AWS Secrets Manager


The AWS Secrets Manager Store provides secure and scalable secret storage by integrating directly with AWS SM. It supports dynamic secret retrieval, access via IAM roles or explicit credentials, and is commonly used to fetch credentials for Redis, databases, or other external services. Best suited for cloud-native AWS deployments.

Prerequisites for AWS SM

To integrate with AWS SM, set access permissions that allow the PlainID Secrets Management Service to connect, authenticate, and fetch secrets.
The best practice is to set up an AWS role with the necessary permissions policy and attach it to the Kubernetes cluster that runs the PlainID Secrets Management Service.

Set AWS Role - The role assigned to the PAA's Secrets Management Service must grant permission to read the Secret containing the relevant passwords. The following resources and actions must be allowed in the AWS Policy:

  • Action: secretsmanager:BatchGetSecretValue
    Resource: *
  • Action: secretsmanager:GetSecretValue
    Resource: The secret's ARN containing a relevant password, such as a Redis password used for Redis authentication.

Note: the secretsmanager:BatchGetSecretValue permission must be granted on the * resource; it cannot be granted on specific Secret ARNs. See the BatchGetSecretValue row in this table for more information.

Granting the above permission does not allow reading all Secrets. Each Secret returned by the BatchGetSecretValue API must be explicitly allowed by the secretsmanager:GetSecretValue permission. Therefore, the latter must be granted only on the specific ARN of the relevant secrets required by the PlainID integration (Redis, Data Sources, etc.).

Check out an AWS example policy that explains the above principle here.

Example JSON for an AWS Policy

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "fetchSpecificSecret",
      "Effect": "Allow",
      "Action": ["secretsmanager:GetSecretValue"],
      "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:redis-rotated-pw"
    },
    {
      "Sid": "batchFetchSecrets",
      "Effect": "Allow",
      "Action": ["secretsmanager:BatchGetSecretValue"],
      "Resource": ["*"]
    }
  ]
}
```
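To make the rule above checkable before a role is attached, the following added Python example (not PlainID's or AWS's code) lints a policy document for the two conditions the page states: BatchGetSecretValue granted on `*`, and GetSecretValue granted only on explicit secret ARNs. The policy dicts are constructed copies of the page's example and of a deliberately over-broad variant.

```python
import copy

# Constructed copy of the page's example policy (the ARN is the page's sample value).
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "fetchSpecificSecret", "Effect": "Allow",
         "Action": ["secretsmanager:GetSecretValue"],
         "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:redis-rotated-pw"},
        {"Sid": "batchFetchSecrets", "Effect": "Allow",
         "Action": ["secretsmanager:BatchGetSecretValue"], "Resource": ["*"]},
    ],
}

# Weak variant (constructed): GetSecretValue on "*" lets the service read every secret in the account.
WEAK_POLICY = copy.deepcopy(PAGE_POLICY)
WEAK_POLICY["Statement"][0]["Resource"] = "*"

BATCH, GET = "secretsmanager:batchgetsecretvalue", "secretsmanager:getsecretvalue"


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def allow_grants(policy):
    """Flatten Allow statements into (action, resource) pairs; Deny handling is out of scope."""
    return [(a.lower(), r)
            for stmt in policy.get("Statement", []) if stmt.get("Effect") == "Allow"
            for a in _as_list(stmt.get("Action"))
            for r in _as_list(stmt.get("Resource"))]


def check_secrets_policy(policy):
    """Return findings as strings; an empty list means the policy follows the page's rule."""
    findings = []
    grants = allow_grants(policy)
    batch_resources = [r for a, r in grants if a == BATCH]
    if batch_resources and "*" not in batch_resources:
        findings.append("BatchGetSecretValue must be granted on '*'; a scoped grant does not work")
    for action, resource in grants:
        # GetSecretValue (or a wildcard action that covers it) on any wildcard resource is over-broad.
        if action in (GET, "secretsmanager:*", "*") and "*" in resource:
            findings.append(f"{action} on {resource!r} allows reading more secrets than the integration needs")
    return findings


def allowed_secret_arns(policy):
    """The exact secrets the service can read: GetSecretValue grants without a wildcard."""
    return sorted({r for a, r in allow_grants(policy) if a == GET and "*" not in r})
```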

AWS SM Secret Store-specific Parameters

Use the following parameters in your configuration:

| Parameter | Description |
| --- | --- |
| type | Set the type of the secret store to AWS Secrets Manager: AWSSecretsManager. |
| details.auth | Set the authentication for AWS Secrets Manager using the parameters below. The auth configuration keys are optional: if you are using an AWS Role attached to the K8s pod running the Secrets Management Service, they are not needed. |
| details.auth.region | Set the relevant AWS region. You can use an Environment Variable: ${AWS_AUTH_REGION}. |
| details.auth.accessKeyId | Set the access key ID. You can use an Environment Variable: ${AWS_AUTH_ACCESS_KEY_ID}. |
| details.auth.secretAccessKey | Set the secret access key. You can use an Environment Variable: ${AWS_AUTH_SECRET_ACCESS_KEY}. |
| serviceAccount.annotations.eks.amazonaws.com/role-arn | Set the AWS role defined for the PlainID Secret Management Service. This replaces the need for auth configuration. |

Example

The following example is based on the general store and store-specific parameters.

```yaml
secretsMgmt:
  ...
  plainIDConfig:
    ...
    # Secret Store configuration
    secretStore:
      - id: AWS_SM_STORE
        type: AWSSecretsManager
        isDefault: false
        details:
          auth:
            region: ${AWS_AUTH_REGION}
            accessKeyId: ${AWS_AUTH_ACCESS_KEY_ID}
            secretAccessKey: ${AWS_AUTH_SECRET_ACCESS_KEY}
```