Configure access to Amazon Secrets Manager

This page provides instructions for configuring access to an individual secret in the Amazon Secrets Manager for your Anyscale workloads.

Anyscale recommends configuring access to Amazon Secrets Manager for all Anyscale clouds on AWS. Anyscale recommends that you have dedicated secrets for each cloud deployment in your organization.

All configuration occurs in the AWS account tied to your Anyscale cloud. You must have sufficient permissions in your AWS cloud to view resources and modify IAM roles. Contact your AWS account administrator if you don't have adequate permissions.

Step 1: Locate the ARN for your secret

Using the AWS console, log in to your account and locate the Amazon Resource Name (ARN) for your secret. The ARN has the following format, where <secret-name> is the name of the secret and <random-chars> is a string of six random characters generated by Secrets Manager:

arn:aws:secretsmanager:REGION:ACCOUNT_ID:secret:<secret-name>-<random-chars>

Step 2: Determine the IAM role your cluster uses

You configure the default IAM role for all clusters in a cloud during cloud deployment. See 3. Create an Anyscale Cloud.

The IAM role you use depends on the following:

  • Anyscale configures a default cloud-specific IAM role if you use the easy cloud deployment flow.
  • If you deployed your cloud by registering your own resources, you configured a custom IAM role.
  • Anyscale cloud owners can configure additional IAM mapping. See Anyscale Cloud IAM mapping (Developer Preview).

Step 3: Grant the IAM role access to the secret

The IAM role associated with Anyscale must have the appropriate IAM policy to read your secret. To grant access, complete the following:

  1. In the AWS console, go to the IAM > Roles console.
  2. Search for your cluster's role, and select it.
  3. Add an inline policy to the role, which grants read access to the secret.
    1. In the Permissions tab, select Add permission and then Create inline policy.

    2. Select the JSON tab.

    3. Add the following policy document to your IAM role, replacing <secret-arn> with the ARN of your secret from Step 1. The document declares the current policy language version and grants only GetSecretValue on that one secret:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "SecretsManagerGetSecretValue",
            "Effect": "Allow",
            "Action": ["secretsmanager:GetSecretValue"],
            "Resource": ["<secret-arn>"]
          }
        ]
      }
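To check the policy from Step 3 before attaching it, here is an added Python example (not Anyscale's or AWS's code) that builds the statement for a secret ARN and then verifies, with IAM-style wildcard matching, that it grants GetSecretValue on that one secret and on no other secret in a constructed inventory. The ARNs, account id, suffixes and helper names are constructed for illustration.

```python
import fnmatch
import json
import re

# ARN format from Step 1: arn:aws:secretsmanager:REGION:ACCOUNT_ID:secret:<secret-name>-<random-chars>
SECRET_ARN_RE = re.compile(
    r"^arn:aws:secretsmanager:(?P<region>[a-z0-9-]+):(?P<account>\d{12})"
    r":secret:(?P<name>.+)-(?P<suffix>[A-Za-z0-9]{6})$"
)

def parse_secret_arn(arn: str) -> dict:
    """Validate a Secrets Manager ARN and split it into its parts."""
    m = SECRET_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not a Secrets Manager secret ARN: {arn}")
    return m.groupdict()

def build_inline_policy(secret_arn: str) -> dict:
    """The read-only statement from Step 3, scoped to exactly one secret."""
    parse_secret_arn(secret_arn)  # fail early on a malformed ARN
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "SecretsManagerGetSecretValue", "Effect": "Allow",
        "Action": ["secretsmanager:GetSecretValue"], "Resource": [secret_arn]}]}

def _as_list(v):
    return [v] if isinstance(v, str) else list(v)

def secrets_readable(policy: dict, account_secret_arns: list) -> list:
    """Which of the given secret ARNs does this policy allow GetSecretValue on?
    Mimics IAM matching ('*'/'?' wildcards, actions case-insensitive, ARNs
    case-sensitive) for Allow statements only; Deny and Condition are not modelled."""
    allowed = []
    for arn in account_secret_arns:
        for stmt in policy["Statement"]:
            acts = [a.lower() for a in _as_list(stmt["Action"])]
            if stmt["Effect"] != "Allow" or not any(
                    fnmatch.fnmatchcase("secretsmanager:getsecretvalue", a) for a in acts):
                continue
            if any(fnmatch.fnmatchcase(arn, r) for r in _as_list(stmt["Resource"])):
                allowed.append(arn)
                break
    return allowed

if __name__ == "__main__":
    # Constructed sample ARNs: account id and suffixes are placeholders, not real secrets.
    target = "arn:aws:secretsmanager:us-west-2:123456789012:secret:prod/db-AbCdEf"
    inventory = [target,
                 "arn:aws:secretsmanager:us-west-2:123456789012:secret:prod/db-backup-GhIjKl",
                 "arn:aws:secretsmanager:us-west-2:123456789012:secret:staging/db-MnOpQr"]
    print(json.dumps(build_inline_policy(target), indent=2))
    print("readable:", secrets_readable(build_inline_policy(target), inventory))  # only target
```

The generated document is still attached in the console as above (or with `aws iam put-role-policy --policy-document file://policy.json`); the scope check matters because a Resource such as `...:secret:prod/db-*` would also match `prod/db-backup-...`, whereas the exact ARN, or the `-??????` suffix pattern, matches only the intended secret.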
Important

Secrets Manager evaluates both the identity-based policy on the IAM role and the resource-based policy attached to the secret, so granting access on one side is not always enough. You might need to modify the resource-based policy of your secret to grant read permission to the IAM role that Anyscale uses. See the following pages for more details:

See Use secrets on Anyscale.