Use AWS Secrets Manager to store sensitive data like passwords and API keys. Values are retrieved at runtime without exposing secrets in your workflow.

Setup

Create a Secret in AWS

  1. Go to the AWS Secrets Manager console
  2. Click Store a new secret
  3. Choose Other type of secret (key/value pairs or plain text)
  4. Name your secret (e.g. my-app/prod/login)
  5. Note the secret name and the AWS region it was created in

Create IAM Credentials

  1. Go to the IAM console
  2. Create a user or role with the following policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:<region>:<account-id>:secret:<secret-name>*"
    }
  ]
}
  3. Generate an access key and copy the credentials
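
The trailing `*` in the policy's Resource is there because Secrets Manager appends a hyphen and six random characters to each secret's ARN, but it also matches any other secret whose name starts with the same string. The following check is an added example, not part of the original page. It compares that form with the tighter `-??????` suffix, using a constructed account ID, region and ARNs:

```python
import re

def iam_pattern_to_regex(pattern):
    """Translate IAM resource wildcards: '*' = any run of characters, '?' = exactly one."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.DOTALL)

def matching_arns(pattern, arns):
    """Return the ARNs that the Resource pattern would grant access to."""
    rx = iam_pattern_to_regex(pattern)
    return [a for a in arns if rx.fullmatch(a)]

# Constructed values: account ID, region and random suffixes are placeholders.
PREFIX = "arn:aws:secretsmanager:us-east-1:111122223333:secret:"
ARNS = [
    PREFIX + "my-app/prod/login-AbCdEf",        # the intended secret
    PREFIX + "my-app/prod/login-admin-GhIjKl",  # a different secret sharing the name prefix
    PREFIX + "my-app/prod/totp-MnOpQr",         # unrelated secret
]

BROAD = PREFIX + "my-app/prod/login*"        # form used in the policy above
TIGHT = PREFIX + "my-app/prod/login-??????"  # name plus exactly the six-character suffix

def report():
    """Secrets readable under each Resource pattern."""
    return {"broad": matching_arns(BROAD, ARNS), "tight": matching_arns(TIGHT, ARNS)}

if __name__ == "__main__":
    for label, hits in report().items():
        print(label, [h[len(PREFIX):] for h in hits])
```

With the `-??????` form the credentials can read only the one named secret, so a leaked access key exposes less.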

Configure Environment

Add the credentials directly on the Integrations page of the dashboard, or add them to your .env file:
AWS_ACCESS_KEY_ID=your_access_key_id
AWS_SECRET_ACCESS_KEY=your_secret_access_key

Usage

Move parameters from input_parameters to secure_parameters:

Before:
{
  "input_parameters": {
    "password": ["password_value"]
  }
}
After (plain string secret):
{
  "secure_parameters": {
    "password": [{
      "amazon_secrets_manager": {
        "secret_name": "my-app/prod/login",
        "region_name": "us-east-1",
        "key": "password"
      }
    }]
  }
}
After (JSON secret, extract a single key):

If your secret is stored as a JSON object like {"username": "admin", "password": "s3cr3t"}, use the key field to pluck the value you need:
{
  "secure_parameters": {
    "password": [{
      "amazon_secrets_manager": {
        "secret_name": "my-app/prod/login",
        "region_name": "us-east-1",
        "key": "password"
      }
    }]
  }
}

Properties

| Property | Type | Default | Description |
|---|---|---|---|
| secret_name | str | Required | Name or ARN of the secret in AWS Secrets Manager |
| region_name | str | Required | AWS region where the secret is stored (e.g. "us-east-1") |
| key | str | null | Key to extract from the secret (plain string or JSON object) |
| type | str | null | Set to "totp_secret" to generate TOTP codes |
| digits | int | null | Required when type is "totp_secret" (e.g. 6) |

TOTP from AWS Secrets Manager

Store a TOTP secret in AWS Secrets Manager and generate codes at runtime:
{
  "secure_parameters": {
    "auth_code": [{
      "amazon_secrets_manager": {
        "type": "totp_secret",
        "secret_name": "my-app/prod/totp",
        "region_name": "us-east-1",
        "digits": 6
      }
    }]
  }
}
If the TOTP secret is stored inside a JSON object, combine key with type: "totp_secret":
{
  "secure_parameters": {
    "auth_code": [{
      "amazon_secrets_manager": {
        "type": "totp_secret",
        "secret_name": "my-app/prod/login",
        "region_name": "us-east-1",
        "key": "totp_secret",
        "digits": 6
      }
    }]
  }
}
See TOTP Integration for more 2FA options.

Revoking Access

Deactivate or delete the IAM access key from the AWS console at any time to immediately revoke access.