SecretsManager Configuration on EC2

Objective

If you are configuring the VoiceWorx platform on the AWS environment (EC2 instance), this document will help you to configure Secrets Manager in your AWS account.

Introduction

The VoiceWorx application needs to use certain confidential information like credentials which are by default stored into web.config file, however Voiceworx gives an option to store them at a more secure place like AWS secrets manager and this document guides you to configure it.

This should be done before the VoiceWorx application is installed on the EC2 instance.

Pre-requisites

AWS Account with administrative access.
Remote access to the EC2 Instance (Microsoft Windows)

Steps

Create and assign IAM Role for the EC2 instance

The voiceworx application uses certain AWS resources and as a best practice, instead of using credentials, it’s recommended to assign required permission to the EC2 instance via an IAM role.

Create a policy with required permissions

Login to the AWS console and navigate to the Identity and Access Management (IAM) and choose Policies – as shown in the below screenshot.

Once clicked, you will be on the Policies dashboard and should see an option/button to Create Policy – as shown in the below screenshot. Click on it.

Now, you are on create policy interface. There should be two options, Visual Editor and JSON. Click on JSON and you should see an interface as shown below.

In the JSON editor, copy and paste the following code.

{

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Allow",

"Action": "s3:*",

"Resource": "*"

{

"Action": "elasticache:*",

"Effect": "Allow",

"Resource": "*"

{

"Action": "iam:CreateServiceLinkedRole",

"Effect": "Allow",

"Resource": "arn:aws:iam::*:role/aws-service-role/elasticache.amazonaws.com/AWSServiceRoleForElastiCache",

"Condition": {

"StringLike": {

"iam:AWSServiceName": "elasticache.amazonaws.com"

}

{

"Action": [

"secretsmanager:*",

"kms:*",

"lambda:ListFunctions",

"rds:DescribeDBClusters",

"rds:DescribeDBInstances",

"redshift:DescribeClusters",

"tag:GetResources"

"Effect": "Allow",

"Resource": "*"

{

"Action": [

"lambda:*"

"Effect": "Allow",

"Resource": "arn:aws:lambda:*:*:function:SecretsManager*"

{

"Action": [

"serverlessrepo:CreateCloudFormationChangeSet",

"serverlessrepo:GetApplication"

"Effect": "Allow",

"Resource": "arn:aws:serverlessrepo:*:*:applications/SecretsManager*"

}

]

}

Once entered, click on the Next button.

Click on next until you see a Review policy screen as shown below.

Enter the name and optional Description and click on Create Policy button and policy is ready to use.

Note that in this policy, we are giving permissions to the S3, ElastiCache and Secrets Manager. If you notice any additional service like Lambda, then it’s selected as it’s a dependant service and permission is required.

Create a Role

To create a role, navigate to the Identity and access Management (IAM) > Roles.

Click on the create role button.

As shown in the below screenshot,

Select type of trusted entity = AWS Service.

Choose a use case = EC2.

And then click on Next button

Once you click on next, you need to select a policy.

Search for the policy that you have already created in the previous step and select it.

click on next till you get review screen.

Enter the name and optional description and click on the Create role button and Role should get created.

Assign a Role to the EC2 instance

Go to the EC2 dashboard, select the EC2 instance that is going to run VoiceWorx platform and click on Actions menu > Security > Modify IAM Role as shown in the below screenshot.

Select the role that we have created in the previous step and click on the Save button

Click on save and the role should be assigned to the selected EC2 instance.