# Setting up Secrets Management for Projects
As an alternative to an individual secret for each user, you can manage access at the project level.
You must change the Secrets management settings so that connections in a project use the role specified in that project's settings. You can then create project-specific IAM roles that limit the use of each secret to connections within that project.
WARNING
Switching to project-specific secrets management causes all previously configured external secrets references to stop working. Projects that use secrets stored in AWS Secrets Manager must be set up individually in Project settings.
NOTE
The example in this article demonstrates a simple configuration of the AWS external role ID without changing the IAM permissions policy.
If your organization requires different roles scoped to different access permissions, we recommend that you configure these new permissions by setting the scope to specific secret resources. This enables you to have more granular control over which connection credentials to use in each project.
# Prerequisites
To complete the steps in this guide, you must have the following:
In Workato:
- An account with Advanced Security & Compliance advanced functionality. For more information, contact your Workato Customer Success Manager.
In Amazon Web Services (AWS):
- Permissions that allow you to create and modify IAM permissions policies
- Permissions that allow you to create and modify IAM roles
# Step 1: Select the scope for secrets management
Sign in to your Workato account.
Navigate to Settings > Secrets management.
In Scope, select the option “Set up secrets management for each project individually”.
If you have previously set up Secrets Management at the workspace level, Workato notifies you that "All previously configured references to external secrets will stop working."
Remember that you must now set up secrets in each project individually.
Click Save changes.
If you are switching Secrets management scopes, Workato asks you to confirm the switch from workspace-level to project-level secrets management.
Click Use project-specific secrets.
# Step 2: Select the project
In Workato, navigate to your projects.
Select the project that you plan to configure with secrets management.
In the project, navigate to Settings > Secrets management.
In the Which secrets manager do you want to use? field, select AWS secrets manager.
# Step 3: Select the AWS Account ID and external ID
Under Create a new permission policy and role in AWS, Workato displays the IAM details you need. Note them for use in the following steps:
- AWS Account ID: copy this value; you use it when configuring the IAM role.
- External ID for ProjectName: copy this value; you use it when configuring the IAM role. Here, we configure access to the project WorkatoDB_Project1. The value is of the form `workato_iam_external_id_wwwww_pppp`, where `wwwww` is the ID of the Workato workspace and `pppp` is the ID of the project.
Do not close this interface; you use it to complete Step 5.2: Add the Role ARN in Workato.
# Step 4: Create an AWS IAM role for your Workato project
- Step 4.1: Create an IAM permissions policy
- Step 4.2: Configure the IAM role
- Step 4.3: Create the role
# Step 4.1: Create an IAM permissions policy
Sign in to your AWS Management Console and open the IAM console.
In the navigation pane, click Access management > Policies.
Click Create Policy.
On the Create policy page, complete these tasks:
In the Service field, find and select Secrets Manager.
In the Actions field, select the DescribeSecret and GetSecretValue permissions.
In the Resources field, specify the secrets to which you want the role to have access.
BEST PRACTICE
Workato recommends that you grant access to specific secrets rather than to all secrets in the account. Refer to Amazon's documentation for more information about using condition keys to grant minimal permissions.
The page should look similar to the following:
Click Next until you reach the Review policy page.
Enter the Name for the policy.
When finished, click Create policy.
# Step 4.2: Configure the IAM role
In the navigation pane, click Access management > Roles.
On the Roles page, click Create role.
On the Step 1 - Select trusted entity page, complete the following tasks:
For Trusted entity type, select AWS account.
In the An AWS account section, select Another AWS account.
In the Account ID field, paste the value you copied from the AWS Account ID field in Workato.
In the Options section, check the Require external ID box.
In the External ID field, paste the value from the External ID field in Workato. The page should look similar to this:
Click Next.
On the Step 2 - Add permissions page, select the policy you created in the previous step.
Click Next.
# Step 4.3: Create the Role
On the Step 3 - Name, review, and create page:
In the Role name field, enter a name for the role.
Review the role's configuration and make changes as needed.
When finished, click Create role.
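The console steps in 4.1 through 4.3 produce two IAM documents: a permissions policy that allows only DescribeSecret and GetSecretValue on the project's secrets, and a trust policy that lets Workato's AWS account assume the role only when it presents the project's external ID. The following added example (not Workato's or AWS's code) builds both documents from the values Step 3 asks you to copy and then audits them for the two mistakes this guide warns against: a wildcard Resource in the permissions policy and a missing external ID condition in the trust policy. The account ID, external ID and secret ARNs are constructed placeholders, and the assumption that the workspace and project IDs contain no underscores is the example's own.

```python
"""Build and audit the IAM documents for a project-scoped Workato role.

Added example, not code from Workato or AWS. Every identifier below is a
constructed placeholder; substitute the values shown in Project settings.
"""
import json
import re

# Constructed placeholders standing in for the values Workato displays in Step 3.
WORKATO_ACCOUNT_ID = "111111111111"
EXTERNAL_ID = "workato_iam_external_id_12345_678"
# Constructed ARNs of the secrets this project's connections may read.
SECRET_ARNS = [
    "arn:aws:secretsmanager:us-east-1:222222222222:secret:project1/db-creds-AbCdEf",
    "arn:aws:secretsmanager:us-east-1:222222222222:secret:project1/api-key-GhIjKl",
]

# Documented shape: workato_iam_external_id_<workspace>_<project>.
# Assumption (not stated on the page): neither ID contains an underscore.
EXTERNAL_ID_PATTERN = re.compile(r"^workato_iam_external_id_([^_]+)_([^_]+)$")
ALLOWED_ACTIONS = {"secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue"}


def parse_external_id(external_id):
    """Return (workspace_id, project_id); raise if the format is not the documented one."""
    match = EXTERNAL_ID_PATTERN.match(external_id)
    if not match:
        raise ValueError(f"unexpected external ID format: {external_id!r}")
    return match.group(1), match.group(2)


def permissions_policy(secret_arns):
    """Step 4.1: read-only access to the listed secrets and nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "WorkatoProjectReadSecrets",
            "Effect": "Allow",
            "Action": sorted(ALLOWED_ACTIONS),
            "Resource": list(secret_arns),
        }],
    }


def trust_policy(workato_account_id, external_id):
    """Step 4.2: Workato's account may assume the role only with this project's external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{workato_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit(policy, trust):
    """Return findings; an empty list means both documents follow the guide's recommendations."""
    findings = []
    for stmt in policy["Statement"]:
        extra = set(_as_list(stmt["Action"])) - ALLOWED_ACTIONS
        if extra:
            findings.append(f"permissions policy grants actions beyond the two needed: {sorted(extra)}")
        if any(r == "*" or r.endswith(":secret:*") for r in _as_list(stmt["Resource"])):
            findings.append("permissions policy uses a wildcard Resource; scope it to specific secrets")
    for stmt in trust["Statement"]:
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            findings.append("trust policy lacks an sts:ExternalId condition (Require external ID unchecked)")
            continue
        try:
            parse_external_id(ext)
        except ValueError as exc:
            findings.append(str(exc))
    return findings


if __name__ == "__main__":
    policy = permissions_policy(SECRET_ARNS)
    trust = trust_policy(WORKATO_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print(json.dumps(trust, indent=2))
    print("findings:", audit(policy, trust) or "none")
```

Running the script prints both JSON documents, which you can paste into the console's JSON editor instead of clicking through the visual editor, followed by the audit findings. The audit is deliberately strict: a single shared role with `Resource: "*"` would let every project's connections read every secret, which is exactly what project-scoped secrets management is meant to prevent.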
# Step 5: Add the Role ARN in Workato
# Step 5.1: Retrieve the Role ARN in AWS
After the role has been successfully created, you'll need to retrieve its role ARN to complete the setup in Workato.
Navigate to the Access Management > Roles page.
Locate the role you created and click to open it.
On the role's details page, locate the Summary section and the ARN field:
Copy the ARN; you must have it to complete the next step.
# Step 5.2: Add the Role ARN in Workato
Return to the browser tab you left open in Step 3, showing the project's Settings > Secrets management page in Workato.
Under Add the role to your Workato account, paste the ARN value in the Role ARN field.
Click Save changes.
# What's Next?
After your AWS Secrets Manager successfully connects to Workato, you can start using secrets when configuring connections.
Last updated: 3/17/2023, 4:33:56 AM