Rahul Saini

Reputation: 2353

AWS SecretsManager GetSecretValue from EC2 standalone PHP program using AWS SDK results in AWS HTTP error: Client error: 400 Bad Request

I have written this standalone program in PHP for EC2 Instance to read secrets from SecretsManager (EC2 Instance and Secret are in the same region). I have AWS SDK PHAR in the same folder as the program below.

<?php

require 'aws.phar'; // Include the AWS SDK for PHP

use Aws\SecretsManager\SecretsManagerClient;
use Aws\Exception\AwsException;

// No explicit credentials are passed: the SDK's default provider chain
// falls back to the EC2 instance profile (the IAM role attached to the instance).
$client = new SecretsManagerClient([
    'version' => 'latest',
    'region'  => 'us-west-1',
]);

try {
    $result = $client->getSecretValue([
        'SecretId' => 'prod/vserver/api-keys',
    ]);
    $secretString = $result['SecretString'];
} catch (AwsException $e) {
    // Log the service error code and message (e.g. AccessDeniedException)
    // rather than the raw exception, so no secret material ends up in logs.
    error_log($e->getAwsErrorCode() . ': ' . $e->getAwsErrorMessage());
    exit(1);
}

I want the EC2 Instance to retrieve the secret without providing any explicit AWS credentials. I have created an IAM Policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowReadSecrets",
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:us-west-1:ACCOUNTID:secret:prod/vserver/api-keys"
    }
  ]
}

I have created a role, EC2_ACCESS_SECRETSMANAGER, attached the Policy to the Role, and attached the IAM Role to the EC2 Instance from which I am running the PHP Program.

But I am getting error: Next Aws\SecretsManager\Exception\SecretsManagerException: Error executing "GetSecretValue" on "https://secretsmanager.us-west-1.amazonaws.com"; AWS HTTP error: Client error: POST https://secretsmanager.us-west-1.amazonaws.com resulted in a 400 Bad Request response: {"__type":"AccessDeniedException","Message":"User: arn:aws:sts::<AWS_ACCOUNT_ID>:assumed-role/EC2_ACCESS_SECRETSMANAGER/i-08 (truncated...) AccessDeniedException (client): User: arn:aws:sts::<AWS_ACCOUNT_ID>:assumed-role/EC2_ACCESS_SECRETSMANAGER/ is not authorized to perform: secretsmanager:GetSecretValue on resource: prod/vserver/api-keys because no identity-based policy allows the secretsmanager:GetSecretValue action - {"__type":"AccessDeniedException","Message":"User: arn:aws:sts::<AWS_ACCOUNT_ID>:assumed-role/EC2_ACCESS_SECRETSMANAGER/ is not authorized to perform: secretsmanager:GetSecretValue on resource: prod/vserver/api-keys because no identity-based policy allows the secretsmanager:GetSecretValue action"} in phar:///var/www/html/aws.phar/Aws/WrappedHttpHandler.php:195

<AWS_ACCOUNT_ID> is a placeholder substituted for the real value for posting here.

Upvotes: 0

Views: 1075

Answers (2)

Rahul Saini

Reputation: 2353

I had to put in the following IAM Policy and IAM Role for this to work OK (recall that I needed this for a web app deployed on an EC2 Instance to access AWS SecretsManager without needing to provide any AWS access credentials).

IAM Policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole",
        "sts:AssumeRole",
        "secretsmanager:GetSecretValue",
        "iam:GetPolicy",
        "sts:GetCallerIdentity"
      ],
      "Resource": "*"
    }
  ]
}

and EC2 IAM Role with Trusted Entities as:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

PS: This is working albeit with much wider permissions and resources than what should be permitted. I will try to implement what @JasonQ-AWS has suggested to see if that works.

Upvotes: 0
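The difference between the question's policy (which names the secret but is denied) and the workaround above (which grants five actions on Resource "*") comes down to how IAM matches the Resource element. Secrets Manager appends a hyphen and six random characters to every secret's ARN, so a Resource that ends in the bare secret name matches nothing; the AWS documentation uses the `-??????` form to cover that suffix. The following Python script is an added example for this thread, not code from the question, the answers or the AWS SDK: it is a deliberately simplified model of identity-policy evaluation (Allow statements, `*` and `?` wildcards, no Deny, conditions, SCPs or resource policies) that runs offline against constructed ARNs (fake account id, made-up suffixes) and shows why the question's policy fails, how a scoped policy that still names one secret succeeds, and how much wider the `"Resource": "*"` workaround reaches.

```python
"""Simplified IAM identity-policy matcher for Secrets Manager ARNs.

Added example for this thread; not code from the question, the answers or
the AWS SDK. It models only the parts of IAM evaluation that matter here:
Allow statements, and Action/Resource matching with IAM's '*' and '?'
wildcards. Real IAM evaluation also applies explicit Deny statements,
conditions, SCPs, permission boundaries and resource-based policies.
"""
import re

# Constructed values: a fake account id and made-up six-character suffixes
# standing in for the random suffix Secrets Manager appends to secret ARNs.
ACCOUNT_ID = "123456789012"
SECRET_ARN = (f"arn:aws:secretsmanager:us-west-1:{ACCOUNT_ID}:"
              "secret:prod/vserver/api-keys-AbCdEf")
OTHER_SECRET_ARN = (f"arn:aws:secretsmanager:us-west-1:{ACCOUNT_ID}:"
                    "secret:prod/db/master-password-GhIjKl")
GET_SECRET = "secretsmanager:GetSecretValue"

# The question's policy: Resource is the secret name with no suffix.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowReadSecrets",
        "Effect": "Allow",
        "Action": GET_SECRET,
        "Resource": f"arn:aws:secretsmanager:us-west-1:{ACCOUNT_ID}:secret:prod/vserver/api-keys",
    }],
}

# Least-privilege alternative: same ARN with '-??????' for the generated suffix.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowReadOneSecret",
        "Effect": "Allow",
        "Action": GET_SECRET,
        "Resource": f"arn:aws:secretsmanager:us-west-1:{ACCOUNT_ID}:secret:prod/vserver/api-keys-??????",
    }],
}

# The policy from the workaround answer: several actions on Resource "*".
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": ["iam:PassRole", "sts:AssumeRole", GET_SECRET,
                   "iam:GetPolicy", "sts:GetCallerIdentity"],
        "Resource": "*",
    }],
}


def _iam_glob(pattern: str) -> "re.Pattern":
    """Compile an IAM pattern: '*' matches any run of characters (including
    ':' and '/'), '?' matches exactly one; everything else is literal."""
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
             for ch in pattern]
    return re.compile("^" + "".join(parts) + "$")


def _matches(element, value: str, case_insensitive: bool = False) -> bool:
    """Match a policy element (a string or a list of strings) against a value."""
    patterns = element if isinstance(element, list) else [element]
    if case_insensitive:
        return any(_iam_glob(p.lower()).match(value.lower()) for p in patterns)
    return any(_iam_glob(p).match(value) for p in patterns)


def is_allowed(policy: dict, action: str, resource_arn: str) -> bool:
    """True if some Allow statement covers both the action and the resource.
    Action names are case-insensitive in IAM; resource ARNs are not."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if (_matches(stmt["Action"], action, case_insensitive=True)
                and _matches(stmt["Resource"], resource_arn)):
            return True
    return False


def covered_resources(policy: dict, action: str, candidates: list) -> list:
    """Blast radius: which of the candidate ARNs does the policy grant
    `action` on? Compares a scoped Resource with Resource '*'."""
    return [arn for arn in candidates if is_allowed(policy, action, arn)]


if __name__ == "__main__":
    for name, policy in [("question", QUESTION_POLICY),
                         ("scoped", SCOPED_POLICY),
                         ("broad", BROAD_POLICY)]:
        print(name, covered_resources(policy, GET_SECRET,
                                      [SECRET_ARN, OTHER_SECRET_ARN]))
```

Running it prints an empty list for the question's policy, only the api-keys ARN for the scoped policy, and both secrets for the broad one. The same evaluator reports that the broad policy also grants `iam:PassRole` on any role, which is the "much wider permissions" the answer acknowledges; on a real account, confirm the role's effective permissions with the IAM policy simulator rather than a model like this.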

JasonQ-AWS

Reputation: 44

Try attaching the following policy to your secret. This allows the specified IAM Role to access the secret, rather than coming the other way like you've posted.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::AccountId:role/EC2RoleToAccessSecrets"
      },
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "*"
    }
  ]
}

Don't forget to change AccountId and EC2RoleToAccessSecrets.

Permissions and roles can be a bit tricky, so I'd suggest you read up on it more here: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html

Upvotes: 0
