
The AWS Secrets Manager Credential Provider uses the AWS Secrets Manager Credential Provider Integration to enable you to retrieve secrets stored in AWS Secrets Manager.

You must have the following to create an AWS Secrets Manager Credential Provider:

This credential provider supports secrets stored in either plain text or JSON formats.

Plain Text Secrets: Aembit retrieves the entire secret value and passes it as the credential.

JSON Secrets: When using the JSON format, the Credential Value Type dropdown determines how the credential provider extracts values:

  • Single: Extracts one value from the JSON using a specified key
  • Username/Password: Extracts two values from the JSON using separate keys for username and password

When you configure a Server Workload to use the AWS Secrets Manager Credential Provider, you must select the appropriate Credential Type based on the secret format.
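The extraction rules above, sketched as a check you can run against a secret's `SecretString` before choosing a type. This is an added example, not Aembit's code; the type names, function names, sample values and the requirement that extracted values be non-empty strings are assumptions.

```python
import json

# Constructed sample secrets (not real credentials).
SAMPLE_PLAIN = "constructed-plain-token"
SAMPLE_JSON = json.dumps({"username": "svc-orders",
                          "password": "constructed-example-only",
                          "api_key": "constructed-key"})

def extract_credential(secret_string, value_type, key=None,
                       username_key=None, password_key=None):
    """Return what the given type would yield, or raise ValueError.
    Error messages name keys only, never secret values."""
    if value_type == "plain_text":
        if not secret_string:
            raise ValueError("secret is empty")
        return secret_string  # entire value, even if it happens to be JSON
    try:
        doc = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        raise ValueError(f"secret is not valid JSON: {exc.msg}") from None
    if not isinstance(doc, dict):
        raise ValueError("JSON secret must be an object of key/value pairs")

    def pick(k):
        if k not in doc:
            raise ValueError(f"key {k!r} not found in secret")
        # Assumption: only non-empty string values are usable credentials.
        if not isinstance(doc[k], str) or not doc[k]:
            raise ValueError(f"value for {k!r} must be a non-empty string")
        return doc[k]

    if value_type == "single":
        return pick(key)
    if value_type == "username_password":
        return pick(username_key), pick(password_key)
    raise ValueError(f"unknown value type {value_type!r}")

def compatible_types(secret_string, **keys):
    """List the value types this secret satisfies with the given keys."""
    ok = []
    for vt in ("plain_text", "single", "username_password"):
        try:
            extract_credential(secret_string, vt, **keys)
            ok.append(vt)
        except ValueError:
            pass
    return ok
```

Calling `compatible_types` with the keys you intend to configure shows which selections would succeed without printing the secret itself.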

To configure an AWS Secrets Manager Credential Provider, follow these steps:

  1. Log in to your Aembit Tenant.

  2. In the left sidebar menu, go to Credential Providers.

    Aembit directs you to the Credential Providers page displaying a list of existing Credential Providers. In this example, there are no existing Credential Providers.

    [Screenshot: Credential Providers - Main Page Empty]

  3. Click + New.

    This opens the Credential Providers dialog window.

  4. In the Credential Providers dialog window, enter the following information:

    • Name - Name of the Credential Provider.

    • Description - An optional text description of the Credential Provider.

    • Credential Type - A dropdown menu that enables you to configure the Credential Provider type. Select AWS Secrets Manager Value.

      This reveals the remaining fields in the dialog window.

    • AWS IAM Role Credential Provider Integration - Select the AWS Secrets Manager Credential Provider Integration that you created earlier.

    • AWS Secrets Manager Secret ARN - Enter the Amazon Resource Name (ARN) of the AWS Secrets Manager secret that you want to use for this Credential Provider.

      • Credential Type - Select the type of credential you want to retrieve from AWS Secrets Manager. The options are:

        • Plain Text - Retrieve the entire secret value as a single credential.
        • Single Value - Retrieve a single value from the JSON secret using a specified key.
        • Username/Password - Retrieve two values from the JSON secret using separate keys for username and password.

        See the Compatible Server Workloads section for details on how each type interacts with Server Workloads.

    Once completed, it should look similar to the following screenshot:

    [Screenshot: Credential Providers - Dialog Window complete]

  5. Click Save.

    Aembit creates the new AWS Secrets Manager Credential Provider and displays it in the list of Credential Providers. You can now use this Credential Provider with your Server Workloads.