I've read a lot about how to use SecretsManager and AWS Credentials properly to access my secrets via an attached instance role and a profile in /.aws/credentials containing my AWS credentials. But now I'm stuck at how I do all of this on the startup of a new instance using a launch template. I want to do everything on the startup of an instance, so I want to be able to retrieve my secrets using the IAM role that has access to SecretsManager when my instance is launching. I assumed I would do this in the "User Data" area. However to get the /.aws/credentials file I need to manually insert that data in CLI when it prompts me using the command "aws configure".
How would I go about doing all of this automatically? I'm by the way not certain at all that I'm doing this right as I've tried to accumulate a lot of different tutorials, AWS docs and findings on stackoverflow.
I'm trying to get the secrets from my SecretsManager in PHP and this is the function I'm trying to use; right now I'm met with the "cannot find ~/.aws/credentials" error because my launch template isn't creating it on its own.
    <?php
    require __DIR__ . '/vendor/autoload.php';

    use Aws\SecretsManager\SecretsManagerClient;
    use Aws\Exception\AwsException;

    function getSecret(string $secret_name): array
    {
        $client = new SecretsManagerClient([
            'profile' => 'default',   // forces the SDK to read ~/.aws/credentials
            'version' => '2017-10-17',
            'region'  => 'eu-central-1',
        ]);

        try {
            $result = $client->getSecretValue([
                'SecretId' => $secret_name,
            ]);
        } catch (AwsException $e) {
            $error = $e->getAwsErrorCode();
            if ($error == 'DecryptionFailureException') {
                // Secrets Manager can't decrypt the protected secret text using the provided AWS KMS key.
                // Handle the exception here, and/or rethrow as needed.
                throw $e;
            }
            if ($error == 'InternalServiceErrorException') {
                // An error occurred on the server side.
                // Handle the exception here, and/or rethrow as needed.
                throw $e;
            }
            if ($error == 'InvalidParameterException') {
                // You provided an invalid value for a parameter.
                // Handle the exception here, and/or rethrow as needed.
                throw $e;
            }
            if ($error == 'InvalidRequestException') {
                // You provided a parameter value that is not valid for the current state of the resource.
                // Handle the exception here, and/or rethrow as needed.
                throw $e;
            }
            if ($error == 'ResourceNotFoundException') {
                // We can't find the resource that you asked for.
                // Handle the exception here, and/or rethrow as needed.
                throw $e;
            }
            // Any other error code is rethrown unchanged.
            throw $e;
        }

        // Decrypts secret using the associated KMS CMK.
        // Depending on whether the secret is a string or binary, one of these fields will be populated.
        if (isset($result['SecretString'])) {
            $secret = $result['SecretString'];
        } else {
            $secret = base64_decode($result['SecretBinary']);
        }
        return json_decode($secret, true);
    }
Found the answer here. Literally a much better explanation of how the AWS SDK credentials for PHP work, than the AWS SDK documentation itself.
https://stackoverflow.com/a/51525021/4080920
Basically I was using the IAM role attached to my EC2 instance, and using:
CredentialProvider::defaultProvider();
which literally finds the credentials from the IAM role automatically, as said by the original answer. This is definitely not information that is understandable from AWS's own documentation; have a read for yourself and see if you get the same understanding from that.
Otherwise what the original answer states above is what's actually true.
https://docs.aws.amazon.com/sdk-for-php/v3/developer-guide/guide_credentials_provider.html
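The corrected client construction the answer describes, as an added example (this is not code from the question or from the linked answer). It assumes the AWS SDK for PHP v3 installed via Composer; the region and the secret name are placeholders.

```php
<?php
// Added example: read a secret on an EC2 instance using only the attached
// IAM role. No ~/.aws/credentials file and no 'profile' key are needed; the
// default provider chain falls through to the instance-profile provider,
// which fetches temporary credentials from the instance metadata service.
require __DIR__ . '/vendor/autoload.php';

use Aws\Credentials\CredentialProvider;
use Aws\Exception\AwsException;
use Aws\SecretsManager\SecretsManagerClient;

function buildSecretsClient(string $region): SecretsManagerClient
{
    // memoize() caches the resolved credentials so repeated calls do not
    // hit the metadata service again; expired credentials are refreshed.
    $provider = CredentialProvider::memoize(CredentialProvider::defaultProvider());

    return new SecretsManagerClient([
        'version'     => '2017-10-17',
        'region'      => $region,
        'credentials' => $provider,   // no 'profile' => 'default' here
    ]);
}

function fetchSecret(SecretsManagerClient $client, string $secretId): array
{
    try {
        $result = $client->getSecretValue(['SecretId' => $secretId]);
    } catch (AwsException $e) {
        // AccessDeniedException here means the instance role is missing
        // secretsmanager:GetSecretValue (or kms:Decrypt) for this secret.
        error_log('Secrets Manager error: ' . $e->getAwsErrorCode());
        throw $e;
    }

    // Either SecretString or SecretBinary is populated, never both.
    $raw = isset($result['SecretString'])
        ? $result['SecretString']
        : base64_decode($result['SecretBinary']);

    $data = json_decode($raw, true);
    if (!is_array($data)) {
        throw new RuntimeException('Secret is not a JSON object');
    }
    return $data;
}

// Usage (placeholder region and secret name):
$client  = buildSecretsClient('eu-central-1');
$dbCreds = fetchSecret($client, 'prod/app/database');
```

Because the credentials come from the instance role at runtime, the launch template's user data only needs to install the application; nothing credential-related has to be written to disk.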