Configure role-based authentication


An IAM role is an identity with permission policies. AWS Secrets Manager role-based authentication requires you to run Groundplex nodes on Amazon Elastic Compute Cloud (Amazon EC2). To use role-based authentication:
  • Without restricting secrets use to Snap accounts in a SnapLogic project, set up your Snap accounts using an expression that calls with the alias DEFAULT_AWS.
  • Restrict secrets use to Snap accounts in a SnapLogic project with a secrets-config.json node configuration file.
  1. In AWS Identity and Access Management (IAM), set up policies and a role.
    1. In AWS, navigate to the IAM service.
    2. Create permission policies for the EC2 instances running the Groundplex nodes and AWS Secrets Manager.
      The following minimum access is required:
      • EC2 instance: read and write access
      • EC2 Instance Metadata Service: read access
      • AWS Secrets Manager: read access to the secrets used by the EC2 instance
    3. Configure a role to use with the EC2 instance.
      1. Under Access management > Roles, create a role.
      2. Assign the EC2 and AWS Secrets Manager policies to that role.
  2. Configure the EC2 instance that hosts your SnapLogic Groundplex.
    1. Associate the new role with your EC2 instance.
    2. Enable the Instance Metadata Service for your EC2 instance.
  3. Note: This step is optional to restrict secrets use to Snap accounts in a project space or project.
    Create a secrets-config.json file in the following format:
                "AWS": [
                    "alias": "alias1",
                    "project_space": "/snaplogic/project1",
                    "aws_region": "us-east-1",
                    "alias": "alias2",
                    "project_space": "/snaplogic/project2",
                    "aws_region": "us-east-1",
    • alias: A unique name for the configuration object.
    • project_space: Restricts the use of secrets to accounts in the specified project space. Use this format: /<org>/<project_space>/[<project_name>] where the <project_name> is optional. Example: /my_org/my_space/my_project
    • aws_region: The AWS region that hosts the Secrets Manager.
  4. Configure dynamic SnapLogic accounts to connect to AWS Secrets Manager and to authenticate.