Skip to main content
Version: Early Access

Managing secrets using AWS SecretsManager

Overview

The AWS Secrets Manager plugin integrates Deploy with AWS Secrets Manager, enabling secure retrieval of sensitive data such as database passwords, API keys, or other credentials stored in AWS Secrets Manager during deployment.

Prerequisites

Ensure the following before integrating the AWS Secrets Manager plugin with Deploy:

  • The AWS plugin is installed. For more information, see AWS plugin.
  • You have the following AWS credentials:
    • Access Key ID
    • Secret Access Key
    • Session token

How It Works?

You can set up the AWS Secrets Manager plugin to use external dictionaries within your environments. Additionally, you can create an AWS Secrets Manager-based lookup provider that retrieves and resolves key/value pairs stored in AWS Secrets Manager.

note

Deploy does not save or cache key/value information stored in AWS Secrets Manager.

Use External AWS Secrets Manager Based Dictionaries

  • Manage an external AWS Secrets Manager dictionary similar to internal dictionaries in Deploy.For more information, see manage internal dictionaries in Deploy
  • Assign an AWS Secrets Manager-based dictionary to an environment.
  • During deployment, key/value pairs stored in AWS Secrets Manager replaces the defined placeholders in the deployment environment.

Use an External AWS Secrets Manager Lookup Provider

For secrets and password fields in certain CIs, establish an AWS Secrets Manager-based lookup provider to look up a value based on a specified key. For more information, see Create an external lookup value provider.

User Access Control

Deploy provides controls to manage access to sensitive data, ensuring:

  • Developers are authenticated and authorized to read secrets.
  • Role-based access to secrets.
  • Policies control credentials and their usage. The integration with AWS Secrets Manager is controlled by the connection to the AWS Secrets Manager server and the specific list of keys (Secret paths) that you can access.

Install the Plugin

To install the plugin:

  1. Download the Deploy AWS Secret Manager integration plugin from the distribution site.
  2. Place the plugin inside the XL_DEPLOY_SERVER_HOME/plugins/ directory.
  3. Restart Deploy.

For more information, see Install or remove Deploy plugins

Create a AWS Cloud Connection

Deploy supports the AWS Secret Manager integration using a 'Server' Configuration Item (CI)type.This allows you to configure a connection to an AWS server to read key values.

To create a new connection, perform the following steps:

  1. Go to Infrastructure, click Alt, and select New > aws > Cloud.
  2. Enter a name for the AWS Cloud connection in the Name field.
  3. Enter Access Key ID, Secret Access Key, and Session token.
  4. Complete optional fields as needed.
  5. Click Save or Save and close. You can now see the connection under Infrastructure.

Alt

  1. To check the connection, hover over the connection created, click Check connection and execute the task. Once the connection succeeds, select Finish.

Enable a Secret Manager Server

To enable secret manager server, perform the following steps:

  1. Go to Configuration, click Alt, and select New > secrets > aws > secretsamanager > Server. Alt
  2. Enter a name for the secrets server in the Name field.
  3. Select the created AWS cloud connection, Secret Name and Region. Alt
  4. Click Save or Save and close.

Create an External Dictionary

After defining your external server connection, create a dictionary to associate with your environments:

To create an external dictionary, perform the following steps:

  1. Go to Environments, click Alt, and select New > secrets > aws> secretsmanager > Dictionary. Alt
  2. Enter a name for the AWS dictionary in the Name field.
  3. In the AWS Secrets Manager field, enter the name of the server connection you created earlier.
  4. In the Secret Names field, add one or more secret paths where key-value pairs are stored.
  5. Click Save or Save and close. Alt

Create an External Lookup Value Provider

Specify properties for a CI to be looked up in an external source. This is useful for sensiive data that are not part of a deployment package, such as hosts or cloud targets.

To create AWS Secrets Manager lookup provider, perform the following steps:

  1. Go to Configuration, click Alt, and select New > secrets > aws > secretsmanager > LookupValueProvider.
  2. Enter a name for the AWS lookup provider in the Name field.
  3. In the AWS Secrets Manager field, select the name of the server connection you created earlier.
  4. Click Save or Save and close.

Alt

Lookup Secrets

After creating an external lookup value provider, you can now select it and choose a key when configuring properties for certain CIs. For example, to store and resolve a password for a host CI:

  1. Go to Infrastructure, click Alt, and select New > overthere > SshHost.
  2. Enter the required fields for the CI.
  3. In the SU password field, click Value lookup toggle button and select the LookupProvider you created.
  4. Click Save or Save and Close.