# Configuring AWS Secrets Manager for On-Prem Agent

In this guide, we'll show you how to use Amazon Web Services Secrets Manager with Workato's On-Prem Agent (OPA) to store database credentials.

When configured, OPA uses the Default Credential Provider Chain to authenticate its requests to AWS, so you don't need to store any credentials in your OPA config file. See Amazon Web Services (AWS) Secrets Manager.

Alternatively, you can manage access at the project level: change the secrets manager settings so that connections in a project use the IAM role specified in that project's settings. This lets you create project-specific IAM roles that limit the use of secrets to connections within the project. See Amazon Web Services (AWS) Secrets Manager for projects.


# Prerequisites

To configure AWS Secrets Manager to work with OPA, you'll need:


# Step 1: Create the Secret in AWS

1. Log in to your AWS console.

2. Use the search bar at the top of the page to open AWS Secrets Manager.

3. Click the Store a new secret button.

4. On the Step 1 - Choose secret type page:

   1. In the Secret type section, click Other type of secret.

   2. In the Key/value pairs section, click the Plaintext option.

   3. In the Plaintext field, enter the password itself, not a JSON key/value document. OPA retrieves the secret string and passes it to the database as-is.

      Your configuration should look like the following:

      Image: Configured Secret Type page in AWS Secrets Manager

   4. Click Next.

5. On the Step 2 - Configure secret page:

   1. Fill in the following fields:

      • Secret name: Enter a name for the secret. You'll add this value to your OPA config file in the next section, which is how OPA finds the correct password.
      • Description (optional): Enter a brief description of the secret.

      Image: Configure Secret page in AWS Secrets Manager

   2. When finished, click Next.

6. Optional: On the Step 3 - Configure rotation page, configure rotation for the secret if desired. When finished, click Next.

7. On the Step 4 - Review page:

   1. Review the secret's details.

   2. If everything looks fine, click Store to create and store the secret.


# Step 2: Configure the OPA Config File

NO CREDENTIALS NEEDED

When configured, OPA uses the Default Credential Provider Chain to authenticate its requests to AWS. This eliminates the need to store any credentials, whether for AWS Secrets Manager or for a database, in your OPA config file. The IAM identity that the chain resolves to on the OPA host (for example, an instance profile role or a named profile) must be allowed to call secretsmanager:GetSecretValue on the secrets OPA will read.

In this step, you'll add info about your secrets manager to your OPA configuration file.

1. In your OPA config file, add a secrets section with provider and region keys:

   ```yaml
   secrets:
     provider: aws
     region: <YOUR_REGION>
   ```

2. For provider, enter aws.

3. For region, enter the region in which you created the secret. Secrets Manager is a regional service, so OPA only finds the secret if this value matches the region where it is stored:

   ```yaml
   secrets:
     provider: aws
     region: us-east-1
   ```

   You can find this info in your AWS console by clicking the region menu at the top of the page, located next to the user menu:

   Image: Configure Secret page in AWS Secrets Manager

   In this example, the region is us-east-1.

4. Save the file.


# Step 3: Configure the Database Profile

To wrap things up, you'll specify which secret to use in the database's profile.

1. In the config file, navigate to the database's profile.

2. In the password key, use { secret: '<SECRET_NAME>' } to specify the secret. The <SECRET_NAME> must match the name of the secret you created in Step 1:

   ```yaml
   database:
     sales_database:
       adapter: sqlserver
       host: localhost
       port: 1433
       database: test
       username: sales_user
       password: { secret: 'sales-db-password-password' }
   ```

3. Save the file.
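To check a finished config before restarting OPA, the following Python script (an added example, not Workato's code) audits a config file for database profiles that still carry a plaintext password, collects the secret names referenced with `{ secret: ... }`, and emits a least-privilege IAM policy that grants only `secretsmanager:GetSecretValue` on those secrets in the configured region. The sample config, the account ID 123456789012 and the function names are constructed for this example; the line-based matching assumes the two-space indentation shown in this guide rather than a full YAML parser.

```python
"""Audit an OPA config for plaintext database passwords and derive a
least-privilege IAM policy for the secrets it references.

Added example, not Workato's code. It assumes the layout used in this guide
(a top-level `secrets:` section and two-space-indented profiles under
`database:`) and matches lines with regular expressions instead of a YAML
parser, so it needs only the standard library.
"""
import json
import re

# Constructed sample config: one profile already uses a secret reference,
# one still carries a literal password.
SAMPLE_CONFIG = """\
secrets:
  provider: aws
  region: us-east-1
database:
  sales_database:
    adapter: sqlserver
    host: localhost
    port: 1433
    database: test
    username: sales_user
    password: { secret: 'sales-db-password' }
  legacy_database:
    adapter: sqlserver
    host: legacy.internal
    port: 1433
    database: legacy
    username: legacy_user
    password: Hunter2!
"""

REGION_LINE = re.compile(r"^\s*region:\s*(\S+)\s*$")
PROFILE_LINE = re.compile(r"^  ([A-Za-z0-9_-]+):\s*$")  # `  <profile>:` under database:
SECRET_REF = re.compile(
    r"^\s*password:\s*\{\s*secret:\s*['\"]?([^'\"\s}]+)['\"]?\s*\}\s*$"
)
LITERAL_PASSWORD = re.compile(r"^\s*password:\s*(?!\{)\S")


def audit_config(text):
    """Return (region, {profile: secret_name}, [profiles with literal passwords])."""
    region = None
    profile = None
    secret_refs = {}
    literal = []
    for line in text.splitlines():
        m = REGION_LINE.match(line)
        if m and region is None:
            region = m.group(1)
            continue
        m = PROFILE_LINE.match(line)
        if m:
            profile = m.group(1)
            continue
        m = SECRET_REF.match(line)
        if m:
            secret_refs[profile] = m.group(1)
        elif LITERAL_PASSWORD.match(line):
            literal.append(profile)
    return region, secret_refs, literal


def least_privilege_policy(region, account_id, secret_names):
    """IAM policy allowing GetSecretValue only on the named secrets.

    Secrets Manager appends a random six-character suffix to every secret ARN,
    so the resource pattern ends in `-??????` (IAM single-character wildcards)
    rather than `*`, which would also match `<name>-anything-else`.
    """
    resources = [
        f"arn:aws:secretsmanager:{region}:{account_id}:secret:{name}-??????"
        for name in sorted(set(secret_names))
    ]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "secretsmanager:GetSecretValue",
                "Resource": resources,
            }
        ],
    }


if __name__ == "__main__":
    region, refs, literal = audit_config(SAMPLE_CONFIG)
    for name in literal:
        print(f"WARNING: profile {name!r} still stores a plaintext password")
    policy = least_privilege_policy(region, "123456789012", refs.values())
    print(json.dumps(policy, indent=2))
```

Attach the generated policy to the role or user that the Default Credential Provider Chain resolves to on the OPA host. If the secret is encrypted with a customer-managed KMS key rather than the AWS-managed key for Secrets Manager, the same identity also needs kms:Decrypt on that key.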