Tags: amazon-web-services, terraform, amazon-ecs, aws-secrets-manager

Terraform and AWS IAM to update a Secret's Policy shared with multiple ECS Tasks


I am new to Terraform and am trying to setup the following. I have created a AWS Secret that I want to share across multiple AWS ECS Services.

Each of my ECS Services has its own git repo with its own Terraform files. I've been able to reference the Secret's ARN in those Terraform files to populate the ECS Task Definition's Secrets properties. This works when I manually configure the Secret's policy to allow the ECS Task's Execution Role to have access to the secret.

What I'm stuck on now is: How can I configure Terraform to update the Secret's Policy with the ECS Task's Execution Role ARN?

I think I need it to append to the "Principals", however each Git Repo has no context of what the other ECS Tasks are (nor should it).
Maybe I have this concept the wrong way around? (Should I be attaching a policy to the ECS Task's Execution Role that references the Secret's ARN?)


Solution

  • I was coming at this the wrong way. Rather than set the Policy on the Secret, I needed to create a new policy for the "AWS ECS Task Execution Role" that granted access to the secret (and the KMS Key).

    It's pretty clearly stated in the AWS Secrets Manager documentation:

    Required IAM permissions for Amazon ECS secrets

    To use this feature, you must have the Amazon ECS task execution role and reference it in your task definition. This allows the container agent to pull the necessary Secrets Manager resources. For more information, see Amazon ECS task execution IAM role.

    To provide access to the Secrets Manager secrets that you create, manually add the following permissions as an inline policy to the task execution role. For more information, see Adding and Removing IAM Policies.

    • secretsmanager:GetSecretValue – Required if you're referencing a Secrets Manager secret.
    • kms:Decrypt – Required only if your secret uses a custom KMS key and not the default key. The ARN for your custom key must be added as a resource.

    The following example inline policy adds the required permissions.

    {
      "Version": "2012-10-17",   
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "secretsmanager:GetSecretValue",
            "kms:Decrypt"
          ],
          "Resource": [
            "arn:aws:secretsmanager:<region>:<aws_account_id>:secret:<secret_name>",
            "arn:aws:kms:<region>:<aws_account_id>:key/<key_id>"
          ]
        }
      ]
    }

    In Terraform I was able to use the variables I had already configured and added this to my "Task Definition".

    resource "aws_iam_role_policy" "task_secret_access_policy" {
      name   = "${var.name}-secret-access-policy"
      role   = var.task_execution_role.name
      policy = <<-EOF
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "secretsmanager:GetSecretValue"
            ],
            "Resource": "${var.secret_arn}"
          },
          {
            "Effect": "Allow",
            "Action": [
              "kms:Decrypt"
            ],
            "Resource": ["${var.basic_kms_key_arn}", "${var.regulated_kms_key_arn}"]
          }
        ]
      }
      EOF
    }
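The same grant written with the `aws_iam_policy_document` data source instead of a heredoc (so Terraform validates the policy JSON and `terraform plan` shows a readable diff), together with the task definition side that consumes the secret. This is an added example, not the asker's code or AWS's; the variable names `var.name`, `var.secret_arn`, `var.basic_kms_key_arn`, `var.regulated_kms_key_arn` and `var.task_execution_role` follow the answer above, and the container name, image and environment variable name are placeholders.

```hcl
# Added example: identity-based grant on the task execution role, one
# repo's worth of configuration, with no knowledge of other services.

data "aws_iam_policy_document" "task_secret_access" {
  # Read access scoped to exactly one secret. Secrets Manager ARNs end in a
  # random six-character suffix, so passing the full ARN (rather than a
  # wildcard on the secret name) keeps this from matching other secrets.
  statement {
    sid       = "ReadSharedSecret"
    effect    = "Allow"
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [var.secret_arn]
  }

  # kms:Decrypt is only needed when the secret is encrypted with a customer
  # managed key; drop this statement if the secret uses the AWS managed key.
  statement {
    sid       = "DecryptSharedSecret"
    effect    = "Allow"
    actions   = ["kms:Decrypt"]
    resources = [var.basic_kms_key_arn, var.regulated_kms_key_arn]
  }
}

resource "aws_iam_role_policy" "task_secret_access_policy" {
  name   = "${var.name}-secret-access-policy"
  role   = var.task_execution_role.name
  policy = data.aws_iam_policy_document.task_secret_access.json
}

# The task definition references the same ARN. The ECS agent fetches the
# value at task start using the *execution* role, not the task role, which
# is why the policy above is attached to the execution role.
resource "aws_ecs_task_definition" "service" {
  family                   = var.name
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  cpu                      = "256"
  memory                   = "512"
  execution_role_arn       = var.task_execution_role.arn

  container_definitions = jsonencode([
    {
      name      = "app"                                   # placeholder
      image     = "123456789012.dkr.ecr.us-east-1.amazonaws.com/app:latest" # placeholder
      essential = true
      secrets = [
        {
          name      = "DB_PASSWORD"  # placeholder env var name inside the container
          valueFrom = var.secret_arn # whole secret string; a JSON key can be selected
                                     # with the documented arn:json-key:version-stage:version-id form
        }
      ]
    }
  ])

  # Register the task definition only after the grant exists, so the first
  # task launch does not fail on a missing permission.
  depends_on = [aws_iam_role_policy.task_secret_access_policy]
}
```

Two caveats worth knowing before relying on this. First, an identity policy alone is enough only within the same account: if the secret lives in another account, the secret's resource policy and the KMS key policy must also allow the foreign execution role, which is the case where the asker's original "edit the secret's policy" idea is actually required. Second, with a customer managed KMS key the key policy has to permit IAM policies in the account to grant access (the default key policy's account-root statement does this); a locked-down key policy will make `kms:Decrypt` fail even though the inline policy above allows it. To check the effective permissions without launching a task, `aws iam simulate-principal-policy --policy-source-arn <execution role ARN> --action-names secretsmanager:GetSecretValue kms:Decrypt --resource-arns <secret ARN> <key ARN>` reports allowed or implicitDenied per action.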