Configure role-based authentication

AWS Secrets Manager role-based authentication requires you to run Groundplex nodes on Amazon Elastic Compute Cloud (Amazon EC2), and the Secrets Manager must be in the same AWS region as those nodes.

An IAM role is an identity with permission policies. A single role can be set up to grant access to multiple secrets.

To use role-based authentication:
  • Without restricting secrets to Snap accounts in a specific SnapLogic Project Space or project, set up your Snap accounts using an expression that calls secrets.read with the alias DEFAULT_AWS.
  • Restrict secrets use to Snap accounts in a SnapLogic Project Space or project with a secrets-config.json node configuration file.
  1. In AWS Identity and Access Management (IAM), set up policies and a role.
    1. In AWS, navigate to the IAM service.
    2. Create permission policies for the EC2 instances running the Groundplex nodes and AWS Secrets Manager.
      The following minimum access is required:
      • EC2 instance: read and write access
      • EC2 Instance Metadata Service: read access
      • AWS Secrets Manager: read access to the secrets used by the EC2 instance
    3. Configure a role to use with the EC2 instance.
      1. Under Access management > Roles, create a role.
      2. Assign the EC2 and AWS Secrets Manager policies to that role.
  2. Configure the EC2 instance that hosts your SnapLogic Groundplex.
    1. Associate the new role with your EC2 instance.
    2. Enable the Instance Metadata Service for your EC2 instance.
  3. Optional: Restrict secrets use to Snap accounts in a project space or project.
    Create a secrets-config.json file in the following format:
    
              {
                "AWS": [
                  {
                    "alias": "alias1",
                    "project_space": "/snaplogic/project1",
                    "aws_region": "us-east-1"
                  },
                  {
                    "alias": "alias2",
                    "project_space": "/snaplogic/project2",
                    "aws_region": "us-east-1"
                  }
                ]
              }

    • alias: A unique name for the configuration object.
    • project_space: Restricts the use of secrets to accounts in the specified project space. Use this format: /<org>/<project_space>/[<project_name>], where <project_name> is optional. Example: /my_org/my_space/my_project
    • aws_region: The AWS region that hosts the Secrets Manager.
  4. Configure endpoint accounts to connect to AWS Secrets Manager and to authenticate.
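As an added example (not SnapLogic's code), the following Python checks a secrets-config.json document against the format described in step 3 and reports which aliases cover a given Snap account's project path. The helper names and the scoping rule (an entry applies to its own project space and to any project beneath it) are assumptions.

```python
import json
import re

# Constructed sample in the secrets-config.json format from step 3; the third
# entry is deliberately malformed so the checks below have something to flag.
SAMPLE_CONFIG = json.dumps({"AWS": [
    {"alias": "alias1", "project_space": "/my_org/my_space",
     "aws_region": "us-east-1"},
    {"alias": "alias2", "project_space": "/my_org/my_space/my_project",
     "aws_region": "us-east-1"},
    {"alias": "alias2", "project_space": "bad-path", "aws_region": ""},
]})

# project_space must look like /<org>/<project_space>/[<project_name>]
PROJECT_SPACE_RE = re.compile(r"^/[^/]+/[^/]+(?:/[^/]+)?$")


def validate_config(text):
    """Return the problems found in a secrets-config.json document (hypothetical helper)."""
    problems, seen = [], set()
    for i, entry in enumerate(json.loads(text).get("AWS", [])):
        alias = entry.get("alias")
        if not alias:
            problems.append(f"entry {i}: missing alias")
        elif alias in seen:  # aliases must be unique
            problems.append(f"entry {i}: duplicate alias {alias!r}")
        seen.add(alias)
        if not PROJECT_SPACE_RE.match(entry.get("project_space", "")):
            problems.append(f"entry {i}: bad project_space {entry.get('project_space')!r}")
        if not entry.get("aws_region"):
            problems.append(f"entry {i}: missing aws_region")
    return problems


def aliases_for(text, account_path):
    """Aliases whose project_space covers a Snap account at account_path.

    Assumed scoping rule: an entry applies to its own project space and to
    any project beneath it; malformed entries never grant access.
    """
    allowed = []
    for entry in json.loads(text).get("AWS", []):
        scope = entry.get("project_space", "").rstrip("/")
        if PROJECT_SPACE_RE.match(scope) and (
            account_path == scope or account_path.startswith(scope + "/")
        ):
            allowed.append(entry["alias"])
    return allowed
```

Run the checks before deploying the file to a node, so a duplicate alias or a mistyped project path is caught rather than silently widening or breaking secret access.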