I have a Lightsail instance with a very small Python script for testing. The script looks like:
import boto3
import json

# Region the secret lives in and the secret's full ARN (account and name elided).
region_name = "us-east-1"
secret_name = "arn:aws:secretsmanager:us-east-1:XXXXXX:XXXX"

# boto3 finds credentials on its own (environment, ~/.aws, then the instance role).
client = boto3.client(service_name='secretsmanager', region_name=region_name)

# This call needs secretsmanager:GetSecretValue on that ARN for whichever identity the credentials belong to.
response = client.get_secret_value(SecretId=secret_name)

# The secret was stored as a JSON string with a "Password" key.
secrets1 = json.loads(response['SecretString'])
print(secrets1['Password'])
When I run the above code, I get the following error:
An error occurred (AccessDeniedException) when calling the GetSecretValue operation: User: arn:aws:sts::XXXXXXXX:assumed-role/AmazonLightsailInstanceRole/XXXXXXX is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:us-east-1:XXXXXXXX:secret:XXXXXX because no resource-based policy allows the secretsmanager:GetSecretValue action
I have tried:
- creating a Lightsail role in IAM with "SecretsManagerReadWrite" policy attached. One problem with this approach is that I didn't see a Lightsail option when selecting an AWS Service, so I selected ec2.
- running the code as root user
- creating another IAM user with proper permissions (full access to Lightsail and SecretsManagerReadWrite)
- scouring several forums looking for answers. I find some cases that are similar to mine, but haven't found a solution I can use fully (although I have used bits and pieces with no luck).
None of the above worked (although I can't guarantee I put all the pieces together correctly).
So my question is: How can I access a secret in my Secrets Manager service and use it in my Python code in Lightsail?
This is all done within a single AWS account. I am very new to the AWS framework and am admittedly confused by the IAM roles and users and how I provision permission for a Lightsail instance to access Secrets Manager.
Thanks for any help.
You'll need to run
aws configure
and provide your credentials manually on the instance to make CLI calls. Lightsail resources are managed separately from other AWS resources and as a result have different credentials by default.
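As an added example (not part of the question or the answer above): the error message in the question shows the call being made as the Lightsail-managed instance role, and the answer's fix is to put an IAM user's access keys on the instance with aws configure. That puts long-lived keys on disk, so two things matter: the user should be allowed only secretsmanager:GetSecretValue on that one secret (not SecretsManagerReadWrite), and the credentials file should be readable only by the account that runs the script. The code below writes the same ~/.aws/credentials and ~/.aws/config files that aws configure writes, under a named profile and with mode 0600, generates the matching least-privilege policy, and shows the one-line change that makes the posted script use that profile. The profile name lightsail, the helper names, the secret ARN and the AWS documented example key pair are placeholders I chose; substitute the real values for a dedicated IAM user.

```python
import configparser
import json
import os
import stat
import tempfile

# Placeholders only: AWS's documented example key pair and a made-up secret ARN.
# Substitute the real values for a dedicated, least-privilege IAM user.
EXAMPLE_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
EXAMPLE_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
EXAMPLE_SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:MySecret-AbCdEf"


def least_privilege_policy(secret_arn):
    """IAM policy granting only GetSecretValue on one secret.

    Attach this to the IAM user whose keys live on the instance instead of
    SecretsManagerReadWrite, which allows reading and changing every secret.
    """
    if not secret_arn.startswith("arn:aws:secretsmanager:"):
        raise ValueError("expected a Secrets Manager secret ARN")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": secret_arn,
        }],
    }


def write_aws_profile(aws_dir, profile, access_key_id, secret_access_key, region):
    """Write what `aws configure --profile <profile>` writes: the profile's keys
    to <aws_dir>/credentials and its region to <aws_dir>/config. The
    credentials file is created with mode 0600 so other local users cannot
    read the long-lived keys. Returns the credentials file path."""
    os.makedirs(aws_dir, mode=0o700, exist_ok=True)

    creds_path = os.path.join(aws_dir, "credentials")
    creds = configparser.ConfigParser()
    creds.read(creds_path)  # keeps any profiles already present
    creds[profile] = {
        "aws_access_key_id": access_key_id,
        "aws_secret_access_key": secret_access_key,
    }
    # O_CREAT with 0600 covers a new file; the chmod covers a pre-existing one.
    fd = os.open(creds_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        creds.write(fh)
    os.chmod(creds_path, 0o600)

    config_path = os.path.join(aws_dir, "config")
    config = configparser.ConfigParser()
    config.read(config_path)
    # The config file names non-default profiles "[profile NAME]".
    section = "default" if profile == "default" else "profile " + profile
    config[section] = {"region": region}
    with open(config_path, "w") as fh:
        config.write(fh)
    return creds_path


def read_aws_profile(aws_dir, profile):
    """Return the keys stored for `profile`, plus the credentials file's mode."""
    creds_path = os.path.join(aws_dir, "credentials")
    creds = configparser.ConfigParser()
    creds.read(creds_path)
    result = dict(creds[profile])
    result["mode"] = stat.S_IMODE(os.stat(creds_path).st_mode)
    return result


def secrets_client(profile, region):
    """The client the posted script should use: boto3 reads the named profile
    from ~/.aws instead of the Lightsail instance role's credentials."""
    import boto3  # imported here so the file helpers above run without boto3
    session = boto3.session.Session(profile_name=profile, region_name=region)
    return session.client("secretsmanager")


def demo():
    """Write the files into a temporary directory (not the real ~/.aws) and
    return what was written so the result can be checked offline."""
    aws_dir = os.path.join(tempfile.mkdtemp(), ".aws")
    write_aws_profile(aws_dir, "lightsail", EXAMPLE_ACCESS_KEY_ID,
                      EXAMPLE_SECRET_ACCESS_KEY, "us-east-1")
    return {
        "profile": read_aws_profile(aws_dir, "lightsail"),
        "policy": json.dumps(least_privilege_policy(EXAMPLE_SECRET_ARN), indent=2),
    }


if __name__ == "__main__":
    out = demo()
    print("stored profile:", out["profile"])
    print("policy to attach to the IAM user:\n" + out["policy"])
```

Once the real keys are written into the real ~/.aws of the account that runs the script (pass os.path.expanduser("~/.aws") as aws_dir, or just run aws configure --profile lightsail), the only change to the posted script is replacing its boto3.client(...) line with client = secrets_client("lightsail", region_name); the get_secret_value call then runs as the IAM user, whose attached policy allows exactly that action on that ARN. The trade-off of this approach is that the keys are static: rotate them and delete the user if the instance is ever compromised or retired.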