Configure a Role to Assume on Behalf of a User
Applies to: Alation Cloud Service instances and customer-managed instances of Alation.
Use the information in this topic to integrate your Alation instance with AWS Secrets Manager by configuring a role that Alation assumes on behalf of an IAM user.
Note
To see other options for integrating with AWS Secrets Manager, see Integration with AWS Secrets Manager for Data Source Authentication Using OCF Connector.
Step 1: Create a Security Policy to Access Secrets Manager
This step is performed in the AWS IAM console
For the AWS Secrets Manager integration, you'll need an AWS IAM policy granting access to AWS Secrets Manager. Here and below, the substitute name read_secrets_policy is used to refer to this policy.
If you haven't established a read_secrets_policy yet, create one:
Log in to the AWS IAM management console.
From the left-hand menu, under Access management, select Policies.
Click Create policy. The policy editor will open.
Under Select a service, type secrets in the search bar and select Secrets Manager. This will display actions relevant to the service.
Under Actions allowed, expand the Read list and select the checkbox for the action GetSecretValue.
Under Resources, select All.
Note
You can restrict the permissions by providing access to specific resources only:
Instead of All, select Specific.
Click Add ARNs to specify the resources by entering the resource’s region, ARN (Amazon Resource Name), and secret.
You can adjust the resource permissions anytime by editing this policy.
Click Next. The Review and create screen will open.
Under Policy details, in the Policy name field, provide a meaningful name.
Review the details, and click Create policy to create the policy. It will be added to the list of policies under your AWS account. Your policy JSON will look similar to the following:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "*"
    }
  ]
}
Step 2: Create an AWS IAM Role for the User to Assume
This step is performed in the AWS IAM console
Now that you've created an IAM policy for accessing AWS Secrets Manager, you need to create an AWS IAM role and attach the policy to it. Here and below, the substitute name read_secrets_role is used to refer to this role.
If you haven't established a read_secrets_role yet, create one:
From the left-hand menu, under Access management, select Roles.
Click Create role. The role editor will open.
Leave AWS service as the Trusted entity type (default) and select EC2 as the Use case.
Click Next. The Add permissions screen will open.
Under Permissions policies, search for the policy you created to allow reading secrets from Secrets Manager. When found, select the checkbox of this policy in the policies table.
Click Next. The Name, review, and create screen will open.
In the Role name field, provide a meaningful name. We'll use read_secrets_role as an example. In the Description field, provide a description.
Review the role information and click Create role to create the role. It will be added to the list of roles under your AWS account. This role will be assumed by the instance profile to access Secrets Manager from Alation.
Open the properties of the read_secrets_role. Under Summary, locate its ARN. Save the ARN for future reference.
Step 3: Establish an IAM User Account to Access Secrets Manager
This step is performed in the AWS IAM console
You'll need:
The ARN of the read_secrets_role (Step 2: Create an AWS IAM Role for the User to Assume)
To establish an IAM user to access Secrets Manager:
In the AWS user interface, open the IAM console (IAM dashboard).
In the left menu, under Access Management, select Users.
Select the user for whom you want to create access keys, or create a dedicated user for Alation.
Ensure that the IAM user has permission to assume roles. It should have a permission policy that includes lines such as the following:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "*"
    }
  ]
}
The Resource field must be populated with the Amazon Resource Name (ARN) of the desired role or a wildcard such as *, which provides the ability to assume any role. For detailed steps on creating users, refer to Creating an IAM user in your AWS account in AWS documentation. For example, the following screenshot shows a user with the permission policy AssumeAllRoles, containing the code shown above, that allows it to perform AssumeRole on any role.
Open the Security credentials tab of the user's page and locate the Access keys section. Click Create access key in this section.
Create an access key ID and a secret access key. See Managing access keys for IAM users - AWS Identity and Access Management for more details.
Save the user’s access key, secret access key, and ARN for future reference.
Step 4: Define a Trust Relationship on the IAM Role to be Assumed
This step is performed in the AWS IAM console
You'll need:
The ARN of the IAM user (Step 3: Establish an IAM User Account to Access Secrets Manager)
Define a trust relationship between the read_secrets_role and the user by adding a trust relationship:
In the IAM console, open the properties of the read_secrets_role. Click Trust Relationships and then click Edit trust policy.
Click the Add button beside Add a principal.
Click the Principal type dropdown and select IAM users.
Enter the ARN of the IAM user in the ARN field, and then click Add principal:
Click the Add button beside Add a condition.
In the dialog that appears, click the dropdown button under Condition key and type externalId in the search box that appears.
Select the result sts:ExternalId.
Click the dropdown button under Operator and select StringEquals from the choices offered.
Under Value, enter a unique ID. AWS suggests using one external ID per AWS account, with a randomly generated external ID.
Click Add condition.
Click Update policy. You will see a confirmation that the trust policy has been successfully updated.
Save the value of the Maximum session length of the read_secrets_role, located on the role properties page under the ARN. You will need it in the steps that follow. If you want to adjust this value before using the role in Alation, refer to Modifying a role maximum session duration (console) in AWS documentation.
Step 5: Create an Authentication Profile
This step is performed in Alation
You'll need:
The access key and secret access key of the IAM user (Step 3: Establish an IAM User Account to Access Secrets Manager)
The ARN of the read_secrets_role (Step 2: Create an AWS IAM Role for the User to Assume)
The external ID you've specified as a condition on the read_secrets_role (Step 4: Define a Trust Relationship on the IAM Role to be Assumed)
The Maximum session length value of the read_secrets_role. You can find this value on the role properties page, in the Summary section under the ARN.
To create an authentication profile:
Log in to your Alation instance as a Server Admin.
Click the Admin Settings gear icon on top right to open the Admin Settings page.
Click Authentication to open the Authentication tab. Locate the section Authentication Configuration Methods for External Systems.
In 2024.1.4 and later, for Alation Cloud Service instances on the cloud-native architecture, find the See configurations for drop-down menu and ensure that Alation Cloud Service is selected.
Click Add Configuration, and then select AWS Secrets Manager as the method type. If you’re creating a configuration for an Alation Agent, the only option is AWS Secrets Manager. The Authentication Configuration Method page will open in a new browser tab.
In Config Name, enter a unique name for the configuration. Save it for future reference when configuring the data source.
Under Region, select the appropriate AWS region for the Secrets Manager service (the region under which your secrets are stored).
Under Authentication Type, select IAM Role (or the option iam_role on versions older than 2024.1.1). A number of fields will appear.
Under AWS Access Key, enter the AWS access key of the IAM user.
Under AWS Secret Key, enter the AWS secret access key associated with the IAM user’s access key.
Under Role ARN, enter the ARN of the read_secrets_role.
Under External ID, enter the external ID you specified as a condition for the read_secrets_role.
Under STS Duration, enter a value in seconds greater than 900 and less than the maximum session duration specified for your read_secrets_role.
Click Save. Alation attempts to create a connection, and if the connection is successful, the configuration is saved.
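As an added example, not part of the Alation documentation, the following Python builds the trust policy document that the Step 4 console steps produce, lints an existing trust policy for the two properties that step establishes (a specific IAM user principal and an sts:ExternalId condition), and checks the STS Duration rule from Step 5. The user ARN and external ID are constructed placeholders.

```python
import json

# Constructed placeholder values for this example; substitute your own.
USER_ARN = "arn:aws:iam::123456789012:user/alation-secrets-reader"
EXTERNAL_ID = "replace-with-a-randomly-generated-external-id"


def build_trust_policy(user_arn: str, external_id: str) -> dict:
    """Trust policy equivalent to the console clicks in Step 4: only this IAM
    user may assume the role, and only when it presents the external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": user_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_problems(policy: dict) -> list:
    """Lint a role trust policy; an empty list means every AssumeRole grant
    names a specific principal and requires an external ID."""
    problems = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", principal) if isinstance(principal, dict) else principal
        for p in (aws if isinstance(aws, list) else [aws]):
            # "*" or an account root principal is broader than one IAM user
            if p == "*" or str(p).endswith(":root"):
                problems.append("principal is not a specific IAM user")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if not cond.get("sts:ExternalId"):
            problems.append("missing StringEquals sts:ExternalId condition")
    return problems


def sts_duration_ok(seconds: int, role_max_seconds: int) -> bool:
    """Step 5 rule: STS Duration must be greater than 900 seconds and less
    than the role's Maximum session duration saved in Step 4."""
    return 900 < seconds < role_max_seconds


if __name__ == "__main__":
    print(json.dumps(build_trust_policy(USER_ARN, EXTERNAL_ID), indent=2))
```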
Now, you can use your integration with an OCF connector. See next: Configure Authentication with AWS Secrets Manager in Data Source Settings.