Provision AWS Secrets Manager
Prerequisites
- Ascend Environment
- AWS Secrets Manager (or permission to create secrets)
- Ascend Project
Overview
Ascend Environments can securely access secrets stored in AWS Secrets Manager. This guide outlines the necessary steps to configure proper access between your Ascend Environment and AWS Secrets Manager.
Create IAM Policy for AWS Secrets Manager
Create an IAM policy that grants your Ascend Environment's IAM role permission to access secrets in AWS Secrets Manager:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret"
      ],
      "Resource": "arn:aws:secretsmanager:*:*:secret:<prefix>/*"
    },
    {
      "Effect": "Allow",
      "Action": "secretsmanager:ListSecrets",
      "Resource": "*"
    }
  ]
}
Replace <prefix> with a prefix for organizing secrets by environment or instance (e.g., "ascend-prod"). GetSecretValue and DescribeSecret are scoped to secrets under that prefix. ListSecrets does not support resource-level permissions, so it is granted in its own statement on "*"; it returns secret metadata only, never secret values.
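The following added example (not Ascend's code) builds the policy above for a given prefix and lets you check, before attaching it, that it allows reads under the prefix, denies everything else, and contains nothing broader than this guide needs. The matching is a deliberately simplified Allow-only evaluator, not an IAM simulator, and the secret ARNs used in the usage block are constructed sample values.

```python
"""Added example (not Ascend's code): build the prefix-scoped policy from this
guide and check what it does and does not allow before attaching it."""
import re

# Read-only actions this guide grants. Anything else in a candidate policy is flagged.
EXPECTED_ACTIONS = {
    "secretsmanager:GetSecretValue",
    "secretsmanager:DescribeSecret",
    "secretsmanager:ListSecrets",
}
# ListSecrets has no resource-level permissions, so it must be granted on "*".
ACCOUNT_WIDE_ACTIONS = {"secretsmanager:ListSecrets"}


def build_policy(prefix: str) -> dict:
    """Return the policy document from this guide for a given secret-name prefix."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
                "Resource": f"arn:aws:secretsmanager:*:*:secret:{prefix}/*",
            },
            {"Effect": "Allow", "Action": "secretsmanager:ListSecrets", "Resource": "*"},
        ],
    }


def _as_list(value) -> list:
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _iam_match(pattern: str, value: str) -> bool:
    """IAM wildcard matching: '*' matches any run of characters (including '/'),
    '?' matches exactly one. ARNs never contain backslashes, so re.escape is safe."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def policy_allows(policy: dict, action: str, resource: str) -> bool:
    """Does any Allow statement grant `action` on `resource`?
    Deny statements, Condition, NotAction and NotResource are out of scope:
    this is a pre-flight check on the document above, not an IAM simulator."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if any(_iam_match(a, action) for a in _as_list(stmt["Action"])) and any(
            _iam_match(r, resource) for r in _as_list(stmt["Resource"])
        ):
            return True
    return False


def audit_policy(policy: dict) -> list:
    """Flag grants broader than this guide needs: actions beyond read-only, every
    secret in the account, or a resource-scoped action granted on Resource '*'."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        actions = set(_as_list(stmt["Action"]))
        unexpected = sorted(a for a in actions if a not in EXPECTED_ACTIONS)
        if unexpected:
            findings.append(f"statement {i}: actions beyond read-only: {unexpected}")
        for res in _as_list(stmt["Resource"]):
            if res == "*" and actions - ACCOUNT_WIDE_ACTIONS:
                findings.append(f"statement {i}: Resource '*' for resource-scoped actions")
            elif res.endswith(":secret:*"):
                findings.append(f"statement {i}: {res} covers every secret in the account")
    return findings


if __name__ == "__main__":
    # Constructed sample ARNs; Secrets Manager appends a random suffix to the name.
    policy = build_policy("ascend-prod")
    ours = "arn:aws:secretsmanager:us-west-2:123456789012:secret:ascend-prod/db-password-AbCdEf"
    theirs = "arn:aws:secretsmanager:us-west-2:123456789012:secret:other-team/api-key-XyZ123"
    print("read own prefix:", policy_allows(policy, "secretsmanager:GetSecretValue", ours))
    print("read other prefix:", policy_allows(policy, "secretsmanager:GetSecretValue", theirs))
    print("write own prefix:", policy_allows(policy, "secretsmanager:PutSecretValue", ours))
    print("audit findings:", audit_policy(policy))
```

Run it against the JSON you are about to attach (load it with `json.load` and pass the dict to `audit_policy`); an empty findings list and a `False` for the other-team ARN are what you want to see before `attach-role-policy`.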
Attach IAM Policy to Your IAM Role
Attach the policy to the IAM role associated with your Ascend Environment:
aws iam attach-role-policy \
  --role-name <ascend-role-name> \
  --policy-arn <policy-arn>
Where:
- <ascend-role-name> is the name of the IAM role associated with your Ascend Environment
- <policy-arn> is the ARN of the policy you created in the previous step
Configure the Vault in your Ascend Project
Create the following YAML file in the vaults/ directory of your Ascend Project:
vault:
  aws_secrets_manager:
    region: us-west-2
    auth:
      role_arn: arn:aws:iam::123456789012:role/MyRole
Where:
- <region> is your AWS region (e.g., "us-west-2")
- <auth> is the authentication method for accessing AWS Secrets Manager (options: "environment", "instance", "role_arn")
- <role_arn> is the Amazon Resource Name (ARN) of the IAM role to assume when accessing AWS Secrets Manager (required when auth is "role_arn")
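As an added example (not Ascend's code), the check below encodes the rules just listed so a vault definition can be validated before it is committed: the region must look like an AWS region identifier, `auth` must name exactly one of the three methods, and `role_arn` must be present and be a well-formed IAM role ARN when that method is chosen. It works on the parsed dictionary rather than the YAML text so it needs no YAML library; the sample configuration is the page's YAML as it parses, and the assumed shape is the one shown above (`auth` is a mapping whose single key names the method), with the flat form `auth: role_arn` plus a sibling `role_arn` key also accepted.

```python
"""Added example (not Ascend's code): check a parsed vault definition against the
rules stated in this guide before committing it to vaults/."""
import re

VALID_AUTH_METHODS = {"environment", "instance", "role_arn"}
# IAM role ARN: partition (aws, aws-cn, aws-us-gov), 12-digit account, optional path.
ROLE_ARN_RE = re.compile(r"^arn:aws(?:-[a-z]+)?:iam::\d{12}:role/[\w+=,.@/-]+$")
# Region identifiers such as us-west-2, eu-central-1, us-gov-west-1.
REGION_RE = re.compile(r"^[a-z]{2}(?:-gov|-iso[a-z]?)?-[a-z]+-\d$")

# Constructed sample: the YAML from this guide as it parses into Python.
SAMPLE_CONFIG = {
    "vault": {
        "aws_secrets_manager": {
            "region": "us-west-2",
            "auth": {"role_arn": "arn:aws:iam::123456789012:role/MyRole"},
        }
    }
}


def validate_vault_config(config: dict) -> list:
    """Return a list of problems; an empty list means the definition is acceptable.

    Assumed shape (from this guide): `auth` is a mapping whose single key names
    the method. The flat form `auth: role_arn` with `role_arn` as a sibling key is
    also accepted, since the guide's prose reads that way."""
    problems = []
    asm = config.get("vault", {}).get("aws_secrets_manager")
    if not isinstance(asm, dict):
        return ["vault.aws_secrets_manager block is missing"]

    region = asm.get("region")
    if not isinstance(region, str) or not REGION_RE.match(region):
        problems.append(f"region {region!r} is not a valid AWS region identifier")

    auth = asm.get("auth")
    if isinstance(auth, str):
        # Flat form: the ARN, if any, lives beside `auth` rather than under it.
        auth = {auth: asm.get("role_arn")}
    if not isinstance(auth, dict) or len(auth) != 1:
        problems.append("auth must name exactly one method: environment, instance or role_arn")
        return problems

    (method, value), = auth.items()
    if method not in VALID_AUTH_METHODS:
        problems.append(f"unknown auth method {method!r}")
    elif method == "role_arn":
        if not value:
            problems.append("role_arn is required when auth is role_arn")
        elif not ROLE_ARN_RE.match(str(value)):
            problems.append(f"role_arn {value!r} is not an IAM role ARN")
    return problems


if __name__ == "__main__":
    print("sample config problems:", validate_vault_config(SAMPLE_CONFIG))
```

A non-empty list is a reason to stop before the file reaches `vaults/`; the most common slip this catches is choosing `role_arn` as the method and forgetting the ARN, which the guide marks as required.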
You can now reference secrets from AWS Secrets Manager in your Ascend Components using the following syntax:
component:
  configuration:
    api_key: ${vaults.ascend_aws_vault.<secret_name>}
Replace <secret_name> with the actual name of the secret stored in AWS Secrets Manager.