---
title: "AWS Secret Manager"
slug: "aws-secret-manager"
updated: 2025-10-27T14:56:17Z
published: 2025-10-27T14:56:17Z
---

# AWS Secret Manager

The AWS Secrets Manager store provides secure and scalable secret storage by integrating directly with AWS Secrets Manager (AWS SM). It retrieves secrets dynamically at runtime, authenticates either with an IAM role or with explicit access keys, and is commonly used to fetch credentials for Redis, databases, or other external services. It is best suited for cloud-native AWS deployments.

#### Prerequisites for AWS SM

To integrate with AWS SM, grant the PlainID Secrets Management Service the permissions it needs to connect, authenticate, and fetch secrets. The best practice is to create an IAM role with the necessary permissions policy and bind it to the Kubernetes service account of the PlainID Secrets Management Service (IAM Roles for Service Accounts, IRSA, on EKS), so that no long-lived access keys have to be stored in the configuration.

**Set AWS Role** - The role assigned to the PAA's Secrets Management Service must be allowed to read the Secrets that hold the relevant passwords. The AWS policy must allow the following actions and resources:

- **Action:** `secretsmanager:BatchGetSecretValue`  
  **Resource:** `*`
- **Action:** `secretsmanager:GetSecretValue`  
  **Resource:** the ARN of each Secret that holds a relevant password, such as the Redis password used for Redis authentication.

Note: `secretsmanager:BatchGetSecretValue` must be granted on the `*` resource; it cannot be scoped to specific Secret ARNs. See the `BatchGetSecretValue` row in this [table](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html#awssecretsmanager-actions-as-permissions) for more information.

Granting that permission does not by itself allow reading all Secrets: each Secret returned by the `BatchGetSecretValue` API must also be allowed by `secretsmanager:GetSecretValue`, and a Secret the caller may not read comes back in the response's `Errors` list instead of `SecretValues`. Therefore, grant `secretsmanager:GetSecretValue` only on the specific ARNs of the Secrets the PlainID integration needs (Redis, Data Sources, etc.).

The AWS documentation includes an [example policy](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_iam-policies.html#auth-and-access_examples_batch) that illustrates this principle.

**Example JSON for an AWS Policy**

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "fetchSpecificSecret",
      "Effect": "Allow",
      "Action": ["secretsmanager:GetSecretValue"],
      "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:redis-rotated-pw-??????"
    },
    {
      "Sid": "batchFetchSecrets",
      "Effect": "Allow",
      "Action": ["secretsmanager:BatchGetSecretValue"],
      "Resource": ["*"]
    }
  ]
}
```

Secrets Manager appends a hyphen and six random characters to every Secret ARN (for example `redis-rotated-pw-AbCdEf`), so a resource that ends in the bare secret name never matches the real ARN and the policy silently grants nothing. Either copy the full ARN from the console or from `aws secretsmanager describe-secret --secret-id redis-rotated-pw`, or end the resource with `-??????` as above: the six `?` characters match exactly the random suffix without extending the grant to other Secrets whose names merely start with `redis-rotated-pw`.
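As an added example (not PlainID's or AWS's code), the following Python script lints a candidate role policy for the points above and simulates which Secrets a `BatchGetSecretValue` call would return under it. The IAM evaluation is deliberately simplified (Allow/Deny over `Action` and `Resource` patterns only; no `Condition` blocks, `NotAction`/`NotResource`, SCPs, permission boundaries or resource policies). The policy, which names the Secret without its random suffix, and the Secret ARNs are constructed for this example; the suffix `-AbCdEf` stands in for the characters AWS appends.

```python
import fnmatch
import json
import re

# Constructed example policy: the two-statement shape this page recommends,
# but with the GetSecretValue resource written as the bare secret name.
POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "fetchSpecificSecret",
      "Effect": "Allow",
      "Action": ["secretsmanager:GetSecretValue"],
      "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:redis-rotated-pw"
    },
    {
      "Sid": "batchFetchSecrets",
      "Effect": "Allow",
      "Action": ["secretsmanager:BatchGetSecretValue"],
      "Resource": ["*"]
    }
  ]
}
"""

# Secrets Manager ARNs end in "-" plus six random characters; a policy may
# name them literally or with the "-??????" wildcard that AWS recommends.
SUFFIX_RE = re.compile(r"-(?:[A-Za-z0-9]{6}|\?{6})$")
BATCH = "secretsmanager:BatchGetSecretValue"
GET = "secretsmanager:GetSecretValue"


def example_policy():
    return json.loads(POLICY_JSON)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _iam_match(pattern, value):
    # IAM patterns support '*' (any run) and '?' (one character) and have no
    # character classes, so escape '[' before handing the pattern to fnmatch.
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def allowed(policy, action, resource):
    """Simplified IAM decision: an explicit Deny wins, otherwise any Allow whose
    Action and Resource patterns both match. Conditions, NotAction/NotResource,
    SCPs, permission boundaries and resource policies are ignored."""
    decision = False
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(_iam_match(a, action.lower()) for a in actions):
            continue
        if not any(_iam_match(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        decision = True
    return decision


def lint_policy(policy):
    """Return human-readable findings for the mistakes this page warns about."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if BATCH in actions and resources != ["*"]:
            findings.append(f"{sid}: {BATCH} only works on Resource '*', got {resources}")
        if GET in actions:
            for res in resources:
                if res == "*" or res.endswith(":secret:*"):
                    findings.append(f"{sid}: {GET} on {res!r} lets the service read every secret")
                elif (res.startswith("arn:aws:secretsmanager:") and not res.endswith("*")
                      and not SUFFIX_RE.search(res)):
                    findings.append(f"{sid}: {res!r} lacks the random suffix AWS appends to "
                                    "secret ARNs and will not match the real secret")
    return findings


def simulate_batch_get(policy, secret_arns):
    """Mimic the SecretValues/Errors split of a BatchGetSecretValue response:
    the batch action is checked on '*', then each secret needs its own
    GetSecretValue grant; denied ones come back as AccessDeniedException errors."""
    if not allowed(policy, BATCH, "*"):
        raise PermissionError(f"{BATCH} is not allowed; the whole call is rejected")
    values, errors = [], []
    for arn in secret_arns:
        if allowed(policy, GET, arn):
            values.append(arn)
        else:
            errors.append({"SecretId": arn, "ErrorCode": "AccessDeniedException"})
    return values, errors


def with_suffix_wildcard(policy):
    """Copy of the policy in which bare GetSecretValue ARNs get the '-??????'
    suffix, matching the six random characters without widening the grant."""
    fixed = json.loads(json.dumps(policy))
    for stmt in fixed["Statement"]:
        if GET in _as_list(stmt.get("Action", [])):
            stmt["Resource"] = [r if r.endswith("*") or SUFFIX_RE.search(r) else r + "-??????"
                                for r in _as_list(stmt["Resource"])]
    return fixed


if __name__ == "__main__":
    policy = example_policy()
    redis = "arn:aws:secretsmanager:us-east-1:123456789012:secret:redis-rotated-pw-AbCdEf"
    other = "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod-db-master-Zy12Xw"
    print("findings:", lint_policy(policy))                            # bare name flagged
    print("as written:", simulate_batch_get(policy, [redis, other]))  # nothing returned
    print("fixed:", simulate_batch_get(with_suffix_wildcard(policy), [redis, other]))
```

Against the real role the same check is `aws secretsmanager batch-get-secret-value --secret-id-list <arn...>` run from the pod: the Secrets the role may read appear under `SecretValues`, every other requested ARN appears under `Errors` with `AccessDeniedException`, and a missing `BatchGetSecretValue` grant fails the whole call.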

#### AWS SM Secret Store-specific Parameters

Use the following parameters in your configuration:

| Parameter | Description |
| --- | --- |
| type | Set the type of the secret store to AWS Secrets Manager: `AWSSecretsManager`. |
| details.auth | Authentication settings for AWS Secrets Manager, using the keys below. These keys are optional: omit them when the pod runs with an IAM role bound to its Kubernetes service account (IRSA), in which case the AWS SDK obtains temporary credentials from the projected service-account token and no access keys are stored in the configuration. |
| details.auth.region | Set the relevant AWS region. You can use an Environment Variable: `${AWS_AUTH_REGION}`. |
| details.auth.accessKeyId | Set the access key ID. You can use an Environment Variable: `${AWS_AUTH_ACCESS_KEY_ID}`. |
| details.auth.secretAccessKey | Set the access key Secret. You can use an Environment Variable: `${AWS_AUTH_SECRET_ACCESS_KEY}`. |
| serviceAccount.annotations.eks.amazonaws.com/role-arn | ARN of the IAM role created for the PlainID Secrets Management Service, set as an annotation on the service's Kubernetes service account (IRSA). With this in place, `details.auth` is not needed. |

#### Example

The following example is based on the [general store](/v1/docs/stores) and store-specific parameters.

```yaml
secretsMgmt:
  ...
  plainIDConfig:
    ...
    # Secret Store configuration
    secretStore:
      - id: AWS_SM_STORE
        type: AWSSecretsManager
        isDefault: false
        details:
          auth:
            region: ${AWS_AUTH_REGION}
            accessKeyId: ${AWS_AUTH_ACCESS_KEY_ID}
            secretAccessKey: ${AWS_AUTH_SECRET_ACCESS_KEY}
```
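The same store configured for the role-based setup recommended in the prerequisites, as an added example that is not from the PlainID documentation. It assumes the chart exposes `serviceAccount.annotations` under `secretsMgmt` (the parameter table lists the annotation path, not its position in the values file), and the role ARN, account ID, namespace and service-account name are placeholders.

```yaml
secretsMgmt:
  serviceAccount:
    annotations:
      # IRSA: the pod receives a projected web-identity token and the AWS SDK
      # assumes this role with it, so no static access keys live in the config.
      # The role's trust policy must allow sts:AssumeRoleWithWebIdentity from
      # the cluster's OIDC provider, with the "sub" condition pinned to
      # system:serviceaccount:<namespace>:<service-account-name>.
      eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/plainid-secrets-mgmt   # placeholder
  plainIDConfig:
    secretStore:
      - id: AWS_SM_STORE
        type: AWSSecretsManager
        isDefault: false
        # No accessKeyId / secretAccessKey: credentials come from the assumed role.
        # Keep region only if the SDK cannot discover it from the pod environment.
        details:
          auth:
            region: ${AWS_AUTH_REGION}
```

To verify the binding from inside the pod, `aws sts get-caller-identity` should report an assumed-role ARN for `plainid-secrets-mgmt` rather than a user, and `aws secretsmanager batch-get-secret-value --secret-id-list <redis-secret-arn>` should return the value while any Secret outside the `GetSecretValue` grant appears under `Errors` as `AccessDeniedException`.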
