Prerequisites:

  • Set up and add envars to Infisical Cloud
  • Set up AWS and have/create an IAM user
1

Grant the IAM user permissions to access AWS Secrets Manager

Navigate to your IAM user permissions and add a permission policy to grant access to AWS Secrets Manager.

For better security, here’s a custom policy containing the minimum permissions required by Infisical to sync secrets to AWS Secrets Manager for the IAM user that you can use:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSecretsManagerAccess",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:CreateSecret",
        "secretsmanager:UpdateSecret",
        "secretsmanager:DescribeSecret", // if you need to add tags to secrets
        "secretsmanager:TagResource", // if you need to add tags to secrets
        "secretsmanager:UntagResource", // if you need to add tags to secrets
        "kms:ListKeys", // if you need to specify the KMS key
        "kms:ListAliases", // if you need to specify the KMS key
        "kms:Encrypt", // if you need to specify the KMS key
        "kms:Decrypt" // if you need to specify the KMS key
      ],
      "Resource": "*"
    }
  ]
}
2

Authorize Infisical for AWS Secrets Manager

Obtain a AWS access key ID and secret access key for your IAM user in IAM > Users > User > Security credentials > Access keys

Navigate to your project’s integrations tab in Infisical.

Press on the AWS Secrets Manager tile and input your AWS access key ID and secret access key from the previous step.

3

Start integration

Select how you want to integration to work by specifying a number of parameters:

Project Environment
string
required

The environment in Infisical from which you want to sync secrets to AWS Secrets Manager.

Secrets Path
string
required

The path within the preselected environment form which you want to sync secrets to AWS Secrets Manager.

AWS Region
string
required

The region that you want to integrate with in AWS Secrets Manager.

Mapping Behavior
string
required

How you want the integration to map the secrets. The selected value could be either one to one or one to many.

AWS SM Secret Name
string
required

The secret name/path in AWS into which you want to sync the secrets from Infisical.

Optionally, you can add tags or specify the encryption key of all the secrets created via this integration:

Secret Tag
string

The Key/Value of a tag that will be added to secrets in AWS. Please note that it is possible to add multiple tags via API.

Encryption Key
string

The alias/ID of the AWS KMS key used for encryption. Please note that key should be enabled in order to work and the IAM user should have access to it.

Then, press Create Integration to start syncing secrets to AWS Secrets Manager.

Infisical currently syncs environment variables to AWS Secrets Manager as key-value pairs under one secret. We’re actively exploring ways to help users group environment variable key-pairs under multiple secrets for greater control.

Please note that upon deleting secrets in Infisical, AWS Secrets Manager immediately makes the secrets inaccessible but only schedules them for deletion after at least 7 days.