general information about using IAM, see Identity and access management for Amazon Aurora.
Tip
The following procedure applies if you use the IAM console. If you use the Amazon Web Services Management Console for RDS, RDS can create the IAM policy for you automatically. In that case, you can skip the following procedure.
To create an IAM policy that accesses your Secrets Manager secrets for use with your proxy
-
Sign in to the IAM console. Follow the Create role process, as described in Creating IAM roles, choosing Creating a role to delegate permissions to an Amazon service.
Choose Amazon service for the Trusted entity type. Under Use case, select RDS from Use cases for other Amazon services dropdown. Select RDS - Add Role to Database.
-
For the new role, perform the Add inline policy step. Use the same general procedures as in Editing IAM policies. Paste the following JSON into the JSON text box. Substitute your own account ID. Substitute your Amazon Region for
us-east-2. Substitute the Amazon Resource Names (ARNs) for the secrets that you created, see Specifying KMS keys in IAM policy statements. For thekms:Decryptaction, substitute the ARN of the default Amazon KMS key or your own KMS key. Which one you use depends on which one you used to encrypt the Secrets Manager secrets.{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": [ "arn:aws-cn:secretsmanager:us-east-2:account_id:secret:secret_name_1", "arn:aws-cn:secretsmanager:us-east-2:account_id:secret:secret_name_2" ] }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": "kms:Decrypt", "Resource": "arn:aws-cn:kms:us-east-2:account_id:key/key_id", "Condition": { "StringEquals": { "kms:ViaService": "secretsmanager.us-east-2.amazonaws.com" } } } ] } -
Edit the trust policy for this IAM role. Paste the following JSON into the JSON text box.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": "rds.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }
The following commands perform the same operation through the Amazon CLI.
PREFIX=my_identifierUSER_ARN=$(aws sts get-caller-identity --query "Arn" --output text) aws iam create-role --role-namemy_role_name\ --assume-role-policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":["rds.amazonaws.com"]},"Action":"sts:AssumeRole"}]}' ROLE_ARN=arn:aws:iam::account_id:role/my_role_nameaws iam put-role-policy --role-name my_role_name \ --policy-name $PREFIX-secret-reader-policy --policy-document '{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": [ "arn:aws-cn:secretsmanager:us-east-2:account_id:secret:secret_name_1", "arn:aws-cn:secretsmanager:us-east-2:account_id:secret:secret_name_2" ] }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": "kms:Decrypt", "Resource": "arn:aws-cn:kms:us-east-2:account_id:key/key_id", "Condition": { "StringEquals": { "kms:ViaService": "secretsmanager.us-east-2.amazonaws.com" } } } ] }