AWS Secrets Manager

This secret source utilizes the AWS Secrets Manager service.

This source includes a cache for values. This avoids repeatedly querying for the same value e.g. if it’s used by multiple providers. Currently secrets are only pulled at once at startup, however in the future this might be changed to re-pull periodically or upon configuration changes. Therefore it is advised to think through how often your secrets might rotate when configuring the TTL value, even though currently it only need to be a small value to span the initial start-up of the application.

Secrets Manager places secrets inside a JSON structure if configured through the console. To support that keys should be in the structure of id:key with id being the ID of the secret as a whole and key being the key from the JSON Object stored in the secret. If the secret isn’t JSON then you only need to supply the id by itself. You can override the separator used to be any value rather than a colon (:).

This supports the standard means of authenticating with AWS. Ensure your user/role includes permission both to retrieve the secrets as well as permission to use the relevant KMS key to decrypt it.

Name should be "awssecretsmanager"

Configuration options:

Parameter	Description	Type	Required	Default
separator	How to separate the Id of the secret from the JSON key in the secret name as a whole	string	No	:
ttl	How long to cache secrets in seconds. Cache disabled if less than 0.	int	No	1 hour
region	The AWS region containing the bucket. Required if region is not specified via other means. Consult AWS documentation for possible values	string	No	None
access	The AWS Access Key ID to authenticate with. This is not recommended; it is offered as a fallback authentication method only. Consult AWS documentation for better options	string	No	None
secret	The AWS Secret Key to authenticate with. This is not recommended; it is offered as a fallback authentication method only. Consult AWS documentation for better options	string	No	None
profile	The profile to use to authenticate against the AWS API. Consult AWS documentation for specifics	string	No	None

Parameter

Description

Type

Required

Default

separator

How to separate the Id of the secret from the JSON key in the secret name as a whole

string

ttl

How long to cache secrets in seconds. Cache disabled if less than 0.

int

1 hour

region

The AWS region containing the bucket. Required if region is not specified via other means. Consult AWS documentation for possible values

string

None

access

The AWS Access Key ID to authenticate with. This is not recommended; it is offered as a fallback authentication method only. Consult AWS documentation for better options

string

None

secret

The AWS Secret Key to authenticate with. This is not recommended; it is offered as a fallback authentication method only. Consult AWS documentation for better options

string

None

profile

The profile to use to authenticate against the AWS API. Consult AWS documentation for specifics

string

None