“ I have checked the documents of AWS to resolve the issue of retrieving secrets for cross account services. So I checked for various solutions and found out that it can be possible using IAM roles and policies. Also encrypting the secret using kms custom key. Pricing of KMS custom keys costs $1 per key.”
AWS Identity and Access Management (IAM) provides fine-grained access control across all of AWS. With IAM, you can specify who can access which services and resources, and under which conditions. With IAM policies, you manage permissions to your workforce and systems to ensure least-privilege permissions. IAM is an AWS service that is offered at no additional charge. To learn more, read the IAM.
The KMS keys that you create are customer managed keys. Customer managed keys are KMS keys in your AWS account that you create, own, and manage. You have full control over these KMS keys, including establishing and maintaining their key policies, IAM policies, and grants, enabling and disabling them, rotating their cryptographic material, adding tags, creating aliases that refer to the KMS keys, and scheduling the KMS keys for deletion.
In this post, you will get to know how to store and retrieve secrets for cross account services using kms permission policy and IAM roles. Here I have used a secret manager to store the secret credentials, a custom managed key to encrypt the secret, a rds database which the secret has been stored, and an IAM role which retrieves the secret.
You’ll need an Amazon RDS Database for this post. Getting started with RDS provides instructions on how to create a RDS. For this blog, I assume that I have a rds database.
The architecture diagram shows the overall deployment architecture with data flow, amazon RDS, aws secrets manager, aws kms, IAM role and cloudshell.
The blog post consists of the following phases:
- Store a Secret in Secrets Manager of Other Account RDS Database and Also Encrypt it Using KMS Custom Key
- Create a Role in Another Account for EC2 to Retrieve the Database Secret Stored in Main Account
I have a rds database as below →
Phase 1: Store a Secret in Secrets Manager of Other Account RDS Database and Also Encrypt it Using KMS Custom Key
- Open the secrets manager, store a secret with key value pair details. Give the secret name and store a secret. Create a custom key with symmetric key spec and other default options. Set key policy to allow other accounts access to the secret and retrieve it. Also set the resource permissions policy of secret for other accounts.
Phase 2: Create a Role in Another Account for EC2 to Retrieve the Database Secret Stored in Main Account
- Open the IAM console and create an IAM role for ec2 service. Add a custom inline policy to allow kms and secret manager access to the main account.
Delete Secret Manager, KMS Custom Key, IAM Role, RDS Database.
I review the pricing and estimated cost of this example.
Cost of RDS = $0.04
Cost of Key Management Service = $1.0
Cost of Secret Manager = 2 hours x ($0.40 per secret per month / 30 days / 24 hours + $0.05 per 10,000 API calls)
In this post, I showed “how to store and retrieve secrets for cross account services using kms permission policy and IAM roles ”.
For more details on IAM, Checkout Get started IAM, open the IAM console. To learn more, read the IAM documentation.
For more details on Key Management Service, Checkout Get started Key Management Service, open the Key Management Service Console. To learn more, read the Key Management Service Documentation.
Thanks for reading!
Connect with me: Linkedin
Top comments (0)