Ataccama ONE Agentic Cloud Portal ONE Desktop ONE DQ&C ONE MDM ONE RDM ONE Runtime Server
latest (17.0.0) 16.3.0 16.2.0 16.1.0 16.0.0 15.4.0 15.3.0 15.2.0 15.1.0 14.5.x 13.9.x 13.8.x 13.7.x 13.6.x 13.5.0 13.4.x 13.3.x 13.2.x
User Community Service Desk Downloads

AWS Secrets Manager Integration

Integrate ONE with AWS Secrets Manager to retrieve secrets when connecting to data sources.

Create new AWS Secrets Manager integration

  1. Go to Global Settings > Application Settings > Secret Management.

    Add new service

  2. Select Add.

  3. Provide the following information:

    • General

      1. Provider: The key vault or secret manager you are connecting to. Select AWS Secrets Manager.

      2. Name: A unique name for this service.

      3. Description (Optional): A description for this service.

      4. Endpoint: The complete URL of the AWS Secrets Management Service. For more information, see the AWS Secrets Manager endpoints and quotas documentation.

        For example, for the us-east-2 region, the endpoint is: secretsmanager.us-east-2.amazonaws.com.

      5. AWS Secret Name: The secret name as defined in AWS Secrets Manager. Secrets in AWS are stored as key/value pairs. For example: dev-test-credentials.

        AWS Secrets Manager - Create secret

      6. AWS Region: The AWS region where the secret is stored. Select the region that matches your AWS Secrets Manager configuration.

    • Authentication method: Select AWS Access Key Credentials.

      To use access key credentials, the connecting user requires the following permissions in AWS:

      • secretsmanager:GetSecretValue: Allows getting all secret values from the secret name.

      • secretsmanager:DescribeSecret: Allows describing the secret name.

      • secretsmanager:ListSecrets: Allows listing all secret names.

      Example IAM policy 
      {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadSpecificSecret",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret"
            ],
            "Resource": [
                "arn:aws:secretsmanager:eu-central-1:550762553500:secret:di-test-credentials-cw1JVS"
            ]
        },
        {
            "Sid": "ListSpecificSecret",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:ListSecrets"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

      1. Name: A unique name for the credentials.

      2. Description (Optional): A description for this service.

      3. Access Key: The AWS access key ID.

      4. Secret Key: The AWS secret access key.

      5. Enable assumed role (Optional): Turned off by default. Select this option if you need to assume an IAM role to access secrets.

        • Access Key with Assumed Role

          Use this method when you need to assume an IAM role to access secrets, for example, in cross-account setups.

          To use access key credentials with assumed role, the assumed role must have the following permissions in AWS:

          • secretsmanager:GetSecretValue: Allows getting all secret values from the secret name.

          • secretsmanager:DescribeSecret: Allows describing the secret name.

          • secretsmanager:ListSecrets: Allows listing all secret names.

          Provide the following:

          AWS Secrets Manager Assume Role configuration

      6. Amazon Resource Name (ARN): The ARN of the IAM role you want to assume. For example: arn:aws:iam::123456789123:role/myAwesomeRole.

      7. External ID: If the role’s trust relationship in AWS uses an external ID for cross-account access, enter it here. For example: prod-eu.

        This field is required if using a cross-account S3 connection setup.

      8. Session Name: A name for the session to identify the connection in AWS logs. The value must consist of uppercase and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _, =, ,, ., @, -.

        You can provide a default value, such as Ataccama_One.

      9. STS Region: The AWS region in which you want to use the STS service. For example: eu-central-1 or us-east-1.

  4. Select Test to test the connection.

    If the connection is successful, select Save. Otherwise, verify that your configuration is correct.

Usage examples

Example using username and password

  1. In Data Catalog > Sources > [your source] > Add Connection, select Add Credentials.

  2. Select Credential type from the options provided:

    • Username and password

      Configure credentials username and password

      1. Name: A unique name for this set of credentials.

      2. Description (Optional): A description for this service.

      3. Select a secret management service: Select the AWS Secrets Manager you configured.

      4. Username

        1. Select the Use secret management service option.

          You can enable Use secret management service to retrieve the username, but it is not necessary as usernames can generally be shared and entered manually.

        2. Username (secret name): Enter the key name under which the username is stored in your AWS secret’s key/value pairs.

      5. Password

        1. Select the Use secret management service option.

        2. Password (secret name): Enter the key name under which the password is stored in your AWS secret’s key/value pairs.

          The secret name refers to the key in the key/value pair stored within the AWS secret you specified when configuring the integration.

  3. Select Test to test the connection. If the connection is successful, select Save. Otherwise, verify that your configuration is correct.

Was this page useful?