Assume you have created an AWS Secrets Manager secret called S1 and an AWS Elastic Beanstalk application called A1. You now need to:
- Create an IAM Policy called P1 that enables access to S1.
- Attach policy P1 to the role aws-elasticbeanstalk-service-role.
- Attach policy P1 to the role aws-elasticbeanstalk-ec2-role.
Once this is done, restart your application A1 and it will have access to the S1 secret, its keys and their values.
Since Incident Response needs to store its data in AWS SimpleDB, I extended the P1 policy to include all access to any AWS SimpleDB domain, but this did not work. I had to restrict access to a specific domain's ARN. What bothers me about this is that I have now specified the specific domain in two places: in P1 and as the value of the S1 secret key "aws.simpledb.domain". Perhaps there is a way I can read the domain from the policy; an exploration for another day.
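The P1 policy from the steps above, as an added example (not code from the original post): one statement scoped to the S1 secret's ARN and one scoped to the specific SimpleDB domain ARN that the author found was needed, plus a check that no Allow statement falls back to a wildcard resource. The ARNs, the action list and the role names beyond the two named in the post are constructed assumptions; replace them with your own.

```python
import json

# Constructed placeholder ARNs; substitute the real ARN shown for S1 in the
# Secrets Manager console and your own SimpleDB domain ARN.
S1_SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:S1-AbCdEf"
SDB_DOMAIN_ARN = "arn:aws:sdb:us-east-1:123456789012:domain/incident-response"

# The two Elastic Beanstalk roles P1 is attached to (from the steps above).
EB_ROLES = ("aws-elasticbeanstalk-service-role", "aws-elasticbeanstalk-ec2-role")


def build_p1_policy(secret_arn: str, domain_arn: str) -> dict:
    """P1 policy document: read one secret, use one SimpleDB domain (assumed action set)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadS1Secret", "Effect": "Allow",
             "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
             "Resource": secret_arn},
            {"Sid": "UseIncidentResponseDomain", "Effect": "Allow",
             "Action": ["sdb:GetAttributes", "sdb:PutAttributes", "sdb:Select",
                        "sdb:DeleteAttributes", "sdb:DomainMetadata"],
             "Resource": domain_arn},
        ],
    }


def wildcard_resources(policy: dict) -> list:
    """Sids of Allow statements whose Resource is '*' or ends in ':*' or '/*',
    i.e. statements not pinned to a concrete ARN."""
    flagged = []
    for stmt in policy["Statement"]:
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        loose = any(r == "*" or r.endswith(":*") or r.endswith("/*") for r in resources)
        if stmt["Effect"] == "Allow" and loose:
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


def attach_commands(policy_arn: str) -> list:
    """AWS CLI commands attaching P1 to both Elastic Beanstalk roles."""
    return [f"aws iam attach-role-policy --role-name {role} --policy-arn {policy_arn}"
            for role in EB_ROLES]


if __name__ == "__main__":
    policy = build_p1_policy(S1_SECRET_ARN, SDB_DOMAIN_ARN)
    assert not wildcard_resources(policy), "P1 must name explicit ARNs"
    print(json.dumps(policy, indent=2))  # save as p1.json for the create-policy call
    print("aws iam create-policy --policy-name P1 --policy-document file://p1.json")
    for cmd in attach_commands("arn:aws:iam::123456789012:policy/P1"):  # placeholder ARN
        print(cmd)
```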