Tags: amazon-web-services, amazon-ec2, amazon-iam, aws-secrets-manager

Unable to retrieve secret from secretsmanager on aws-ec2 using an IAM role


Goal: Retrieve a secret from Secrets Manager on an AWS EC2 instance programmatically through the command line.

I have created an IAM role with policies that grant full access to AWS Secrets Manager and AWS EC2, and that also allow it to assume the role and modify the role of any AWS EC2 instance. I created an AWS instance, attached the IAM role to it and executed the following:

      aws secretsmanager list-secrets

which returned:

      An error occurred (UnrecognizedClientException) when calling the ListSecrets operation: The security token included in the request is invalid.

I get an error. I am able to retrieve the security credentials using the metadata of the instance.

  • Am I missing something here? I basically want to retrieve the secret in an AWS instance in a secure way.
  • When I try to run the above command to list secrets, the CLI complains that it needs a region. My EC2 instance and secrets are all in us-east-2, so I use the same region, and it still does not work.

Any suggestions/pointers would be highly appreciated. Thanks!


Solution

  • Here is how I would troubleshoot.

    1. Check whether the instance is aware of the IAM role attached to it.

      aws sts get-caller-identity
      
    2. Try passing the region to the command.

      aws secretsmanager list-secrets --region us-east-2
      
    3. I would check whether AWS_REGION or AWS_DEFAULT_REGION is set, but even if these values are set, passing --region should override them.

    Hope this helps you get somewhere.
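The three steps above, as an added diagnostic script that is not part of the original question or answer. It walks the credential sources the AWS CLI consults in order (environment variables, the shared config and credentials files, then the instance profile via IMDS), prints which one is in effect, and then runs the caller-identity and Secrets Manager checks with an explicit region. Assumptions that are not in the original: us-east-2 as the default region, a secret named by the `SECRET_ID` environment variable, and `curl` and the AWS CLI installed on the instance.

```shell
#!/bin/sh
# Added example (not from the original post): diagnose "security token ... is
# invalid" on an EC2 instance that has an instance profile attached.
# Assumptions: region us-east-2 unless AWS_REGION is set, SECRET_ID (optional)
# names an existing secret, curl and the AWS CLI are installed.

IMDS=http://169.254.169.254/latest

# Print the AWS_* variables that the CLI reads before it ever looks at the
# instance profile. Returns 0 when none is set, 1 when at least one is.
aws_env_overrides() {
  found=0
  for name in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_PROFILE; do
    eval "value=\${$name:-}"
    if [ -n "$value" ]; then
      echo "$name"
      found=1
    fi
  done
  return $found
}

# Print the shared config files that are consulted before the instance profile.
aws_files_present() {
  for f in "${HOME:-/root}/.aws/credentials" "${HOME:-/root}/.aws/config"; do
    [ -f "$f" ] && echo "$f"
  done
  return 0
}

# Read the instance-profile credentials through IMDSv2 and print the role name
# plus the AccessKeyId and Expiration, to compare with what the CLI reports.
imds_role_credentials() {
  token=$(curl -sS --max-time 2 -X PUT "$IMDS/api/token" \
            -H "X-aws-ec2-metadata-token-ttl-seconds: 300") || return 1
  role=$(curl -sS --max-time 2 -H "X-aws-ec2-metadata-token: $token" \
            "$IMDS/meta-data/iam/security-credentials/") || return 1
  [ -n "$role" ] || { echo "no IAM role attached (IMDS returned nothing)"; return 1; }
  echo "role: $role"
  curl -sS --max-time 2 -H "X-aws-ec2-metadata-token: $token" \
      "$IMDS/meta-data/iam/security-credentials/$role" \
    | grep -E '"(Code|AccessKeyId|Expiration)"'
}

# Steps 1 and 2 of the answer with the region passed explicitly, followed by
# the actual retrieval once the identity the CLI reports is the instance role.
run_checks() {
  region=${1:-us-east-2}
  echo "== credential source the CLI is using (see the Type column) =="
  aws configure list
  echo "== environment variables that override the instance profile =="
  if aws_env_overrides; then
    echo "(none)"
  else
    echo "(unset the variables above to fall back to the instance role)"
  fi
  echo "== shared config files present =="
  aws_files_present
  echo "== instance profile credentials from IMDS =="
  imds_role_credentials || echo "(could not read IMDS: not on EC2, or no role attached)"
  echo "== who the CLI is acting as =="
  aws sts get-caller-identity --region "$region"
  echo "== Secrets Manager =="
  aws secretsmanager list-secrets --region "$region" --query 'SecretList[].Name' --output text
  if [ -n "${SECRET_ID:-}" ]; then
    aws secretsmanager get-secret-value --region "$region" --secret-id "$SECRET_ID" \
      --query SecretString --output text
  fi
}

if command -v aws >/dev/null 2>&1; then
  run_checks "${AWS_REGION:-us-east-2}"
else
  echo "aws CLI not installed; only the pure-shell helpers are usable" >&2
fi
```

`aws configure list` is the quickest single check: its `Type` column says where the access key came from (`env`, `shared-credentials-file` or `iam-role`), and a `get-caller-identity` result whose ARN is not the instance role's assumed-role ARN means something earlier in the chain is supplying credentials.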