2
votes

Goal: retrieve a secret from Secrets Manager on an AWS EC2 instance programmatically through the command line.

I have created an IAM role with policies that grant full access to AWSSecretsManager and AWSEC2instance, and also to assume the role and modify the role of any AWS EC2 instance. I created an AWS instance, attached the IAM role to it and executed the following steps:

    aws secretsmanager list-secrets
    An error occurred (UnrecognizedClientException) when calling the ListSecrets operation: The security token included in the request is invalid.

I get an error. I am able to retrieve the security credentials using the metadata of the instance.

- Am I missing something here? I basically want to retrieve the secret in an AWS instance in a secure way.
- When I try to run the above command to list secrets, the CLI complains that it needs a region. My EC2 instance and secrets are all in us-east-2, so I use the same region, and it still does not work.

Any suggestions/pointers would be highly appreciated. Thanks!


2 Answers

1
votes

Here is how I would troubleshoot.

  1. Check whether the instance is aware of the IAM role attached to it.

    aws sts get-caller-identity
    
  2. Try passing the region to the command.

    aws secretsmanager list-secrets --region us-east-2
    
  3. I would check whether AWS_REGION or AWS_DEFAULT_REGION is set, but even if these values are set, passing --region should override them.

Hope this helps you get somewhere.

0
votes

Have you run "aws configure" on the instance? Sounds like it might be using the token in there rather than the EC2 instance role. See the references below for the sequence it checks, but basically the EC2 role is the last place it looks; if it gets credentials earlier, it will use them.

See here for the priority/sequence:

- https://docs.aws.amazon.com/amazonswf/latest/awsrbflowguide/set-up-creds.html
- https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html ("Using the Default Credential Provider Chain")
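Both answers come down to the same check: find out which credential source the CLI picks up before the instance role gets a chance. The script below is an added example, not code from the question or either answer. It walks the same order the linked provider-chain docs describe (environment variables, then the shared credentials file, then the shared config file, then the EC2 instance profile) using only the shell and awk, so it runs offline and does not need the CLI to be working. The file paths default to `~/.aws/credentials` and `~/.aws/config` but are parameters, and the `diagnose` function, profile handling and messages are my own construction.

```shell
#!/bin/sh
# Added example (not from the question or the answers): mirror the AWS CLI's
# credential lookup order to see which source is shadowing the instance role.
# Assumed order, taken from the provider-chain docs linked above:
#   1. AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY in the environment
#   2. shared credentials file (~/.aws/credentials), section [PROFILE]
#   3. shared config file (~/.aws/config), section [default] or [profile PROFILE]
#   4. EC2 instance profile (only reached when nothing above is populated)

# profile_has_key FILE SECTION
# Returns 0 if the INI-style FILE has a [SECTION] that contains aws_access_key_id.
profile_has_key() {
    file=$1
    section=$2
    [ -r "$file" ] || return 1
    awk -v want="[$section]" '
        { sub(/[ \t\r]+$/, "") }                  # drop trailing whitespace / CR
        /^\[/ { in_section = ($0 == want); next }  # section header: is it the wanted one?
        in_section && $1 ~ /^aws_access_key_id/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$file"
}

# credential_source [CREDENTIALS_FILE] [CONFIG_FILE]
# Prints the first source in the chain that supplies static credentials,
# or "instance-profile" when nothing earlier in the chain is populated.
credential_source() {
    creds_file=${1:-"$HOME/.aws/credentials"}
    config_file=${2:-"$HOME/.aws/config"}
    profile=${AWS_PROFILE:-default}
    # the config file names non-default profiles as [profile NAME]
    if [ "$profile" = default ]; then
        config_section=default
    else
        config_section="profile $profile"
    fi

    if [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
        echo environment
    elif profile_has_key "$creds_file" "$profile"; then
        echo credentials-file
    elif profile_has_key "$config_file" "$config_section"; then
        echo config-file
    else
        echo instance-profile
    fi
}

# diagnose
# Human-readable summary plus the follow-up commands from the answers above.
diagnose() {
    src=$(credential_source)
    echo "credential source that wins the chain: $src"
    case $src in
        environment)
            echo "AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY are set; unset them to fall through to the instance role" ;;
        credentials-file|config-file)
            echo "static keys found under profile '${AWS_PROFILE:-default}' (typically written by 'aws configure'); remove them so the instance role is used" ;;
        instance-profile)
            echo "no static credentials found; the instance role will be used" ;;
    esac
    echo "confirm with: aws sts get-caller-identity"
    echo "then:         aws secretsmanager list-secrets --region us-east-2"
}

# Run the diagnosis only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--diagnose" ]; then
    diagnose
fi
```

Run it on the instance as `sh check-creds.sh --diagnose`. If it reports anything other than `instance-profile`, the "security token included in the request is invalid" error is explained by stale static keys winning the chain, which is exactly the `aws configure` case the second answer describes; once those are cleared, the first answer's `aws sts get-caller-identity` should show the role's assumed-role ARN.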