

# Storing connection credentials in Amazon Secrets Manager
<a name="connection-properties-secrets-manager"></a>

We recommend that you use Amazon Secrets Manager to supply connection credentials for your data store. Using Secrets Manager this way lets Amazon Glue access your secret at runtime for ETL jobs and crawler runs, and helps keep your credentials secure.

**Prerequisites**

To use Secrets Manager with Amazon Glue, you must grant your [IAM role for Amazon Glue](create-an-iam-role.md) permission to retrieve secret values. The Amazon managed policy `AWSGlueServiceRole` doesn't include Amazon Secrets Manager permissions. For example IAM policies, see [Example: Permission to retrieve secret values](https://docs.amazonaws.cn/secretsmanager/latest/userguide/auth-and-access_examples.html#auth-and-access_examples_read) in the *Amazon Secrets Manager User Guide*.

Depending on your network setup, you might also need to create a VPC endpoint to establish a private connection between your VPC and Secrets Manager. For more information, see [Using an Amazon Secrets Manager VPC endpoint](https://docs.amazonaws.cn/secretsmanager/latest/userguide/vpc-endpoint-overview.html).

**To create a secret for Amazon Glue**

1. Follow the instructions in [Create and manage secrets](https://docs.amazonaws.cn/secretsmanager/latest/userguide/managing-secrets.html) in the *Amazon Secrets Manager User Guide*. The following example JSON shows how to specify your credentials in the **Plaintext** tab when you create a secret for Amazon Glue. 

   ```
   {
     "username": "EXAMPLE-USERNAME",
     "password": "EXAMPLE-PASSWORD"
   }
   ```

1. Associate your secret with a connection using the Amazon Glue Studio interface. For detailed instructions, see [Creating connections for connectors](https://docs.amazonaws.cn/glue/latest/ug/connectors-chapter.html#creating-connections) in the *Amazon Glue Studio User Guide.*
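
The following pre-flight check is an added example, not part of the original guide or Amazon's own code. It tests whether a role policy document grants `secretsmanager:GetSecretValue` on one secret (the prerequisite above), flags a wildcard resource, and confirms the secret body has the `username` and `password` keys shown in step 1. The ARN, account ID, and both policies are constructed sample values, and the evaluation is simplified: it ignores `Deny` statements, conditions, and `NotAction`/`NotResource`.

```python
import json
import re

# Constructed sample values; replace with your own secret ARN and role policy.
SECRET_ARN = "arn:aws-cn:secretsmanager:cn-north-1:111122223333:secret:glue/EXAMPLE-a1b2c3"
SCOPED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": SECRET_ARN}]}
BROAD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "secretsmanager:*", "Resource": "*"}]}

def _iam_match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: * is any run of characters, ? is exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_role_policy(policy, secret_arn):
    """Return (allowed, warnings) for reading secret_arn under this policy."""
    allowed, warnings = False, []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        # Action names are case-insensitive; resource ARNs are not.
        if not any(_iam_match(a, "secretsmanager:GetSecretValue", True) for a in actions):
            continue
        for res in _as_list(stmt.get("Resource", [])):
            if _iam_match(res, secret_arn):
                allowed = True
                if res == "*":
                    warnings.append("Resource '*' lets the role read every secret in the account")
    return allowed, warnings

def check_secret_string(secret_string):
    """Return problems with the secret's JSON body; an empty list means OK."""
    try:
        data = json.loads(secret_string)
    except json.JSONDecodeError:
        return ["not valid JSON"]
    if not isinstance(data, dict):
        return ["not a JSON object"]
    return [f"missing {k}" for k in ("username", "password") if not data.get(k)]

if __name__ == "__main__":
    print(check_role_policy(SCOPED, SECRET_ARN))
    print(check_role_policy(BROAD, SECRET_ARN))
    print(check_secret_string('{"username": "EXAMPLE-USERNAME"}'))
```

A policy with no matching statement returns `(False, [])`, which is the result to expect for a role that has only the managed policy attached and no Secrets Manager statement of its own.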