Skip to content

Add agent credentials to AWS Secrets Manager

This page is a guide to adding your agent credentials to AWS Secrets Manager.

This only applies to customer hosted agents in a Hybrid SaaS solution.

Adding agent credentials to Secrets Manager ensures that, when using an agent you are hosting in your own cloud infrastructure, your credentials aren't passed to the Matillion control plane, keeping your secrets in your own infrastructure. Even when a pipeline refers to a secret, it's resolved at run time by the agent, with only references to the secret being stored in the Data Productivity Cloud.

Locate your agent credentials

  1. Log in to Hub.
  2. Click Platform Navigation and choose Matillion Start.
  3. Choose Manage Agents.
  4. Select an agent. If you haven't created one yet, read Create an agent.
  5. In Agent details, scroll down to Credentials.
  6. Click Reveal credentials.

Add your credentials to AWS Secrets Manager

  1. Log in to the AWS Console.
  2. Once logged in, type "Secrets Manager" in the search bar and click Secrets Manager.
  3. Click Store a new secret.
  4. Choose the tile labelled Other type of secret.
  5. Add two key:value pairs:
Key Value
client_id The value of the client ID located via Matillion StartManage Agents → select an agent → Agent DetailsCredentialsReveal credentials.
client_secret The value of the client secret located via Matillion StartManage Agents → select an agent → Agent detailsCredentialsReveal credentials.
  1. Click Next.
  2. Name the secret and provide a secret description. Click Next.
  3. Click Next again unless you wish to configure rotation settings.
  4. Review the secret and click Store. You'll return to Secrets. Refresh the page.

Retrieve the ARN of your new secret

  1. While in the Secrets dashboard of AWS Secrets Manager, click the name of your new secret.
  2. In the Secret details container, copy the Secret ARN and save this value for later to reference it in the task definition.

You may need provide permissions to the new secret by adding access to your new ARN to the IAM ECS task execution role that is referenced by the Task definition. For more information see ECS task role heading under AWS IAM roles.