AWS Secrets Manager

Learn how to sync secrets from Infisical to AWS Secrets Manager.

Authentication Mode: AWS Assume Role

Infisical will assume the provided role in your AWS account securely, without the need to share any credentials.

Prerequisites:

  • Set up and add envars to Infisical Cloud

Self-Hosted Users

To connect your Infisical instance with AWS, you need to set up an AWS IAM User account that can assume the AWS IAM Role for the integration.

If your instance is deployed on AWS, the aws-sdk will automatically retrieve the credentials. Ensure that you assign the provided permission policy to your deployed instance, such as ECS or EC2.

The following steps are for instances not deployed on AWS.

Step 1: Create an IAM User

Navigate to Create IAM User in your AWS Console.

Step 2: Create an Inline Policy

Attach the following inline permission policy to the IAM User to allow it to assume any IAM Role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAssumeAnyRole",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::*:role/*"
    }
  ]
}

Step 3: Obtain the IAM User Credentials

Obtain the AWS access key ID and secret access key for your IAM User by navigating to IAM > Users > [Your User] > Security credentials > Access keys.

Step 4: Set Up Integration Keys

  1. Set the access key as CLIENT_ID_AWS_INTEGRATION.
  2. Set the secret key as CLIENT_SECRET_AWS_INTEGRATION.

Step 1: Create the Managing User IAM Role for AWS Secrets Manager

  1. Navigate to the Create IAM Role page in your AWS Console.

  2. Select AWS Account as the Trusted Entity Type.

  3. Choose Another AWS Account and enter 381492033652 (Infisical AWS Account ID). This restricts the role to be assumed only by Infisical. If self-hosting, provide your AWS account number instead.

  4. Optionally, enable Require external ID and enter your project ID to further enhance security.
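
The console steps above produce a role trust policy. The following Python is an added example, not Infisical's code: it builds that trust policy for the Infisical account ID given above (the project ID used as external ID is a constructed placeholder) and audits an existing trust policy for the two properties the steps aim at, a single trusted account and a required external ID.

```python
from typing import Optional

# Infisical Cloud's AWS account ID as given on this page; the external ID used
# in the test is a constructed placeholder standing in for an Infisical project ID.
INFISICAL_ACCOUNT_ID = "381492033652"


def build_trust_policy(trusted_account_id: str, external_id: Optional[str] = None) -> dict:
    """Trust policy equivalent to the console steps: 'Another AWS Account' as the
    principal, plus an sts:ExternalId condition when 'Require external ID' is enabled."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def check_trust_policy(policy: dict, expected_account_id: str) -> list:
    """Audit an existing trust policy: any Allow of sts:AssumeRole must name only
    the expected account and should require an external ID."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for p in [aws] if isinstance(aws, str) else aws:
            if p == "*" or expected_account_id not in p:
                findings.append(f"unexpected principal {p}")
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            findings.append("no external ID required")
    return findings
```

Run check_trust_policy against the trust policy shown in the IAM console after saving the role; an empty result means only the expected account can assume it and callers must present the external ID.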

Step 2: Add Required Permissions for the IAM Role

Use the following custom policy to grant the minimum permissions required by Infisical to sync secrets to AWS Secrets Manager:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSecretsManagerAccess",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:CreateSecret",
        "secretsmanager:UpdateSecret",
        "secretsmanager:DescribeSecret",
        "secretsmanager:TagResource",
        "secretsmanager:UntagResource",
        "kms:ListKeys",
        "kms:ListAliases",
        "kms:Encrypt",
        "kms:Decrypt"
      ],
      "Resource": "*"
    }
  ]
}
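
As an added check, not part of Infisical's code or docs: the Python below audits the two IAM policies on this page, the self-hosted IAM User's inline AssumeRole policy and the Secrets Manager permissions policy above (the same policy is used by the Access Key mode below), for actions granted on wildcard resources, and shows the inline policy scoped to one managing role ARN (a placeholder you substitute).

```python
# Both policies are copied from this page so the check runs offline.
ASSUME_ROLE_POLICY = {  # inline policy for the self-hosted IAM User
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowAssumeAnyRole", "Effect": "Allow",
                   "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::*:role/*"}],
}
SECRETS_MANAGER_POLICY = {  # permissions policy for the managing role / IAM user
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowSecretsManagerAccess", "Effect": "Allow",
                   "Action": ["secretsmanager:GetSecretValue", "secretsmanager:CreateSecret",
                              "secretsmanager:UpdateSecret", "secretsmanager:DescribeSecret",
                              "secretsmanager:TagResource", "secretsmanager:UntagResource",
                              "kms:ListKeys", "kms:ListAliases", "kms:Encrypt", "kms:Decrypt"],
                   "Resource": "*"}],
}
# List actions are not resource-scoped, so "*" is required there rather than a finding.
WILDCARD_ONLY = {"kms:ListKeys", "kms:ListAliases"}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def wildcard_findings(policy: dict) -> list:
    """One finding per (statement, action) where an Allow statement grants a
    resource-scopable action on a resource containing a wildcard."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        wild = [r for r in _as_list(stmt.get("Resource")) if "*" in r]
        for action in _as_list(stmt.get("Action")):
            if wild and action not in WILDCARD_ONLY:
                findings.append(f"{stmt.get('Sid', '-')}: {action} on {wild[0]}")
    return findings


def scoped_assume_role_policy(managing_role_arn: str) -> dict:
    """The same inline policy restricted to the one managing role the instance
    must assume; the ARN is supplied by the caller (a placeholder in the test)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Sid": "AllowAssumeManagingRole", "Effect": "Allow",
                       "Action": "sts:AssumeRole", "Resource": managing_role_arn}],
    }
```

The kms:ListKeys and kms:ListAliases actions genuinely need Resource "*"; the secretsmanager actions and kms:Encrypt/Decrypt can be narrowed to the ARNs of the secrets the integration writes and the chosen KMS key once those are known.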

Step 3: Copy the AWS IAM Role ARN

Step 4: Authorize Infisical for AWS Secrets Manager

  1. Navigate to your project’s integrations tab in Infisical.

  2. Click on the AWS Secrets Manager tile.

  3. Select the AWS Assume Role option.

  4. Provide the AWS IAM Role ARN obtained from the previous step.

Step 5: Start integration

Select how you want the integration to work by specifying a number of parameters:

Project Environment (string, required)

The environment in Infisical from which you want to sync secrets to AWS Secrets Manager.

Secrets Path (string, required)

The path within the preselected environment from which you want to sync secrets to AWS Secrets Manager.

AWS Region (string, required)

The AWS region that you want to integrate with in AWS Secrets Manager.

Mapping Behavior (string, required)

How you want the integration to map the secrets. The selected value can be either one-to-one or one-to-many.

AWS SM Secret Name (string, required)

The secret name/path in AWS into which you want to sync the secrets from Infisical.

Optionally, you can add tags or specify the encryption key for all the secrets created via this integration:

Tag Sync Mode (string)

The sync mode for AWS tags. The supported options are Secret Metadata and Custom. If Secret Metadata is selected, the metadata of the Infisical secrets is used as tags in AWS. If Custom is selected, the key/value of the Secret Tag field is used. Secret Metadata mode is only supported for one-to-one integrations.

Secret Tag (string)

The key/value of a tag that will be added to secrets in AWS. Please note that it is possible to add multiple tags via the API.

Encryption Key (string)

The alias/ID of the AWS KMS key used for encryption. Please note that the key must be enabled in order to work and the IAM user must have access to it.

Then, press Create Integration to start syncing secrets to AWS Secrets Manager.

Infisical currently syncs environment variables to AWS Secrets Manager as key-value pairs under one secret. We’re actively exploring ways to help users group environment variable key-pairs under multiple secrets for greater control.

Please note that upon deleting secrets in Infisical, AWS Secrets Manager immediately makes the secrets inaccessible but only schedules them for deletion after at least 7 days.

Authentication Mode: Access Key

Infisical will access your account using the provided AWS access key and secret key.

Prerequisites:

  • Set up and add envars to Infisical Cloud
  • Set up AWS and have/create an IAM user

Step 1: Grant the IAM user permissions to access AWS Secrets Manager

Navigate to your IAM user permissions and add a permission policy to grant access to AWS Secrets Manager.

For better security, use the following custom policy, which contains the minimum permissions required by Infisical to sync secrets to AWS Secrets Manager for the IAM user:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSecretsManagerAccess",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:CreateSecret",
        "secretsmanager:UpdateSecret",
        "secretsmanager:DescribeSecret",
        "secretsmanager:TagResource",
        "secretsmanager:UntagResource",
        "kms:ListKeys",
        "kms:ListAliases",
        "kms:Encrypt",
        "kms:Decrypt"
      ],
      "Resource": "*"
    }
  ]
}

The secretsmanager:DescribeSecret, secretsmanager:TagResource and secretsmanager:UntagResource actions are only needed if you add tags to secrets, and the four kms actions only if you specify a KMS encryption key; IAM rejects policy documents that contain comments, so these notes are kept out of the JSON.

Step 2: Authorize Infisical for AWS Secrets Manager

Obtain an AWS access key ID and secret access key for your IAM user in IAM > Users > User > Security credentials > Access keys.

  1. Navigate to your project’s integrations tab in Infisical.

  2. Click on the AWS Secrets Manager tile.

  3. Select the Access Key option for Authentication Mode.

  4. Provide the access key and secret key for the AWS IAM User.

Step 3: Start integration

Select how you want the integration to work by specifying a number of parameters:

Project Environment (string, required)

The environment in Infisical from which you want to sync secrets to AWS Secrets Manager.

Secrets Path (string, required)

The path within the preselected environment from which you want to sync secrets to AWS Secrets Manager.

AWS Region (string, required)

The AWS region that you want to integrate with in AWS Secrets Manager.

Mapping Behavior (string, required)

How you want the integration to map the secrets. The selected value can be either one-to-one or one-to-many.

AWS SM Secret Name (string, required)

The secret name/path in AWS into which you want to sync the secrets from Infisical.

Optionally, you can add tags or specify the encryption key for all the secrets created via this integration:

Secret Tag (string)

The key/value of a tag that will be added to secrets in AWS. Please note that it is possible to add multiple tags via the API.

Encryption Key (string)

The alias/ID of the AWS KMS key used for encryption. Please note that the key must be enabled in order to work and the IAM user must have access to it.

Then, press Create Integration to start syncing secrets to AWS Secrets Manager.

Infisical currently syncs environment variables to AWS Secrets Manager as key-value pairs under one secret. We’re actively exploring ways to help users group environment variable key-pairs under multiple secrets for greater control.

Please note that upon deleting secrets in Infisical, AWS Secrets Manager immediately makes the secrets inaccessible but only schedules them for deletion after at least 7 days.
