AWS Secrets Manager Integration

AWS Secrets Manager is a managed service from Amazon Web Services (AWS) that helps securely store, manage, and retrieve secrets. Secret manager supports remote access to their vaults, which we use for this integration.

See External Secrets for more on the general topic of Secret Server and external vaults.

Creating a Credential Secret

Step One: In AWS, Create a User and Access Keys

  1. Go To IAM Dashboard.
  2. Click Users in the left menu under Access management. The Users page appears.
  1. Click the Create User button. The Specify User Details page of the Create User wizard appears.
  2. Type the user name in the User Name text box.
  3. Click the Next button. The Set Permissions page appears.
  4. Next, you create a new group for the user or add the user to an existing one. Click the desired existing group or click the Create Group button to create one. To create a new group, see Creating an AWS Group in IAM Dashboard.
  5. Returning to the Set Permissions page, click to select the check box next to the group you want to add the user to.
  6. Click the Next button. The Review and Create page appears.
  7. Ensure the user details are correct.
  8. Click the Create User button. The new user appears in the table.
  9. Click on the new user name in the table. That user's details page appears.
  10. In the Summary section, on the right, click the Create Access Key link. The Create Access Key page appears.
  11. Click to select the Use Case Third-Party Service selection button.
  12. Click the Next button. The Set Description Tag - Optional page appears.
  13. Type Secret Server External Vault Integration in the Description Tag Value text box.
  14. Click the Create Access Key button. The new key is created, and the Retrieve Access Keys page appears. You will see an access key and secret access key. These, along with the username will be needed in Secret Server. Record the values.

Step Two: In Secret Server, Create a Secret

  1. Go to the All Secrets page.
  2. Click the Create Secret button. The Create New Secret page appears.
  3. Click the Choose a Secret Template list and select Amazon IAM Key.
  4. Click the Create Secret button. The Create New Secrets (details) page appears.
  5. Fill in the text boxes with asterisks for the username, access key, and secret access key using the recorded values from the last step.
  6. Type any name you wish in the Secret Name text box.
  7. Once again, click the Create Secret button. The new secret appears in the All Secrets list.
  1. Return to the secrets menu and click External Secrets. A page of the same name appears.
  2. Click to select the Enabled check box if you want to push changes to the vault. Leave it unchecked if you do not want to push changes to it.
  3. Click the Create button. The Create External Vault Link page appears.
  4. Select AWS Secret Manager in the Type dropdown list.
  5. Click the link for the secret you created.
  6. If you are using the automatic list feature for external vaults:
    1. You are automatically presented all available vaults for your AWS subscriptions, and Input type is set to Automatic List. Once the AWS key vault account connects, a green Connected indicator appears at the top of the page.
    2. Click to select the check boxes for the desired vaults.
  7. If you are not using the automatic list feature:
    1. Set Input Type to Manual Entry.
    2. Type the name of the AWS key vault you want to connect with in the Name text box. The name must exactly match the name of the key vault.
  8. Type your name for the external vault in the Display Name text box.
  9. Once you have the correct region, click the Save button.

Creating an AWS Group in IAM Dashboard

  1. Return to IAM Dashboard.
  2. Click User Groups in the Access Management group in the menu on the left. The User Groups page appears.
  3. Click the Create Group button. The Name the Group page appears.
  4. Type a name in the User Group Name text box.
  5. Add the credential secret if needed.
  6. Add needed permission policies. The included, default SecretsManagerReadWrite policy in the Attach Permissions Policies table should suffice. If not, add other policies via the search text box in the same section. See Creating Custom AWS Policies for details.
  7. Click the Create User Group Button.

Creating Custom AWS Policies

  1. Go To IAM Dashboard.

  2. Click Policies in the left menu under Access management. The Policies page appears.

  3. Click Create Policy. Specify Permissions appears.

  4. Click the Filter by Type dropdown list and select Secrets Manager. The Secrets Manager section appears.

  5. Select Actions Allowed to view that section. The Access Levels appear.

  6. In the List section, click to select the List Secrets checkbox.

  7. In the Read section, click to select:

    • DescribeSecret
    • GetSecretValue
    • ListSecretVersionIds

  8. In the Write section, click to select:

    • CreateSecret
    • PutSecretValue
    • UpdateSecretVersionStage

  9. Click the expand the Resources section.

  10. Click to select the All selection button. This allows you to manage all secrets in AWS. For a smaller subset, select Specific and scope it to what secrets you want to access.

  11. Click the Next button at the bottom. The Review and Create page appears.

  12. Complete the remaining policy details.

  13. Click the Create Policy button.