# Secrets manager

To avoid storing passwords in your OPA config file, you may opt to configure the OPA to retrieve the passwords from an external secrets manager. This allows you to manage and rotate your passwords in the external secrets manager without having to re-configure the OPA each time the passwords change.

# How to setup the OPA Secrets Manager

Provide a secrets profile in your OPA config file.

Field Description
provider The secrets manager. Only AWS Secrets Manager is currently supported.
The region of the secrets manager.
  provider: aws
  region: us-west-1

Next, in the database profile specify which secret to retrieve from the secrets manager.

Use the { secret: '<name>'} format in place of the actual password.

    adapter: sqlserver
    host: localhost
    port: 1433
    database: test
    username: admin
    password: password

    adapter: sqlserver
    host: localhost
    port: 1433
    database: test
    username: { secret: '/workato/opa/sqlserver/username' }
    password: { secret: '/workato/opa/sqlserver/password' }

# AWS Secrets Manager

Connect AWS Secrets Manager (opens new window) directly to the on-premise agent by providing the AWS region in the OPA config file.

Do not store AWS connection credentials within the OPA config file

You do not need to store your AWS connection credentials in the OPA config file. The OPA uses the Default Credential Provider Chain (opens new window) to authenticate its requests to AWS.

# How to setup AWS Secrets Manager


Navigate to the AWS Secrets Manager (opens new window). Select Store a new secret.

AWS Secrets Manager AWS Secrets Manager


Select Other type of secrets and provide the credential as plaintext.

Note: Store the AWS secret value as a raw string (instead of key/value pairs). OPA will get the secret from AWS Secrets Manager and pass the value as-is.

AWS Secrets Manager AWS Secrets Manager


Give this secret a name. This name will be used in your OPA config file to lookup the right password. In this example, since the secret name is /workato/opa/sqlserver/sales_db_password, then the password value to use in the OPA config file is { secret: '/workato/opa/sqlserver/sales_db_password'}.


Lastly, specify if you are using a key rotation.