Recently, I had a task to automate the startup of custom systemd services when a new EC2 instance is launched. A user data script is a great way to make any necessary changes in the system at EC2 launch. The user data script runs as root, which gives you pretty much all the permissions you need. The only problem I have encountered was with one of the systemd services, which requires a password to be started. Since the user data script can be retrieved from the launched EC2 instance and the output of the script is stored in logs, it is against security best practices to put the password as plain text in the script. The problem can be solved with AWS Secrets Manager and an AWS CLI command to retrieve the secret:

1. Create EC2 Instance Role with Secret Read Access policy.
2. Create EC2 instance and retrieve secret value at launch.

Start with creating the secret which we will later use for the EC2 instance at launch.

Secrets Manager -> Store a new secret

Then choose the type Other type of secrets and specify the key/value for the new secret. Click Next, then specify a name for the secret and click Next again. Now you can configure automatic rotation. It is not necessary for this scenario, therefore leave the default and click Next. You will be taken to the screen showing all secrets; in my case it is just the one created now.

[Image: List of stored secrets]

Create EC2 Instance Role with Secret Read Access policy

We already have the secret safely stored within AWS Secrets Manager. The EC2 instance will not be able to read the secret unless you add read permissions to the instance role. Then click Create Policy; it will open in a separate web browser tab.
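The user data script the post is building towards, as an added example (not the author's own script): it fetches the secret with the AWS CLI under the instance role, extracts one key from the JSON SecretString, and stages it in a 0600 environment file so the password never appears in the script text, in process arguments, or in the logged user-data output. The secret name my-service/db, its password key, the my-service.service unit, the /etc/my-service/env path and the SECRET_STRING_OVERRIDE hook are assumptions; the instance role policy is assumed to allow secretsmanager:GetSecretValue on that secret.

```bash
#!/bin/bash
# Added example, not the post's script. Assumes a hypothetical secret
# "my-service/db" whose SecretString is a JSON object with a "password" key,
# an instance role allowed secretsmanager:GetSecretValue on that secret, and a
# hypothetical unit my-service.service that loads /etc/my-service/env through
# EnvironmentFile=.
set -eu

# Fetch the SecretString with the AWS CLI; the instance role's credentials are
# picked up automatically. SECRET_STRING_OVERRIDE (hypothetical) lets the
# parsing and file handling below be exercised without AWS access.
get_secret_string() {
    if [ -n "${SECRET_STRING_OVERRIDE:-}" ]; then
        printf '%s\n' "$SECRET_STRING_OVERRIDE"
    else
        aws secretsmanager get-secret-value --secret-id "$1" \
            --query SecretString --output text
    fi
}

# Pull one string value out of a flat JSON object by key. Sufficient for the
# key/value secrets the console creates; values containing '"' need jq instead.
json_value() {
    printf '%s\n' "$1" |
        sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Write KEY=value into an env file that is 0600 before the value lands on disk.
# Only shell builtins touch the value, so it never shows up in process
# arguments or in the user-data output that cloud-init logs.
write_env_file() {
    local file="$1" key="$2" value="$3"
    mkdir -p "$(dirname "$file")"
    ( umask 077; : > "$file" )
    chmod 0600 "$file"
    printf '%s=%s\n' "$key" "$value" >> "$file"
}

# Resolve the secret and stage it for the service; fail loudly if the key is
# missing instead of starting the service with an empty password.
provision_service_env() {
    local secret_id="${1:-my-service/db}" env_file="${2:-/etc/my-service/env}"
    local password
    password="$(json_value "$(get_secret_string "$secret_id")" password)"
    [ -n "$password" ] || { echo "secret $secret_id has no password key" >&2; return 1; }
    write_env_file "$env_file" DB_PASSWORD "$password"
}

# In user data the script ends with:
#   provision_service_env && systemctl enable --now my-service.service
```

Because the value reaches the service only through EnvironmentFile=, nothing in /var/log/cloud-init-output.log or in the retrieved user data contains it.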