
The AWS Secrets Manager Credential Provider uses the AWS Secrets Manager Credential Provider Integration to enable you to retrieve secrets stored in AWS Secrets Manager.

You must have the following to create an AWS Secrets Manager Credential Provider:

This credential provider supports secrets stored in either plain text or JSON formats.

Plain Text Secrets: Aembit retrieves the entire secret value and passes it as the credential.

JSON Secrets: When using the JSON format, the Credential Value Type dropdown determines how the credential provider extracts values:

  • Single: Extracts one value from the JSON using a specified key
  • Username/Password: Extracts two values from the JSON using separate keys for username and password

When you configure a Server Workload to use the AWS Secrets Manager Credential Provider, you must select the appropriate Credential Type based on the secret format.
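The extraction behaviour of the three Credential Value Types, modelled as a small Python function. This is an added example, not Aembit's code; the `CredentialValueConfig` fields and the `extract_credential` function are assumptions, and the sample secrets are constructed. It shows the point the text leaves implicit: Plain Text passes a secret through even if it happens to be JSON, while the JSON types reject a non-JSON secret or a missing key instead of handing on an empty credential.

```python
import json
from dataclasses import dataclass
from typing import Optional, Union


# Hypothetical model of the Credential Value Types described above;
# field names are assumptions, not Aembit's configuration schema.
@dataclass
class CredentialValueConfig:
    value_type: str  # "plain_text", "single" or "username_password"
    secret_key: Optional[str] = None
    username_key: Optional[str] = None
    password_key: Optional[str] = None


def extract_credential(secret_string: str, cfg: CredentialValueConfig) -> Union[str, dict]:
    """Return the credential a provider would pass to the Server Workload.

    Plain Text returns the whole secret unchanged. The JSON types parse the
    secret and pick one or two keys; a secret that is not a JSON object, or
    that lacks a configured key, raises rather than yielding an empty value.
    """
    if cfg.value_type == "plain_text":
        return secret_string

    try:
        data = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        raise ValueError("secret is not valid JSON") from exc
    if not isinstance(data, dict):
        raise ValueError("JSON secret must be an object keyed by strings")

    def pick(key: Optional[str], role: str) -> str:
        if not key:
            raise ValueError(f"{role} key is not configured")
        if key not in data:
            raise KeyError(f"{role} key {key!r} not present in secret")
        return str(data[key])

    if cfg.value_type == "single":
        return pick(cfg.secret_key, "secret")
    if cfg.value_type == "username_password":
        return {"username": pick(cfg.username_key, "username"),
                "password": pick(cfg.password_key, "password")}
    raise ValueError(f"unknown Credential Value Type {cfg.value_type!r}")


# Constructed sample secrets (not real credentials).
PLAIN_SECRET = "tok-constructed-example-0001"
JSON_SECRET = json.dumps({"username": "svc-reporting",
                          "password": "constructed-pw", "api_key": "ak-123"})
```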

Normally, if you’ve restricted Secrets Manager to a private network, such as an AWS VPC, Aembit Cloud can’t reach it. However, you can configure your Credential Provider to use Aembit Edge Components (Aembit CLI or Agent Proxy) to access Secrets Manager using the Private Network Access option.

When you enable Private Network Access when configuring the AWS Secrets Manager Value Credential Provider, Aembit Cloud doesn’t directly access AWS Secrets Manager. Instead, it communicates with the Aembit CLI or Agent Proxy running in your private network. The Aembit CLI or Agent Proxy then retrieves the secret from AWS Secrets Manager and returns it to Aembit Cloud.

To configure an AWS Secrets Manager Credential Provider, follow these steps:

  1. Log into your Aembit Tenant.

  2. Go to Credential Providers in the left sidebar.

    Aembit directs you to the Credential Providers page displaying a list of existing Credential Providers. In this example, there are no existing Credential Providers.

    [Screenshot: Credential Providers - Main Page Empty]

  3. Click + New.

    This opens the Credential Providers dialog window.

  4. Enter a Name and optional Description for the Credential Provider.

  5. For Credential Type, select AWS Secrets Manager Value.

  6. For Credential Provider Integration, select the desired AWS Secrets Manager Credential Provider Integration.

    If you select an integration with Populate Secrets ARNs turned on, the next field changes to a dropdown menu.

  7. In the AWS Secrets Manager Secret ARN field, you have two options depending on the Credential Provider Integration:

    • Without Populate Secrets ARNs - Enter the Amazon Resource Name (ARN) of the AWS Secrets Manager secret that you want to use for this Credential Provider.

    • With Populate Secrets ARNs - Select or search for an existing secret from the dropdown list. Aembit populates this list with the secrets available in your AWS account that match the integration you selected.

  8. For Credential Value Type, select the type of credential you want to retrieve from AWS Secrets Manager.

    The options are:

    • Plain Text - Retrieve the entire secret value as a single credential.
    • Single Value - Retrieve a single value from the JSON secret using a specified key.
    • Username/Password - Retrieve two values from the JSON secret using separate keys for username and password.

    See the Compatible Server Workloads section for details on how each type interacts with Server Workloads.

  9. Depending on the Credential Value Type you selected, additional fields may appear:

    • Secret Key - If you selected Single Value, enter the key whose value Aembit extracts from the JSON secret.
    • Username & Password Key - If you selected Username/Password, enter the key for the username and the key for the password in the JSON secret.

    Select Private Network Access if your AWS Secrets Manager secret is in a private network (such as an AWS VPC) and you want to access it through Aembit Edge Components (Aembit CLI or Agent Proxy).

    Once completed, the form should look similar to the following screenshot:

    [Screenshot: Credential Providers - Dialog Window complete]

  10. Click Save.

    Aembit creates the new AWS Secrets Manager Credential Provider and displays it in the list of Credential Providers. You can now use this Credential Provider with your Server Workloads.