AWS Secrets Manager
AWS Secrets Manager manages keys, secrets, and certificates in the AWS portal. Several functions in the Data Productivity Cloud require access to these resources.
Creating secrets in AWS Secrets Manager
- A secret can be used for hosting a password for the connection to a source database or for hosting a private key.
- If you need to store multiple passwords and keys, these should each be in a separate secret.
- Log into your AWS account. This should be the same account that you use with the Data Productivity Cloud.
- Browse to the AWS Secrets Manager service.
- Click Store a new secret.
- Select Other type of secret.
- In the Plaintext field, enter your secret as plain text. Clear the JSON formatting from the field first: if the key is stored in JSON format, the JSON parser returns a token error when the value is parsed out in the code.
- For the Encryption key field, we advise leaving it blank so that Secrets Manager automatically provisions the KMS key. If you opt to use a customer-managed KMS key instead, you will need to give your agent access to that key.
- Click Next.
- Give your secret a Secret name to identify it. The secret name will be used by the Data Productivity Cloud to locate and use the correct key.
  - You do not need to give individual Resource permissions, as this key is being used by services within the same account. Our best-practice guidelines are therefore to ignore this option.
- If you expect to access this key from another AWS account, consult your administrator for the required access permissions.
- This isn't the same as granting permission to other resources to access the key. Read Permissions after creating your secret for more information on this.
- Click Next, and then Next again on the Configure rotation page.
- Review your new secret and click Store when satisfied.
- Click back into your new secret and note down the Secret ARN. You may need to invoke the ARN within the Data Productivity Cloud—when you create an agent, for example.
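The steps above can also be scripted. The following is an added example, not Matillion's or AWS's own code: it refuses a JSON-formatted value before storing it (the token-error caveat from the Plaintext step), omits `KmsKeyId` so Secrets Manager provisions the default key unless a customer-managed key is passed explicitly, and returns the Secret ARN that you later need for the agent. The helper names `ensure_plaintext`, `build_create_secret_request` and `store_secret` are this example's own; `create_secret` is the real boto3 Secrets Manager call, and the client is passed in so the functions can be exercised without AWS access.

```python
"""Create a plaintext secret in AWS Secrets Manager following the steps above.

Added example, not part of the original documentation. Helper names are
hypothetical; boto3's create_secret(**kwargs) is the real API being wrapped.
"""
import json
import re

# Secret ARNs look like arn:<partition>:secretsmanager:<region>:<account>:secret:<name>-<suffix>
ARN_RE = re.compile(r"^arn:aws[a-z-]*:secretsmanager:[a-z0-9-]+:\d{12}:secret:.+$")


def ensure_plaintext(value: str) -> str:
    """Return the value unchanged unless it is a JSON object or array.

    The page notes that a key stored in JSON form causes a token error when
    the agent parses it, so such values are rejected before anything is stored.
    """
    if not isinstance(value, str) or not value.strip():
        raise ValueError("secret must be a non-empty string")
    stripped = value.strip()
    if stripped[0] in "{[":
        try:
            json.loads(stripped)
        except ValueError:
            return value  # starts like JSON but is not valid JSON; treat as raw text
        raise ValueError("secret is JSON-formatted; store the raw value instead")
    return value


def build_create_secret_request(name, value, kms_key_id=None, description=None):
    """Build the keyword arguments for boto3's create_secret.

    Leaving kms_key_id as None omits KmsKeyId entirely, so Secrets Manager
    provisions the default AWS managed key, as the page advises. Passing a
    customer-managed key id or alias means the agent must be granted use of it.
    """
    request = {"Name": name, "SecretString": ensure_plaintext(value)}
    if description:
        request["Description"] = description
    if kms_key_id:
        request["KmsKeyId"] = kms_key_id
    return request


def store_secret(client, name, value, kms_key_id=None):
    """Create the secret through a Secrets Manager client and return its ARN.

    `client` is anything exposing create_secret(**kwargs) and returning a dict
    with an "ARN" key (a real boto3 client, or a stand-in for offline use).
    """
    response = client.create_secret(**build_create_secret_request(name, value, kms_key_id))
    arn = response["ARN"]
    if not ARN_RE.match(arn):
        raise RuntimeError(f"unexpected ARN in response: {arn!r}")
    return arn  # note this down; the Data Productivity Cloud agent refers to it


if __name__ == "__main__":
    # Requires credentials for the same AWS account the Data Productivity Cloud uses.
    import boto3

    client = boto3.client("secretsmanager")
    print(store_secret(client, "dpc/source-db-password", "example-password"))
```

Storing a private key works the same way: pass the PEM text itself as `value`; it begins with `-----BEGIN`, so it passes the plaintext check, whereas wrapping it in `{"key": ...}` would be rejected.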
Your Data Productivity Cloud agent will require the following AWS Secrets Manager permission:
To learn more, read IAM Roles.