# Setting up Secrets Management for Projects

As an alternative to an individual secret for each user, you can manage access at the level of the project.

You must change the secrets manager settings so that connections in a project use the role specified in that project's settings. You can then create project-specific IAM roles that limit the use of secrets to connections within that project.

WARNING

Switching to project-specific secrets management causes all previously configured external secrets references to stop working. Projects that use secrets stored in AWS Secrets Manager must be set up individually in Project settings.

NOTE

The example in this article demonstrates a simple configuration of the AWS external role ID without changing the IAM permissions policy.

If your organization requires different roles scoped to different access permissions, we recommend that you configure these new permissions by setting the scope to specific secret resources. This enables you to have more granular control over which connection credentials to use in each project.


# Prerequisites

To complete the steps in this guide, you must have the following:

  • In Workato:

    • An account with Advanced Security & Compliance functionality. For more information, contact your Workato Customer Success Manager.
  • In Amazon Web Services (AWS):

    • Permissions that allow you to create and modify IAM permissions policies
    • Permissions that allow you to create and modify IAM roles

# Step 1: Select the scope for secrets management

1. Sign in to your Workato account.

2. Navigate to Settings > Secrets management.

3. In Scope, select the option “Set up secrets management for each project individually”.

   Workato secrets management, selecting project scope

4. If you have previously set up Secrets Management at the Workspace level, Workato notifies you that “All previously configured references to external secrets will stop working.” Remember that you must now set up secrets in each project individually.

5. Click Save changes.

6. If you are switching Secrets management scopes, Workato asks you to confirm switching from secrets management at the workspace level to the project level.

   Workato secrets management, confirm project level

   Click Use project-specific secrets.

# Step 2: Select the project

1. In Workato, navigate to your projects.

2. Select the project that you plan to configure with secrets management.

3. In the project, navigate to Settings > Secrets management.

   Secrets management interface of a project

4. In the Which secrets manager do you want to use? field, select AWS secrets manager.

5. The Workato interface displays guides for the next steps of the process:

   • Create a new permission policy and role in AWS; see Step 4
   • Add the role to your Workato account; see Step 5

   Next steps in Workato

# Step 3: Select the AWS Account ID and external ID

1. In the Create a new permission policy and role in AWS guide detail, Workato displays the IAM details. Note them for use in the following steps:

   AWS Account ID
   Copy the AWS Account ID value, to use in the remaining configuration of the secrets manager.

   External ID for ProjectName
   Copy the value, to use in the remaining configuration of the secrets manager. Here, we configure access to the project WorkatoDB_Project1. The value has the form workato_iam_external_id_wwwww_pppp, where wwwww is the ID of the Workato workspace and pppp is the ID of the project.

   ID values for AWS project secrets manager

2. Do not close this interface; you use it to complete Step 5.2: Add the role ARN in Workato.


# Step 4: Create an AWS IAM role for your Workato project

# Step 4.1: Create an IAM permissions policy

1. Sign in to your AWS Management Console and open the IAM console.

2. In the navigation pane, click Access management > Policies.

3. Click Create Policy.

4. On the Create policy page, complete these tasks:

   1. In the Service field, find and select Secrets Manager.

   2. In the Actions field, select the DescribeSecret and GetSecretValue permissions.

   3. In the Resources field, specify the secrets to which you want the role to have access.

   BEST PRACTICE

   Workato recommends that you grant access to specific secrets. Refer to Amazon's documentation for more information about using condition keys to grant minimal permissions.

   The page should look similar to the following:

   Configured IAM access policy in the AWS Create Policy screen

   4. Click Next until you reach the Review policy page.

5. Enter the Name for the policy.

6. When finished, click Create policy.

# Step 4.2: Configure the IAM role

1. In the navigation pane, click Access management > Roles.

2. On the Roles page, click Create role.

3. On the Step 1 - Select trusted entity page, complete the following tasks:

   1. For Trusted entity type, select AWS account.

   2. In the An AWS account section, select Another AWS account.

   3. In the Account ID field, paste the value that you copied from the AWS Account ID field in Workato.

   4. In the Options section, check the Require external ID box.

   5. In the External ID field, paste the value that you copied from the External ID field in Workato. The page should look similar to this:

   Select Trusted Entity Page in AWS Create Role

4. Click Next.

5. On the Step 2 - Add permissions page, select the policy you created in the previous step.

6. Click Next.
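The IAM console builds two JSON documents from Steps 4.1 and 4.2: the permissions policy (only DescribeSecret and GetSecretValue, on named secrets) and the role's trust policy (the Workato account as principal, gated by the project's external ID). The following is an added example, not Workato's or AWS's code; it reconstructs both documents as Python dicts and lints them for the points the page recommends. The account ID, external ID and secret ARN are constructed placeholders, and the lint assumes numeric workspace and project IDs in the external ID.

```python
"""Added example, not Workato's or AWS's code: the two IAM documents that Steps 4.1 and 4.2
produce, built as Python dicts, plus a lint for the least-privilege points the page calls out."""
import json
import re

# Constructed placeholder values; take the real ones from the Workato Secrets management page.
WORKATO_AWS_ACCOUNT_ID = "111111111111"
EXTERNAL_ID = "workato_iam_external_id_12345_6789"  # workato_iam_external_id_<workspace>_<project>
SECRET_ARNS = ["arn:aws:secretsmanager:us-east-1:222222222222:secret:prod/db-creds-AbCdEf"]

ALLOWED_ACTIONS = {"secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue"}
# Assumes numeric workspace and project IDs, as in the page's wwwww_pppp pattern.
EXTERNAL_ID_RE = re.compile(r"^workato_iam_external_id_\d+_\d+$")

def permissions_policy(secret_arns):
    """Step 4.1: allow only DescribeSecret and GetSecretValue on the listed secrets."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": sorted(ALLOWED_ACTIONS), "Resource": list(secret_arns)}]}

def trust_policy(workato_account_id, external_id):
    """Step 4.2: trust the Workato account, but only when it presents this project's external ID."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": f"arn:aws:iam::{workato_account_id}:root"},
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}}}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint(perm, trust):
    """Return findings; an empty list means both documents match the page's recommendations."""
    findings = []
    for st in perm["Statement"]:
        extra = set(_as_list(st["Action"])) - ALLOWED_ACTIONS
        if extra:
            findings.append(f"permissions: unexpected actions {sorted(extra)}")
        if any(r == "*" or r.endswith(":secret:*") for r in _as_list(st["Resource"])):
            findings.append("permissions: wildcard resource; scope to specific secret ARNs")
    for st in trust["Statement"]:
        ext = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            findings.append("trust: missing sts:ExternalId condition (confused-deputy risk)")
        elif not EXTERNAL_ID_RE.match(ext):
            findings.append(f"trust: external ID {ext!r} does not match Workato's pattern")
    return findings

if __name__ == "__main__":
    perm, trust = permissions_policy(SECRET_ARNS), trust_policy(WORKATO_AWS_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(perm, indent=2)); print(json.dumps(trust, indent=2))
    print("findings:", lint(perm, trust))
```

Running `lint` against the JSON shown on the role's Trust relationships tab is a quick way to confirm that the Require external ID box actually produced the `sts:ExternalId` condition before you hand the role ARN to Workato.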

# Step 4.3: Create the Role

On the Step 3 - Name, review, and create page:

1. In the Role name field, enter a name for the role.

2. Review the role's configuration and make changes as needed.

3. When finished, click Create role.


# Step 5: Add the Role ARN in Workato

# Step 5.1: Retrieve the Role ARN in AWS

After the role has been created, retrieve its role ARN to complete the setup in Workato.

1. Navigate to the Access Management > Roles page.

2. Locate the role you created and click to open it.

3. On the role's details page, locate the Summary section and the ARN field:

   Highlighted ARN field in the Summary section of the role's details page in AWS

4. Copy the ARN; you need it to complete the next step.

# Step 5.2: Add the Role ARN in Workato

1. Return to the browser tab where your Workato project settings page is open (Project Settings > Secrets management).

2. Under Add the role to your Workato account, paste the ARN value in the Role ARN field.

   Add Role ARN to Workato

3. Click Save changes.


# What's Next?

After your AWS Secrets Manager successfully connects to Workato, you can start using secrets when configuring connections.


Last updated: 3/17/2023, 4:33:56 AM