# Setting up Secrets Management for Projects

As an alternative to an individual secret for each user, you can manage access at the level of the project.

You must change the secrets manager settings so that connections in the project use the role specified in the project settings. Customers can then create project-specific IAM roles to limit the use of secrets to connections within that project.

WARNING

Switching to project-specific secrets management causes all previously configured external secrets references to stop working. Projects that use secrets stored in AWS Secrets Manager must be set up individually in Project settings.

NOTE

The example in this article demonstrates a simple configuration of the AWS external role ID without changing the IAM permissions policy.

If your organization requires different roles scoped to different access permissions, we recommend that you configure these new permissions by scoping them to specific secret resources. This gives you more granular control over which connection credentials each project can use.

After your AWS Secrets Manager successfully connects to Workato, you can start using secrets when configuring connections.


# Prerequisites

To complete the steps in this guide, you must have the following:

  • In Workato:

    • An account with the Data Monitoring/Advanced Security & Compliance add-on. For more information, contact your Workato Customer Success Manager.
  • In Amazon Web Services (AWS):

    • Permissions that allow you to create and modify IAM permissions policies
    • Permissions that allow you to create and modify IAM roles

# Step 1: Select the scope for secrets management

1. Sign in to your Workato account.

2. Navigate to Settings > Secrets management.

3. Select the Scope option Set up secrets management for each project individually.

   Screenshot: Workato secrets management, selecting project scope

   If you have previously set up Secrets Management at the Workspace level, Workato notifies you that All previously configured references to external secrets will stop working.

   Remember that you must now set up secrets in each project individually.

4. Click Save changes.

5. If you are switching Secrets management scopes, confirm that you are switching from secrets management at the workspace level to the project level when prompted.

   Screenshot: Workato secrets management, confirm project level

6. Click Use project-specific secrets.

# Step 2: Select the project

1. Log in to Workato and navigate to your projects.

2. Select the project that you plan to configure with secrets management.

3. Navigate to Settings > Secrets management.

   Screenshot: Secrets management interface of a project

4. Select AWS secrets manager in the Which secrets manager do you want to use? field.

5. Choose a guide for the next steps in the process:

   • Create a new permission policy and role in AWS
   • Add the role to your Workato account

   Screenshot: Next steps in Workato

# Step 3: Select the AWS Account ID and external ID

1. In the Create a new permission policy and role in AWS guide detail, Workato displays the IAM details. Note them for use in the following steps:

   • AWS Account ID: Copy the AWS Account ID value for use in the ongoing configuration of the secrets manager.
   • External ID for ProjectName: Copy the value for use in the ongoing configuration of the secrets manager. Here, we configure access to the project WorkatoDB_Project1. The value should be of the form workato_iam_external_id_wwwww_pppp, where wwwww is the ID of the Workato workspace and pppp is the ID of the project.

   Screenshot: ID values for AWS project secrets manager


# Step 4: Create an AWS IAM role for your Workato project

Refer to IAM role-based authentication for AWS for instructions on how to create an IAM role for Workato and, if needed, an IAM permissions policy.
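The following is an added example, not Workato's or AWS's own code, that ties together the note on scoping permissions to specific secret resources and the external ID format shown in Step 3. It builds the two policy documents the project role needs (a trust policy bound to the project's external ID, and a permissions policy limited to named secrets) and runs the checks a reviewer would apply before attaching the role. The account IDs, region and secret name are constructed placeholders; the assumption that Workato assumes the role through sts:AssumeRole from its own AWS account, and that the connection needs only secretsmanager:GetSecretValue and secretsmanager:DescribeSecret, is ours and should be confirmed against the IAM role-based authentication guide.

```python
"""Added example (not Workato's code): build and lint the IAM policy documents
for a project-scoped Workato role.

Assumptions (not stated on the page):
- Workato assumes the role via sts:AssumeRole from its own AWS account, so the
  trust policy names that account and binds it to the project's external ID.
- The connection needs only secretsmanager:GetSecretValue / DescribeSecret.
"""
import json
import re
from typing import Dict, List

# Constructed placeholders; take the real values from the project's
# Secrets management page (Step 3) and from your own AWS account.
WORKATO_ACCOUNT_ID = "111111111111"                 # placeholder for the AWS Account ID Workato shows
EXTERNAL_ID = "workato_iam_external_id_wwwww_pppp"  # shape documented in Step 3
YOUR_ACCOUNT_ID = "222222222222"                    # placeholder for your AWS account
REGION = "us-east-1"                                # placeholder region

# Assumed ID shape from the page's wwwww/pppp placeholders; the workspace and
# project segments are treated as alphanumeric here.
EXTERNAL_ID_RE = re.compile(r"^workato_iam_external_id_([A-Za-z0-9]+)_([A-Za-z0-9]+)$")


def parse_external_id(external_id: str) -> Dict[str, str]:
    """Return the workspace and project IDs embedded in a Workato external ID,
    or raise if the value does not have the documented shape."""
    m = EXTERNAL_ID_RE.match(external_id)
    if not m:
        raise ValueError(f"unexpected external ID format: {external_id!r}")
    return {"workspace_id": m.group(1), "project_id": m.group(2)}


def trust_policy(workato_account_id: str, external_id: str) -> dict:
    """Trust policy: only the Workato account may assume the role, and only
    when it presents this project's external ID (confused-deputy protection)."""
    parse_external_id(external_id)  # fail early on a mistyped ID
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{workato_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def secret_arn(region: str, account_id: str, secret_name: str) -> str:
    """ARN pattern for one secret; the trailing '-*' matches the random
    suffix AWS appends to secret names."""
    return f"arn:aws:secretsmanager:{region}:{account_id}:secret:{secret_name}-*"


def permissions_policy(secret_arns: List[str]) -> dict:
    """Permissions policy scoped to the listed secrets only (the page's
    recommendation) instead of Resource '*'."""
    if not secret_arns:
        raise ValueError("scope the policy to at least one secret")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
            "Resource": sorted(secret_arns),
        }],
    }


def lint_policies(trust: dict, perms: dict) -> List[str]:
    """Review checks before attaching the role: every trust statement carries a
    well-formed sts:ExternalId condition, and no statement grants every secret."""
    findings = []
    for st in trust["Statement"]:
        cond = st.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in cond:
            findings.append("trust policy statement lacks sts:ExternalId condition")
        elif not EXTERNAL_ID_RE.match(cond["sts:ExternalId"]):
            findings.append("sts:ExternalId does not look like a Workato project external ID")
    for st in perms["Statement"]:
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        for r in resources:
            if r == "*" or r.endswith(":secret:*"):
                findings.append(f"permissions policy grants access to every secret: {r}")
    return findings


if __name__ == "__main__":
    # Constructed secret name for the WorkatoDB_Project1 project used on the page.
    project_secrets = [secret_arn(REGION, YOUR_ACCOUNT_ID, "WorkatoDB_Project1/db-credentials")]
    trust = trust_policy(WORKATO_ACCOUNT_ID, EXTERNAL_ID)
    perms = permissions_policy(project_secrets)
    print(json.dumps(trust, indent=2))
    print(json.dumps(perms, indent=2))
    print("lint findings:", lint_policies(trust, perms) or "none")
```

Running the module prints the two JSON documents ready to paste into the IAM console. Because each project gets its own external ID, a role created this way cannot be assumed on behalf of a different project even if the same Workato account is trusted, and the lint rejects the common shortcut of granting `secretsmanager:*` on `Resource: "*"`.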

# Step 5: Retrieve and add the role ARN in Workato

You must complete the following steps to finalize the setup:


Last updated: 1/2/2024, 7:18:05 PM