## Environment Variables

| Variable | Required | Notes |
|---|---|---|
| SECRETS_MANAGER_TYPE | Yes | Set to aws_secrets_manager. |
| SECRETS_MANAGER_REGION | Yes | AWS region for Secrets Manager API calls. |
| SECRETS_MANAGER_ACCESS_KEY_ID | Optional | Use with SECRETS_MANAGER_SECRET_ACCESS_KEY for static credentials. |
| SECRETS_MANAGER_SECRET_ACCESS_KEY | Optional | Use with SECRETS_MANAGER_ACCESS_KEY_ID for static credentials. |
| SECRETS_MANAGER_ROLE_ARN | Optional | Role to assume. |
| SECRETS_MANAGER_EXTERNAL_ID | Optional | External ID when required by role trust policy. |

Supported credential sources:

- Static access keys.
- Assume role (SECRETS_MANAGER_ROLE_ARN) with a valid base identity.
- Default AWS credential chain.
## Create AWS Resources and Credentials

- Pick the region where secrets will be stored.
- Create an IAM identity for wonderful-secrets:
  - User flow: IAM -> Users -> Create user.
  - Role flow: IAM -> Roles -> Create role.
- Grant Secrets Manager permissions. Minimum actions:
  - secretsmanager:GetSecretValue
  - secretsmanager:CreateSecret
  - secretsmanager:UpdateSecret
  - secretsmanager:DeleteSecret
  - secretsmanager:RestoreSecret
- If using static credentials:
  - IAM -> Users -> <user> -> Security credentials -> Create access key.
  - Copy Access key ID and Secret access key.
- If using role assumption:
  - IAM -> Roles -> <role> -> copy role ARN.
  - If trust policy requires external ID, copy that value too.
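The following is an added example, not code shipped with wonderful-secrets: a small shell function that emits an IAM policy document granting exactly the five minimum actions listed above. Restricting the Resource to a secret-name prefix (assumed here to be `wonderful-secrets/`, with a placeholder account id) is an added least-privilege refinement that the page does not require; attach the resulting policy to the user or role created in the steps above.

```shell
#!/bin/sh
# Added example (not part of wonderful-secrets): print a least-privilege IAM
# policy for the identity used by the aws_secrets_manager backend.
# The five actions are the minimum the documentation lists; the Resource
# restriction to a name prefix is an added hardening assumption.
wonderful_secrets_policy() {
    region="$1"                        # AWS region, e.g. us-east-1
    account_id="$2"                    # 12-digit account id (placeholder in the usage below)
    prefix="${3:-wonderful-secrets/}"  # assumed secret-name prefix the app may touch
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "WonderfulSecretsMinimum",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:CreateSecret",
        "secretsmanager:UpdateSecret",
        "secretsmanager:DeleteSecret",
        "secretsmanager:RestoreSecret"
      ],
      "Resource": "arn:aws:secretsmanager:${region}:${account_id}:secret:${prefix}*"
    }
  ]
}
EOF
}

# Usage (placeholder account id; constructed for illustration):
#   wonderful_secrets_policy us-east-1 123456789012 > wonderful-secrets-policy.json
```

The trailing `*` is needed because Secrets Manager appends a random suffix to every secret ARN, so an exact-name Resource would never match; keeping the prefix in place still prevents the identity from reading or deleting secrets that belong to other applications in the same account.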
## Map Credentials to Env Vars

| AWS value | Env var |
|---|---|
| Region | SECRETS_MANAGER_REGION |
| Access key ID | SECRETS_MANAGER_ACCESS_KEY_ID |
| Secret access key | SECRETS_MANAGER_SECRET_ACCESS_KEY |
| Role ARN | SECRETS_MANAGER_ROLE_ARN |
| External ID | SECRETS_MANAGER_EXTERNAL_ID |
## Local Switch Example

wonderful-secrets after changing these values.
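As an added example that is not part of wonderful-secrets, the POSIX shell function below checks the SECRETS_MANAGER_* variables before a local instance is switched to the aws_secrets_manager backend. It enforces the two required variables, rejects a lone access key id or secret (the table above says they are used together) and an external ID without a role, and reports which of the credential sources from the Environment Variables section the combination selects. The variable names come from the page; the function name and its output strings are this example's own.

```shell
#!/bin/sh
# Added example, not part of wonderful-secrets: validate SECRETS_MANAGER_*
# settings before restarting a local instance on the aws_secrets_manager backend.
# Prints the selected credential source; returns non-zero on a combination
# that cannot work.
secrets_manager_preflight() {
    # Both required variables must be present with usable values.
    if [ "${SECRETS_MANAGER_TYPE:-}" != "aws_secrets_manager" ]; then
        echo "SECRETS_MANAGER_TYPE must be aws_secrets_manager (got '${SECRETS_MANAGER_TYPE:-}')" >&2
        return 1
    fi
    if [ -z "${SECRETS_MANAGER_REGION:-}" ]; then
        echo "SECRETS_MANAGER_REGION is required" >&2
        return 1
    fi

    # Static keys only work as a pair: count how many of the two are set.
    static_parts=0
    [ -n "${SECRETS_MANAGER_ACCESS_KEY_ID:-}" ] && static_parts=$((static_parts + 1))
    [ -n "${SECRETS_MANAGER_SECRET_ACCESS_KEY:-}" ] && static_parts=$((static_parts + 1))
    if [ "$static_parts" -eq 1 ]; then
        echo "set both SECRETS_MANAGER_ACCESS_KEY_ID and SECRETS_MANAGER_SECRET_ACCESS_KEY, or neither" >&2
        return 1
    fi

    # An external ID is only meaningful together with a role to assume.
    if [ -n "${SECRETS_MANAGER_EXTERNAL_ID:-}" ] && [ -z "${SECRETS_MANAGER_ROLE_ARN:-}" ]; then
        echo "SECRETS_MANAGER_EXTERNAL_ID is set but SECRETS_MANAGER_ROLE_ARN is empty" >&2
        return 1
    fi

    # Report the credential source this combination selects.
    if [ -n "${SECRETS_MANAGER_ROLE_ARN:-}" ]; then
        if [ "$static_parts" -eq 2 ]; then
            echo "assume-role (base identity: static keys)"
        else
            echo "assume-role (base identity: default credential chain)"
        fi
    elif [ "$static_parts" -eq 2 ]; then
        echo "static-keys"
    else
        echo "default-chain"
    fi
}

# Usage: export the SECRETS_MANAGER_* variables, source this file, then run
#   secrets_manager_preflight || exit 1
# before restarting wonderful-secrets.
```

Because the check reads only the environment, it can run in the same shell or container entrypoint that will start the service, so a half-configured static-key pair or a stray external ID is caught before any Secrets Manager call is made.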
## What to Verify

- Run the smoke test from Secret Managers.
- Confirm secrets are created in AWS Secrets Manager.