Setting up Amazon Identity and Access Management (IAM) policies - Amazon Relational Database Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Setting up Amazon Identity and Access Management (IAM) policies

After you create the secrets in Secrets Manager, you create an IAM policy that can access those secrets. For general information about using IAM, see Identity and access management for Amazon RDS.

Tip

The following procedure applies if you use the IAM console. If you use the Amazon Web Services Management Console for RDS, RDS can create the IAM policy for you automatically. In that case, you can skip the following procedure.

To create an IAM policy that accesses your Secrets Manager secrets for use with your proxy
  1. Sign in to the IAM console. Follow the Create role process, as described in Creating IAM roles, choosing Creating a role to delegate permissions to an Amazon service.

    Choose Amazon service for the Trusted entity type. Under Use case, select RDS from Use cases for other Amazon services dropdown. Select RDS - Add Role to Database.

  2. For the new role, perform the Add inline policy step. Use the same general procedures as in Editing IAM policies. Paste the following JSON into the JSON text box. Substitute your own account ID. Substitute your Amazon Region for us-east-2. Substitute the Amazon Resource Names (ARNs) for the secrets that you created, see Specifying KMS keys in IAM policy statements. For the kms:Decrypt action, substitute the ARN of the default Amazon KMS key or your own KMS key. Which one you use depends on which one you used to encrypt the Secrets Manager secrets.

    { "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": [ "arn:aws-cn:secretsmanager:us-east-2:account_id:secret:secret_name_1", "arn:aws-cn:secretsmanager:us-east-2:account_id:secret:secret_name_2" ] }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": "kms:Decrypt", "Resource": "arn:aws-cn:kms:us-east-2:account_id:key/key_id", "Condition": { "StringEquals": { "kms:ViaService": "secretsmanager.us-east-2.amazonaws.com" } } } ] }
  3. Edit the trust policy for this IAM role. Paste the following JSON into the JSON text box.

    { "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": "rds.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }

The following commands perform the same operation through the Amazon CLI.

PREFIX=my_identifier USER_ARN=$(aws sts get-caller-identity --query "Arn" --output text) aws iam create-role --role-name my_role_name \ --assume-role-policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":["rds.amazonaws.com"]},"Action":"sts:AssumeRole"}]}' ROLE_ARN=arn:aws:iam::account_id:role/my_role_name aws iam put-role-policy --role-name my_role_name \ --policy-name $PREFIX-secret-reader-policy --policy-document '{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": [ "arn:aws-cn:secretsmanager:us-east-2:account_id:secret:secret_name_1", "arn:aws-cn:secretsmanager:us-east-2:account_id:secret:secret_name_2" ] }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": "kms:Decrypt", "Resource": "arn:aws-cn:kms:us-east-2:account_id:key/key_id", "Condition": { "StringEquals": { "kms:ViaService": "secretsmanager.us-east-2.amazonaws.com" } } } ] }