CloudWatch pipelines extensions - Amazon CloudWatch

CloudWatch pipelines extensions

CloudWatch pipelines extensions provide additional functionality to the pipeline. You can use the Amazon Secrets Manager integration for credential management.

Amazon Secrets Manager extension

Configures access to Amazon Secrets Manager for retrieving credentials and sensitive configuration values. This extension is only supported for third-party sources that require authentication credentials.

Configuration

Configure the Amazon Secrets Manager extension with the following parameters:

extension:
  aws:
    secrets:
      <secret-name>:
        secret_id: "<secret arn>"
        region: "<secret region>"
        sts_role_arn: "arn:aws:iam::123456789012:role/Example-Role"
        refresh_interval: PT1H
        disable_refresh: false

Parameters
aws.secrets.<secret-name>.secret_id (required)

The ARN of the Amazon Secrets Manager secret containing the credentials.

aws.secrets.<secret-name>.region (required)

The Amazon Web Services Region where the secret is stored.

aws.secrets.<secret-name>.sts_role_arn (required)

The ARN of the IAM role to assume for accessing the Amazon Secrets Manager secret.

aws.secrets.<secret-name>.refresh_interval (optional)

How often to refresh the secret from Amazon Secrets Manager. Uses ISO 8601 duration format. Defaults to PT1H (1 hour).

aws.secrets.<secret-name>.disable_refresh (optional)

Whether to disable automatic secret refresh. Defaults to false.

Secret reference syntax

Reference secrets in your pipeline configuration using the following syntax:

${{aws_secrets:<secret-name>:<key>}}

For example, to reference a client ID and secret:

source:
  microsoft_office365:
    authentication:
      oauth2:
        client_id: "${{aws_secrets:office365-creds:client_id}}"
        client_secret: "${{aws_secrets:office365-creds:client_secret}}"

Requirements and limitations

Secret format

Secrets must be stored as JSON key-value pairs in Amazon Secrets Manager.

Cross-Region access

Secrets can be accessed from any Region where Amazon Secrets Manager is available.

Refresh interval limits

Minimum refresh interval is 5 minutes (PT5M). Maximum is 24 hours (PT24H).

Maximum secrets

A pipeline can reference up to 10 different secrets.
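As an added example (not code from the CloudWatch documentation or from the pipeline itself), the following Python checks an extension block against the rules on this page (required parameters, the PT5M to PT24H refresh window, the JSON key-value secret format, the limit of 10 secrets) and resolves the ${{aws_secrets:<name>:<key>}} syntax in a pipeline configuration. The in-memory dict standing in for Secrets Manager, the function names, and the sample ARNs and secret values are assumptions; the real pipeline performs the fetch with the role in sts_role_arn.

```python
# Added example, not code from the CloudWatch documentation or the pipeline.
# Secrets Manager is replaced by a constructed dict of SecretString payloads
# so that the code runs offline; all names below are assumptions.
import json
import re
from datetime import timedelta

MIN_REFRESH = timedelta(minutes=5)   # documented minimum, PT5M
MAX_REFRESH = timedelta(hours=24)    # documented maximum, PT24H
MAX_SECRETS = 10                     # documented per-pipeline limit
DEFAULT_REFRESH = "PT1H"             # documented default
REQUIRED = ("secret_id", "region", "sts_role_arn")

# Day and time components cover every value the refresh window allows.
_DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")
_REF_RE = re.compile(r"\$\{\{aws_secrets:([^:}]+):([^:}]+)\}\}")


def parse_iso8601_duration(text):
    """Parse a duration such as PT1H or P1D into a timedelta; reject anything else."""
    m = _DURATION_RE.match(text)
    if not m or not any(m.groups()):
        raise ValueError(f"invalid ISO 8601 duration: {text!r}")
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def validate_secrets_extension(extension):
    """Return a list of problems with extension['aws']['secrets']; empty means valid."""
    secrets = extension.get("aws", {}).get("secrets", {})
    errors = []
    if len(secrets) > MAX_SECRETS:
        errors.append(f"{len(secrets)} secrets configured, maximum is {MAX_SECRETS}")
    for name, cfg in secrets.items():
        for key in REQUIRED:
            if key not in cfg:
                errors.append(f"{name}: missing required parameter {key}")
        if cfg.get("disable_refresh", False):
            continue  # refresh is off, so the interval is irrelevant
        try:
            interval = parse_iso8601_duration(cfg.get("refresh_interval", DEFAULT_REFRESH))
        except ValueError as exc:
            errors.append(f"{name}: {exc}")
            continue
        if not MIN_REFRESH <= interval <= MAX_REFRESH:
            errors.append(f"{name}: refresh_interval must be between PT5M and PT24H")
    return errors


def load_secret_payload(secret_string):
    """Secrets must be JSON key-value pairs; reject any other shape."""
    payload = json.loads(secret_string)
    if not isinstance(payload, dict) or not all(isinstance(v, str) for v in payload.values()):
        raise ValueError("secret is not a flat JSON object of string values")
    return payload


def resolve_references(config, extension, secret_strings):
    """Replace every ${{aws_secrets:<name>:<key>}} in a nested config with its value.

    secret_strings maps secret name -> SecretString and stands in for the
    fetch the pipeline performs with sts_role_arn in the secret's Region.
    """
    configured = extension.get("aws", {}).get("secrets", {})
    referenced = set()

    def substitute(match):
        name, key = match.group(1), match.group(2)
        if name not in configured:
            raise KeyError(f"reference to undeclared secret {name!r}")
        referenced.add(name)
        if len(referenced) > MAX_SECRETS:
            raise ValueError(f"pipeline references more than {MAX_SECRETS} secrets")
        payload = load_secret_payload(secret_strings[name])
        if key not in payload:
            raise KeyError(f"secret {name!r} has no key {key!r}")
        return payload[key]

    def walk(node):
        if isinstance(node, dict):
            return {k: walk(v) for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v) for v in node]
        if isinstance(node, str):
            return _REF_RE.sub(substitute, node)
        return node

    return walk(config)


# Constructed sample data mirroring the page's examples (placeholder values).
EXTENSION = {"aws": {"secrets": {"office365-creds": {
    "secret_id": "arn:aws:secretsmanager:us-east-1:123456789012:secret:office365-creds-PLACEHOLDER",
    "region": "us-east-1",
    "sts_role_arn": "arn:aws:iam::123456789012:role/Example-Role",
    "refresh_interval": "PT1H", "disable_refresh": False}}}}
PIPELINE = {"source": {"microsoft_office365": {"authentication": {"oauth2": {
    "client_id": "${{aws_secrets:office365-creds:client_id}}",
    "client_secret": "${{aws_secrets:office365-creds:client_secret}}"}}}}}
SECRET_STRINGS = {"office365-creds": json.dumps(
    {"client_id": "client-id-placeholder", "client_secret": "client-secret-placeholder"})}

if __name__ == "__main__":
    print("config problems:", validate_secrets_extension(EXTENSION))
    print(json.dumps(resolve_references(PIPELINE, EXTENSION, SECRET_STRINGS), indent=2))
```

Running the block validates the sample extension and prints the pipeline with both placeholders substituted. Resolution stops at the first reference to a secret that is not declared under aws.secrets or to a key missing from the secret's JSON, which is the failure a misconfigured pipeline should surface before any source connection is attempted.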

Important

Consider the following when using secrets:

  • Ensure the IAM role has appropriate permissions to access the secrets

  • Monitor secret access using Amazon CloudTrail

  • Use separate secrets for different environments (development, production)