# AWS Secrets Manager Integration

> Store and retrieve secrets securely using AWS Secrets Manager

Use AWS Secrets Manager to store sensitive data like passwords and API keys. Values are retrieved at runtime without exposing secrets in your workflow.

## Setup

### Create a Secret in AWS

1. Go to the [AWS Secrets Manager console](https://console.aws.amazon.com/secretsmanager)
2. Click **Store a new secret**
3. Choose **Other type of secret** (key/value pairs or plain text)
4. Name your secret (e.g. `my-app/prod/login`)
5. Note the secret name and the AWS region it was created in

### Create IAM Credentials

1. Go to the [IAM console](https://console.aws.amazon.com/iam)
2. Create a user or role with the following policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:<region>:<account-id>:secret:<secret-name>*"
    }
  ]
}
```

3. Generate an access key and copy the credentials
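
Secrets Manager appends a hyphen and six random characters to every secret ARN, so the trailing `*` in the policy from step 2 also covers any other secret whose name begins with the same string. The check below is an added example, not Optexity's or AWS's code: it models IAM's `*` and `?` wildcards over constructed ARNs (placeholder account ID, made-up sibling secret names) to compare that form with the narrower `-??????` suffix.

```python
import re

def iam_match(pattern, arn):
    """IAM-style wildcard match: '*' = any run of characters, '?' = exactly one."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, arn, flags=re.DOTALL) is not None

# Constructed sample data: placeholder account ID, made-up names and suffixes.
PREFIX = "arn:aws:secretsmanager:us-east-1:111122223333:secret:"
SECRET_ARNS = [
    PREFIX + "my-app/prod/login-AbCdEf",        # the secret the workflow needs
    PREFIX + "my-app/prod/login-admin-Gh1jKl",  # different secret, same name prefix
    PREFIX + "my-app/prod/login2-MnOpQr",       # another sibling
    PREFIX + "my-app/prod/totp-StUvWx",         # unrelated secret
]

def granted(resource_pattern):
    """Return the secrets (ARN tail after PREFIX) that the Resource pattern covers."""
    return [a[len(PREFIX):] for a in SECRET_ARNS if iam_match(resource_pattern, a)]

BROAD = PREFIX + "my-app/prod/login*"        # the page's form: <secret-name>*
TIGHT = PREFIX + "my-app/prod/login-??????"  # name, hyphen, six random characters

if __name__ == "__main__":
    print("broad:", granted(BROAD))
    print("tight:", granted(TIGHT))
```

If the credentials should read exactly one secret, the `-??????` form (or the secret's full ARN) keeps `secretsmanager:GetSecretValue` from reaching same-prefix siblings.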

### Configure Environment

Add the credentials directly on the **Integrations** page of the dashboard, or add them to your `.env` file:

```bash
AWS_ACCESS_KEY_ID=your_access_key_id
AWS_SECRET_ACCESS_KEY=your_secret_access_key
```

***

## Usage

Move parameters from `input_parameters` to `secure_parameters`:

**Before:**

```json
{
  "input_parameters": {
    "password": ["password_value"]
  }
}
```

**After (plain string secret):**

```json
{
  "secure_parameters": {
    "password": [{
      "amazon_secrets_manager": {
        "secret_name": "my-app/prod/login",
        "region_name": "us-east-1",
        "key": "password"
      }
    }]
  }
}
```

**After (JSON secret — extract a single key):**

If your secret is stored as a JSON object like `{"username": "admin", "password": "s3cr3t"}`, use the `key` field to pluck the value you need:

```json
{
  "secure_parameters": {
    "password": [{
      "amazon_secrets_manager": {
        "secret_name": "my-app/prod/login",
        "region_name": "us-east-1",
        "key": "password"
      }
    }]
  }
}
```

***

## Properties

| Property      | Type  | Default  | Description                                                  |
| ------------- | ----- | -------- | ------------------------------------------------------------ |
| `secret_name` | `str` | Required | Name or ARN of the secret in AWS Secrets Manager             |
| `region_name` | `str` | Required | AWS region where the secret is stored (e.g. `"us-east-1"`)   |
| `key`         | `str` | `null`   | Key to extract from the secret (plain string or JSON object) |
| `type`        | `str` | `null`   | Set to `"totp_secret"` to generate TOTP codes                |
| `digits`      | `int` | `null`   | Required when `type` is `"totp_secret"` (e.g. `6`)           |

***

## TOTP from AWS Secrets Manager

Store a TOTP secret in AWS Secrets Manager and generate codes at runtime:

```json
{
  "secure_parameters": {
    "auth_code": [{
      "amazon_secrets_manager": {
        "type": "totp_secret",
        "secret_name": "my-app/prod/totp",
        "region_name": "us-east-1",
        "digits": 6
      }
    }]
  }
}
```

If the TOTP secret is stored inside a JSON object, combine `key` with `type: "totp_secret"`:

```json
{
  "secure_parameters": {
    "auth_code": [{
      "amazon_secrets_manager": {
        "type": "totp_secret",
        "secret_name": "my-app/prod/login",
        "region_name": "us-east-1",
        "key": "totp_secret",
        "digits": 6
      }
    }]
  }
}
```

<Tip>
  See [TOTP Integration](/docs/advanced/totp-integration) for more 2FA options.
</Tip>

***

## Revoking Access

Deactivate or delete the IAM access key from the AWS console at any time to immediately revoke access.
