Tags: amazon-web-services, amazon-ec2, aws-cli, aws-secrets-manager

How can I get the value of a secret from within an EC2 instance?


I'm trying to configure my EC2 instance so a script can get the value of a secret, for example at boot time.

I created an EC2 instance from a CentOS AMI, and a secret in the Secrets Manager. The secret uses a key from the KMS.

Then I defined an IAM Role with the appropriate policies to decrypt the secret, and assigned the role to the EC2 instance.

From within the instance I can see the AccessKeyId and SecretAccessKey in the metadata with this command (Decrypt-Secret being the name of the role):

$ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/Decrypt-Secrets/
{
  "Code" : "Success",
  "LastUpdated" : "2018-12-06T09:45:55Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "AAAAAAAAAAAAAA",
  "SecretAccessKey" : "BBBBBBBBBBBBBBBBBBB",
  "Token" : "...",
  "Expiration" : "2018-12-06T16:11:24Z"
}

Then I configure the aws cli:

$ aws configure
AWS Access Key ID [None]: AAAAAAAAAAAAAA
AWS Secret Access Key [None]: BBBBBBBBBBBBBBBBBBB
Default region name [us-east-1]: us-east-1
Default output format [None]: 

And try to get the secret:

$ aws secretsmanager get-secret-value --secret-id arn:aws:secretsmanager:us-east-1:1234567890:secret:my-secret-aaaaa

An error occurred (UnrecognizedClientException) when calling the GetSecretValue operation: The security token included in the request is invalid.

My understanding of the error is that I'm not using the right KeyID and AccessKey. But I don't understand why.

I have also tried to create a IAM User that uses the same policy, and when I specify the KeyID and AccessKey of that user it works, I can get the secret. But I have to specify the ID and Key manually, and my goal is for a script to get the secret automatically.

What am I missing?


Solution

  • When you are running the aws CLI on an EC2 instance with an IAM role already configured, you do not need to set the access key or any other information (except the region).

    The CLI already knows how to automatically pick up the credentials from the EC2 metadata. What is more, the credentials in the metadata are temporary and expire in 6 hours so you do not want to store them in your config.

    Remove the creds you stored in your config and run your command again with the correct region:

    aws --region us-east-1 secretsmanager get-secret-value --secret-id arn:aws:secretsmanager:us-east-1:1234567890:secret:my-secret-aaaaa
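A worked version of the boot-time script, added here as an example (it is not code from the question or the answer). Two points it makes concrete: the CLI resolves the instance role on its own, so nothing is ever written to `~/.aws`; and the credentials the metadata service hands out are a triple (access key, secret key, session token), so a tool that really cannot use the SDK credential chain must be given all three. The `aws configure` prompts shown in the question never ask for the session token, which is exactly why the request was rejected with `UnrecognizedClientException`. The script assumes `curl`, `sed` and the aws CLI are installed, reads the metadata service with IMDSv2 (token first, then the data), and keeps the live calls behind `RUN_LIVE=1`; the secret ARN and region are the placeholders from the post, the output path `/run/my-app-secret` is a made-up example, and the credential document embedded for the parser is constructed from the one in the question.

```shell
#!/bin/sh
# Added example, not from the original Q&A. Fetch a secret at boot using the
# instance role. Requires curl, sed and the aws CLI on the instance.
set -eu

SECRET_ID="${SECRET_ID:-arn:aws:secretsmanager:us-east-1:1234567890:secret:my-secret-aaaaa}"
REGION="${AWS_REGION:-us-east-1}"
IMDS="http://169.254.169.254"
OUT_FILE="${OUT_FILE:-/run/my-app-secret}"   # hypothetical destination path

# IMDSv2: get a short-lived token with a PUT, then send it on every read.
# A plain GET (IMDSv1) is what SSRF bugs in web apps on the box can replay.
imds_token() {
    curl -sS -f -X PUT "$IMDS/latest/api/token" \
        -H "X-aws-ec2-metadata-token-ttl-seconds: 300"
}

imds_get() {
    # $1 = path under /latest/meta-data/
    curl -sS -f -H "X-aws-ec2-metadata-token: $(imds_token)" "$IMDS/latest/meta-data/$1"
}

# Pull one string field out of a JSON document on stdin. sed instead of jq so
# the script has no extra dependency during early boot.
json_field() {
    # $1 = field name
    sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Escape hatch for a tool that cannot use the SDK credential chain: turn the
# security-credentials document into the three variables it needs. Refuses to
# emit anything without the session token, because an access key + secret key
# from this document are temporary credentials and are rejected on their own.
creds_to_env() {
    doc=$(cat)
    key=$(printf '%s\n' "$doc" | json_field AccessKeyId)
    secret=$(printf '%s\n' "$doc" | json_field SecretAccessKey)
    token=$(printf '%s\n' "$doc" | json_field Token)
    if [ -z "$key" ] || [ -z "$secret" ] || [ -z "$token" ]; then
        echo "creds_to_env: document lacks AccessKeyId, SecretAccessKey or Token" >&2
        return 1
    fi
    printf 'AWS_ACCESS_KEY_ID=%s\nAWS_SECRET_ACCESS_KEY=%s\nAWS_SESSION_TOKEN=%s\n' \
        "$key" "$secret" "$token"
}

# Constructed sample, modelled on the document shown in the question.
SAMPLE_CREDS_JSON='{
  "Code" : "Success",
  "LastUpdated" : "2018-12-06T09:45:55Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "AAAAAAAAAAAAAA",
  "SecretAccessKey" : "BBBBBBBBBBBBBBBBBBB",
  "Token" : "CCCCCCCCCCCCCCCC",
  "Expiration" : "2018-12-06T16:11:24Z"
}'

# Preferred path: no credentials handled by the script at all. The CLI reads
# the role from the metadata service itself and re-reads it when it rotates.
main() {
    role=$(imds_get iam/security-credentials/)
    echo "instance role: $role" >&2

    # Check the role was picked up before touching Secrets Manager.
    echo "caller: $(aws --region "$REGION" sts get-caller-identity --query Arn --output text)" >&2

    # --query keeps the ARN, version id and timestamps out of the variable.
    secret=$(aws --region "$REGION" secretsmanager get-secret-value \
        --secret-id "$SECRET_ID" --query SecretString --output text)

    # Write it root-only instead of echoing it into the boot log.
    (umask 077; printf '%s' "$secret" > "$OUT_FILE")
    echo "secret written to $OUT_FILE" >&2
}

if [ "${RUN_LIVE:-0}" = "1" ]; then
    main
fi
```

Run it on the instance with `RUN_LIVE=1 sh fetch-secret.sh`; the parsing helpers can be exercised anywhere, for example `printf '%s\n' "$SAMPLE_CREDS_JSON" | creds_to_env`. Only use `creds_to_env` for a tool that genuinely cannot read the metadata service itself, and re-read the document before the `Expiration` shown in it rather than caching the three values.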