HCP Vault Secrets Centralized secrets lifecycle management for developers. Learn More
Vault
Vault Home

AWS Secrets Manager

The AWS Secrets Manager destination enables Vault to sync and unsync secrets of your choosing into an external AWS account. When configured, Vault will actively maintain the state of each externally-synced secret in realtime. This includes sending new secrets, updating existing secret values, and removing secrets when they either get dissocaited from the destination or deleted from Vault.

Setup

The use of this sync destination requires prerequesite setup before beginning to configure it. Either an IAM User or an IAM role must be set with the necessary policies in order for Vault to manage secrets in the external destination. It is this IAM User or IAM Role in AWS for which access credentials will be generated, then provided to Vault during configuration.

The following is an example policy outlining the required permissions to use secrets syncing:

{
    "Version": "2012-10-17",
    "Statement": [
    {
        "Effect": "Allow",
        "Action": [
            "secretsmanager:Create*",
            "secretsmanager:Put*",
            "secretsmanager:Update*",
            "secretsmanager:Delete*",
            "secretsmanager:TagResource",
            "secretsmanager:UntagResource"
        ],
        "Resource": "*"
    }
    ]
}

Usage

When AWS credentials have been obtained, Vault can be configured to create an AWS destination, then begin to associate your secrets with this destination.

  1. Store any KV secret into Vault, like so:

    $ vault kv put secret/foo mypass=bar

    Output:

    === Secret Path ===
secret/data/foo

======= Metadata =======
Key                Value
---                -----
created_time       2023-09-19T13:17:23.395109Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1

  2. Configure the sync destination:

    $ vault write sys/sync/destinations/aws-sm/my-awssm-1 \
access_key_id='AKIAJWVN5Z4FOFT7NLNA' \
secret_access_key='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' \
region='us-east-1'

    Output:

    Key                   Value
---                   -----
connection_details    map[access_key_id:***** region:us-east-1 secret_access_key:*****]
name                  my-awssm-1
type                  aws-sm

  3. Set a secret to be associated with the configured secret destination:

    $ vault write sys/sync/destinations/aws-sm/my-awssm-1/associations/set \
mount='secret' \
secret_name='foo'

    Output:

    Key                   Value
---                   -----
associated_secrets    map[kv_37993f8a/foo:map[accessor:kv_37993f8a secret_name:foo sync_status:SYNCED updated_at:2023-09-19T13:17:35.085581-05:00]]
store_name            aws1
store_type            aws-sm

Troubleshooting

...

API

The AWS Secrets Manager destination has a full HTTP API. Please see the secrets sync API for more details.

Edit this page on GitHub