Tags: python-3.x, amazon-web-services, amazon-ec2, boto3, aws-secrets-manager

How to get all secrets from a different AWS account's Secrets Manager with Boto3?


I have several EC2 instances on one account. These EC2 instances need to get all the secrets from the Secrets Manager of another account.

I gather from the boto3 documentation that I can only get the secrets of the account a session is associated with: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/secretsmanager.html

Does that mean I would need to create an IAM user for these EC2 users on this other account in order to get the secrets stored on this account? Or is there another, cleaner way to do it?


Solution

  • "Cleaner" might come down to preference, but I would do it this way:

    1. Create an IAM role in the destination account that has the necessary secrets manager permissions attached and then grant access to the source account.

    https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

    2. Assume that role using the boto3 client on your source account EC2s (make sure the existing role has STS assume role permissions).

    https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-api.html

    Hope that helps!
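The two steps above, as an added example that is not part of the answer: the trust policy the destination-account role would carry (an `sts:ExternalId` condition is included here as a confused-deputy guard; it is an assumption, not something the answer requires), and the source-account code that assumes the role with the EC2 instance's own credentials and reads every secret. The role ARN, account ID and external ID are placeholders, and the destination role is assumed to allow `secretsmanager:ListSecrets` and `secretsmanager:GetSecretValue`.

```python
import json


def trust_policy(source_account_id: str, external_id: str) -> dict:
    """Trust policy for the role in the destination (secrets) account.

    Only principals in the source account that present the agreed ExternalId
    may assume it; the role's separate permissions policy grants the
    Secrets Manager actions. The account ID below is a placeholder."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{source_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def session_credentials(assume_role_response: dict) -> dict:
    """Map the temporary credentials in an sts:AssumeRole response onto the
    keyword arguments boto3.client() accepts."""
    c = assume_role_response["Credentials"]
    return {
        "aws_access_key_id": c["AccessKeyId"],
        "aws_secret_access_key": c["SecretAccessKey"],
        "aws_session_token": c["SessionToken"],
    }


def fetch_all_secrets(role_arn: str, external_id: str, region: str,
                      session_name: str = "cross-account-secrets") -> dict:
    """Run on a source-account EC2 instance: assume the destination role with
    the instance role's credentials, then page through every secret."""
    import boto3  # imported here so the pure helpers above run without boto3

    sts = boto3.client("sts")  # picks up the EC2 instance role automatically
    resp = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name,
                           ExternalId=external_id, DurationSeconds=900)
    sm = boto3.client("secretsmanager", region_name=region,
                      **session_credentials(resp))
    secrets = {}
    for page in sm.get_paginator("list_secrets").paginate():
        for entry in page["SecretList"]:
            value = sm.get_secret_value(SecretId=entry["ARN"])
            secrets[entry["Name"]] = value.get("SecretString") or value.get("SecretBinary")
    return secrets


if __name__ == "__main__":
    # Placeholder values; replace with the destination role's real ARN/ID.
    print(json.dumps(trust_policy("111122223333", "example-external-id"), indent=2))
```

The temporary credentials expire after `DurationSeconds`, so long-running processes should re-assume the role rather than cache the client indefinitely.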