Create IAM Role for EC2 Instance: To ensure that only specific instances can access the KMS key holding the access key pair, create a new IAM role with KMS access for each EC2 instance.

Below are the steps to create a new IAM role for an EC2 instance to give access to KMS.

In case you already have an existing IAM role attached to an EC2 instance(this can be verified on the instance's detail page), you can edit that IAM role to include the KMS permission as in step 2.

Assign Roles to Multiple Instances: If you're running multiple EC2 instances with the PrimeVault's application, ensure that each instance has the appropriate IAM role with KMS access either by editing the existing roles or assigning new roles accordingly.

Go to Identity and Access Management (IAM) -> Roles -> Create Role

Assign the default KMS permission to the role and review and then create the role.

Step 3: Assign the created IAM role to the EC2 instance(s).

Assign IAM Role: Apply the newly created IAM role to each EC2 instance running the PrimeVault application.

Handling Existing IAM Roles: If you updated an existing IAM role in previous steps, no further action is required in this section. You can skip steps 1, 2 and 3 below and move to next section.

Multiple EC2 Instances: If you operate multiple EC2 instances with the PrimeVault client, ensure the new IAM role is assigned to each instance to enable proper functionality.

Setting up IAM Role for EC2 Instance

Assign the created IAM role to the EC2 instance.

Setting up API user on EC2

Setting up API user on EKS

Creating a KMS key from the UI

Setting up API user for AWS

PrimeVault

PrimeVault API Docs

Introduction