HashiCorp Developer AI Private beta now available Sign up today
HashiCorp Cloud Platform
HashiCorp Cloud Platform Home

Integrate with AWS Secrets Manager

HCP Vault Secrets allows users to automatically synchronize application secrets to AWS Secrets Manager. This guide walks you through the configuration process.

Prerequisites:

  • Ability to create AWS IAM roles
  • Ability to create AWS IAM policies
  • An Admin role in an HCP Project
  • An HCP Vault Secrets application and secret(s)

Configuration

  1. Navigate to the HCP Vault Secrets app you would like to integrate with your AWS account. From the sidebar, select Integrations then click on the AWS Secrets Manager card to initiate the setup.

    Integration - AWS Sync

    If this is your first time configuring an AWS integration, you will be presented with four fields:

    • Destination Name is the unique identifier and display name for this integration. It cannot be changed.
    • External ID is a unique auto-generated value used in your AWS account to securely delegate access to HCP Vault Secrets. It will be needed when configuring your AWS IAM role.
    • Role ARN is a AWS IAM role identifier that HCP Vault Secrets will assume in your AWS account. Instructions to provision this role can be found below.
    • Region is the AWS region where your app secrets will be stored.

    Add sync destination UI

  2. Once all fields are populated, click Save and sync secrets to complete the configuration process. It will immediately sync all your existing app secrets into your AWS Secrets Manager.

Going forward, all modification to the app's secrets are automatically replicated in your AWS account almost instantly.

Create IAM Role

The following sections provide step-by-step guidance to configure the AWS IAM role in your AWS account that HCP Vault Secrets will assume using the AWS console or HashiCorp Terraform.

  1. Navigate to the Create New Policy section in the AWS IAM service

    1. Select the JSON tab

    2. Paste the following into the permissions policy editor:

      {
   "Version": "2012-10-17",
   "Statement": [
      {
            "Sid": "HCPVaultSecretsAccess",
            "Effect": "Allow",
            "Action": [
               "secretsmanager:DescribeSecret",
               "secretsmanager:GetSecretValue",
               "secretsmanager:CreateSecret",
               "secretsmanager:PutSecretValue",
               "secretsmanager:UpdateSecret",
               "secretsmanager:UpdateSecretVersionStage",
               "secretsmanager:DeleteSecret",
               "secretsmanager:RestoreSecret",
               "secretsmanager:TagResource",
               "secretsmanager:UntagResource"
            ],
            "Resource": "*"
      }
   ]
}

    3. Optionally provide tags

    4. Name your policy

    5. Click Create Policy

  2. Navigate to the Create New Role section in the AWS IAM service

    1. Select Custom trust policy option

    2. Paste the following into the trust policy editor:

      {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::879554817125:role/HCPVaultSecrets_Sync"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "<AWS_EXTERNAL_ID>"
                }
            }
        }
    ]
}

    3. Populate the <AWS_EXTERNAL_ID> value with the AWS External ID of your HCP project.

      Note

      Your External ID can be found by navigating to the AWS sync integration page in HCP.

    4. Attach the Policy that was created in the previous step

    5. Name your role

    6. Click Create Role

  3. View the Role you created and copy its ARN

  4. You now have everything you need to complete the configuration process!