AWS Secrets Manager role-based authentication
AWS Secrets Manager role-based authentication requires you to run Groundplex nodes on Amazon Elastic Compute Cloud (Amazon EC2), and the Secrets Manager must be in the same AWS region. An IAM role is an identity with permission policies; a single role can be set up to grant access to multiple secrets.
To use role-based authentication:
- Without restricting secrets to Snap accounts in a specific SnapLogic Project Space or project, set up your Snap accounts using an expression that calls secrets.read with the alias DEFAULT_AWS.
- To restrict secrets use to Snap accounts in a SnapLogic Project Space or project, use a secrets-config.json node configuration file.
- In AWS Identity and Access Management (IAM), set up policies and a role.
  - In AWS, navigate to the IAM service.
  - Create permission policies for the EC2 instances running the Groundplex nodes and AWS Secrets Manager. The following minimum access is required:
    - EC2 instance: read and write access
    - EC2 Instance Metadata Service: read access
    - AWS Secrets Manager: read access to the secrets used by the EC2 instance
  - Configure a role to use with the EC2 instance.
    - Under , create a role.
    - Assign the EC2 and AWS Secrets Manager policies to that role.
  - Configure the EC2 instance that hosts your SnapLogic Groundplex.
    - Associate the new role with your EC2 instance.
    - Enable the Instance Metadata Service for your EC2 instance.
Note: This step is optional; perform it only if you want to restrict secrets use to Snap accounts in a project space or project. Create a secrets-config.json file in the following format:
{
  "AWS": [
    {
      "alias": "alias1",
      "project_space": "/snaplogic/project1",
      "aws_region": "us-east-1"
    },
    {
      "alias": "alias2",
      "project_space": "/snaplogic/project2",
      "aws_region": "us-east-1"
    }
  ]
}
- alias: A unique name for the configuration object.
- project_space: Restricts the use of secrets to accounts in the specified project space. Use this format: /<org>/<project_space>/[<project_name>], where the <project_name> is optional. Example: /my_org/my_space/my_project
- aws_region: The AWS region that hosts the Secrets Manager.
- Configure endpoint accounts to connect to AWS Secrets Manager and to authenticate.
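Because secrets-config.json decides which project spaces may read which secrets, a malformed file (a trailing comma, a missing comma between objects, a duplicate alias, or a project_space that does not follow the /<org>/<project_space>/[<project_name>] format) is worth catching before the node picks it up. The following is an added example validator, not SnapLogic's own code; the character set allowed in path segments and the region-name shape are assumptions of the example, and the sample documents are constructed.

```python
import json
import re

# Path format from the page: /<org>/<project_space>/[<project_name>]; limiting segments to [\w-] is an assumption.
PROJECT_SPACE_RE = re.compile(r"^/[\w-]+/[\w-]+(?:/[\w-]+)?$")
# Coarse shape of a region name such as us-east-1; also an assumption, not an allow-list.
AWS_REGION_RE = re.compile(r"^[a-z]{2}(?:-[a-z]+)+-\d$")
REQUIRED_KEYS = {"alias", "project_space", "aws_region"}

def validate_secrets_config(text: str) -> list[str]:
    """Return the problems found in a secrets-config.json document; empty means valid."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        # A trailing comma or a missing comma between objects ("}{") is rejected here.
        return [f"invalid JSON: {exc.msg} at line {exc.lineno}"]
    entries = doc.get("AWS") if isinstance(doc, dict) else None
    if not isinstance(entries, list):
        return ['top level must be an object with an "AWS" array']
    problems: list[str] = []
    seen: set[str] = set()
    for i, entry in enumerate(entries):
        if not isinstance(entry, dict):
            problems.append(f"entry {i}: must be an object")
            continue
        missing = sorted(REQUIRED_KEYS - set(entry))
        if missing:
            problems.append(f"entry {i}: missing keys {missing}")
        alias = str(entry.get("alias", ""))
        if alias in seen:  # each alias must be unique across the file
            problems.append(f"entry {i}: duplicate alias {alias!r}")
        seen.add(alias)
        space = str(entry.get("project_space", ""))
        if not PROJECT_SPACE_RE.match(space):
            problems.append(f"entry {i}: project_space {space!r} is not /<org>/<project_space>/[<project_name>]")
        region = str(entry.get("aws_region", ""))
        if not AWS_REGION_RE.match(region):
            problems.append(f"entry {i}: aws_region {region!r} is not an AWS region name")
    return problems

# Constructed sample documents for this example (not from a real deployment).
GOOD_CONFIG = """{"AWS": [
  {"alias": "alias1", "project_space": "/my_org/my_space/my_project", "aws_region": "us-east-1"},
  {"alias": "alias2", "project_space": "/my_org/other_space", "aws_region": "us-east-1"}]}"""
# Trailing comma plus "}{" between objects: two easy mistakes when writing the file by hand.
BROKEN_JSON = """{"AWS": [{"alias": "alias1", "project_space": "/my_org/s1", "aws_region": "us-east-1",}{
  "alias": "alias2", "project_space": "/my_org/s2", "aws_region": "us-east-1"}]}"""
# Parses, but reuses an alias and has a project_space without the leading slash.
BAD_ENTRIES = """{"AWS": [{"alias": "alias1", "project_space": "/my_org/s1", "aws_region": "us-east-1"},
  {"alias": "alias1", "project_space": "my_org/s1", "aws_region": "virginia"}]}"""
```

Run validate_secrets_config on the file's text before deploying it to the node; a non-empty result lists every entry that would silently fail to restrict, or fail to parse at all.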