Using Amazon Web Services Secrets Manager in connections

Video guide: Set up connections safely with AWS Secrets Manager

In this guide, we'll show you how to use secrets from your Amazon Web Services (AWS) Secrets Manager vault to configure Workato connections.

---

Prerequisites

To complete the steps in this guide, you'll need:

• The following in Workato:

  • An account with a successful AWS Secrets Manager workspace-level or AWS Secrets Manager project-level connection
  • A user role with Create and Edit Connections privileges

• In Amazon Web Services (AWS):

  • An existing secret. Refer to Amazon's documentation (opens new window) for info on creating a secret.
  • Permissions that allow you to view secrets in AWS Secrets Manager

---

Step 1: Retrieve the secret's details from AWS

1

Sign in to your AWS Management Console and open the Secrets Manager console (opens new window).

2

In the navigation pane, click Secrets.

3

Click the secret you plan to use in Workato.

4

In the Secret details section, locate the Secret name and Secret ARN:

Keep this page open - you'll need it to complete the next step.

---

Step 2: Configure a Workato connection

1

Create a new connection or open the configuration page for an existing connection in your Workato account.

2

Click the corresponding input field for connection parameters referencing an external secret. The Add external secret option appears.

3

Select Add external secret to open the Add external secret popup.

4

Enter the Key name and Secret ARN in the Add external secret popup.

Add external secret

5

Select Done. The secret appears as a masked datapill in the input field on the connection page.

Select the datapill to edit the secret.

6

Click Connect and verify that this connection works.

If you prefer to add the secret with a secret mask, follow this syntax for the secrets used in Workato connection credentials:

{{workato:sm:<key name>:<secret ARN>}}

• <key name>

• Refers to the specific key name within a secret, not the secret name itself. For example, in a secret named jira, there may be a key/value pair where prod.jira.secret.key is the key name, and its value is the actual personal access token.

• <secret ARN>

• The Amazon Resource Name (ARN) for the secret in AWS Secrets Manager. For example:

  {{workato:sm:prod.jira.secret.key:arn:aws:secretsmanager:us-east-1:137149879143:secret:prod-jira-credentials-FsmeTs}}
  

In this example, prod.jira.secret.key is the key name in a secret named jira, and arn:aws:secretsmanager:us-east-1:137149879143:secret:prod-jira-credentials-FsmeTs is the secret ARN.

In the connection's configuration page, paste this entire value into the appropriate field. The following image shows a secret being used as the Custom Service client secret value in a Jira connection:

Step 3: Complete your connection setup

Select Connect to authorize and complete your connection setup.