

# Configure data source authentication for SiteWise Edge
<a name="configure-source-authentication-ggv2"></a>

If your OPC UA server requires authentication credentials to connect, you can use Amazon Secrets Manager to create and deploy a secret to your SiteWise Edge gateway. Amazon Secrets Manager encrypts secrets on the device to keep your user name and password secure until you need to use them. For more information about the Amazon IoT Greengrass secret manager component, see [Secret manager](https://docs.amazonaws.cn/greengrass/v2/developerguide/secret-manager-component.html) in the *Amazon IoT Greengrass Version 2 Developer Guide*.

For information about managing access to Secrets Manager secrets, see:
+ [Who has permissions to your Amazon Secrets Manager secrets](https://docs.amazonaws.cn/secretsmanager/latest/userguide/determine-acccess_examine-iam-policies.html)
+ [Determining if a request is allowed or denied within an account](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow)

## Step 1: Create source authentication secrets
<a name="create-secrets-ggv2"></a>

You can use Amazon Secrets Manager to create an authentication secret for your data source. In the secret, define **username** and **password** key-value pairs that contain authentication details for your data source.

**To create a secret (console)**

1. Navigate to the [Amazon Secrets Manager console](https://console.amazonaws.cn/secretsmanager/).

1. Choose **Store a new secret**.

1. Under **Secret type**, choose **Other type of secrets**.

1. Under **Key/value pairs**, do the following:

   1. In the first input box, enter **username** and in the second input box enter the username.

   1. Choose **Add row**.

   1. In the first input box, enter **password** and in the second input box enter the password.

1. For **Encryption key**, select **aws/secretsmanager**, and then choose **Next**.

1. On the **Store a new secret** page, enter a **Secret name**. 

1. (Optional) Enter a **Description** that helps you identify this secret, and then choose **Next**.

1. (Optional) On the **Store a new secret** page, turn on **Automatic rotation**. For more information, see [Rotate secrets](https://docs.amazonaws.cn/secretsmanager/latest/userguide/rotating-secrets.html) in the *Amazon Secrets Manager User Guide*.

1. Specify a rotation schedule.

1. Choose a Lambda function that can rotate this secret, and then choose **Next**.

1. Review your secret configurations, and then choose **Store**.

To authorize your SiteWise Edge gateway to interact with Amazon Secrets Manager, the IAM role for your SiteWise Edge gateway must allow the `secretsmanager:GetSecretValue` action. You can use the **Greengrass core device** to search for the IAM policy. For more information about updating an IAM policy, see [Editing IAM policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_manage-edit.html) in the *Amazon Identity and Access Management User Guide*.

**Example policy**  
Replace *secret-arn* with the Amazon Resource Name (ARN) of the secret that you created in the previous step. For more information about how to get the ARN of a secret, see [Find secrets in Amazon Secrets Manager](https://docs.amazonaws.cn/secretsmanager/latest/userguide/manage_search-secret.html) in the *Amazon Secrets Manager User Guide*.    

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Effect": "Allow",
      "Resource": [
        "secret-arn"
      ]
    }
  ]
}
```

## Step 2: Deploy secrets to your SiteWise Edge gateway device
<a name="deploy-secrets-ggv2"></a>

You can use the Amazon IoT SiteWise console to deploy secrets to your SiteWise Edge gateway.

**To deploy a secret (console)**

1. Navigate to the [Amazon IoT SiteWise console](https://console.amazonaws.cn/iotsitewise/).

1. In the navigation pane, choose **Gateways**.

1. From the **Gateways** list, choose the target SiteWise Edge gateway.

1. In the **Gateway configuration** section, choose the **Greengrass core device** link to open the Amazon IoT Greengrass core associated with the SiteWise Edge gateway.

1. In the navigation pane, choose **Deployments**.

1. Choose the target deployment, and then choose **Revise**.

1. On the **Specify target** page, choose **Next**.

1. On the **Select components** page, in the **Public components** section, turn off **Show only selected components**.

1. Search for and choose the **aws.greengrass.SecretManager** component, and then choose **Next**.

1. From the **Selected components** list, choose the **aws.greengrass.SecretManager** component, and then choose **Configure component**.

1. In the **Configuration to merge** field, add the following JSON object.

   **Note**  
   Replace *secret-arn* with the ARN of the secret that you created in the previous step. For more information about how to get the ARN of a secret, see [Find secrets in Amazon Secrets Manager](https://docs.amazonaws.cn/secretsmanager/latest/userguide/manage_search-secret.html) in the *Amazon Secrets Manager User Guide*.

   ```
   {
     "cloudSecrets": [
       {
         "arn": "secret-arn"
       }
     ]
   }
   ```

1. Choose **Confirm**.

1. Choose **Next**.

1. On the **Configure advanced settings** page, choose **Next**.

1. Review your deployment configurations, and then choose **Deploy**.
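The gateway role policy from Step 1 and the `cloudSecrets` configuration from Step 2 have to agree: every deployed secret must be readable by the role, and the role should not be able to read anything else. The following check is an added example, not part of the original documentation; it reports wildcard resources, malformed secret ARNs, an unreplaced *secret-arn* placeholder, and a partition that does not match the Region. The function names and sample values are hypothetical, and the check is simplified to ignore `Deny`, `NotAction`, `NotResource` and `Condition` elements.

```python
import fnmatch
import re

# arn:<partition>:secretsmanager:<region>:<12-digit account>:secret:<name>-<suffix>
SECRET_ARN = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):secretsmanager:([a-z0-9-]+):(\d{12}):secret:(.+)$")
ACTION = "secretsmanager:GetSecretValue"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allowed_resources(policy):
    """Resource patterns from Allow statements that grant GetSecretValue."""
    patterns = []
    for stmt in _as_list(policy["Statement"]):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]  # case-insensitive
        granted = any(fnmatch.fnmatchcase(ACTION.lower(), a) for a in actions)
        if stmt.get("Effect") == "Allow" and granted:
            patterns += _as_list(stmt.get("Resource", []))
    return patterns

def audit(policy, component_config):
    """Findings for the gateway role policy vs. the deployed cloudSecrets."""
    findings = []
    patterns = allowed_resources(policy)
    deployed = [s["arn"] for s in component_config.get("cloudSecrets", [])]
    for p in patterns:
        if "*" in p or "?" in p:
            findings.append(f"wildcard resource covers more than one secret: {p}")
        elif not SECRET_ARN.match(p):
            findings.append(f"not a Secrets Manager secret ARN: {p}")
        elif p not in deployed:
            findings.append(f"policy allows a secret that is not deployed: {p}")
    for arn in deployed:
        m = SECRET_ARN.match(arn)
        if not m:
            findings.append(f"cloudSecrets entry is not a secret ARN: {arn}")
        elif (m.group(1) == "aws-cn") != m.group(2).startswith("cn-"):
            findings.append(f"partition and Region disagree: {arn}")
        if not any(fnmatch.fnmatchcase(arn, p) for p in patterns):
            findings.append(f"gateway role cannot read deployed secret: {arn}")
    return findings

# Constructed sample data: account ID, Region and secret name are placeholders.
ARN = "arn:aws-cn:secretsmanager:cn-north-1:123456789012:secret:opcua-line1-AbCdEf"
CONFIG = {"cloudSecrets": [{"arn": ARN}]}
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": [ACTION], "Resource": [ARN]}]}
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["secretsmanager:*"], "Resource": ["*"]}]}
```

`audit(SCOPED, CONFIG)` returns an empty list, while `audit(BROAD, CONFIG)` returns one wildcard finding even though the deployment itself would succeed.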

## Step 3: Add authentication configurations
<a name="add-authentication-configurations"></a>

You can use the Amazon IoT SiteWise console to add authentication configurations to your SiteWise Edge gateway.

**To add authentication configurations (console)**

1. Navigate to the [Amazon IoT SiteWise console](https://console.amazonaws.cn/iotsitewise/).

1. From the **Gateways** list, choose the target SiteWise Edge gateway.

1. From the **Data sources** list, choose the target data source, and then choose **Edit**.

1. On the **Add a data source** page, choose **Advanced configuration**.

1. For **Authentication configuration**, choose the secret that you deployed in the previous step.

1. Choose **Save**.