HashiCorp Cloud Platform
Integrate with AWS Secrets Manager
HCP Vault Secrets allows users to automatically synchronize application secrets to AWS Secrets Manager. This guide walks you through the configuration process.
Prerequisites:
- Ability to create AWS IAM roles
- Ability to create AWS IAM policies
- An Admin role in an HCP Project
- An HCP Vault Secrets application and secret(s)
Configuration
Navigate to the HCP Vault Secrets app you would like to integrate with your AWS account. From the sidebar, select Integrations, then click the AWS Secrets Manager card to initiate the setup.
If this is your first time configuring an AWS integration, you will be presented with four fields:
- Destination Name is the unique identifier and display name for this integration. It cannot be changed.
- External ID is a unique auto-generated value used in your AWS account to securely delegate access to HCP Vault Secrets. It will be needed when configuring your AWS IAM role.
- Role ARN is an AWS IAM role identifier that HCP Vault Secrets will assume in your AWS account. Instructions to provision this role can be found below.
- Region is the AWS region where your app secrets will be stored.
Once all fields are populated, click Save and sync secrets to complete the configuration process. It will immediately sync all your existing app secrets into your AWS Secrets Manager.
Going forward, all modifications to the app's secrets are automatically replicated in your AWS account almost instantly.
Create IAM Role
The following sections provide step-by-step guidance to configure the AWS IAM role in your AWS account that HCP Vault Secrets will assume using the AWS console or HashiCorp Terraform.
1. Navigate to the Create New Policy section in the AWS IAM service
2. Select the JSON tab
3. Paste the following into the permissions policy editor:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "HCPVaultSecretsAccess",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue",
        "secretsmanager:CreateSecret",
        "secretsmanager:PutSecretValue",
        "secretsmanager:UpdateSecret",
        "secretsmanager:UpdateSecretVersionStage",
        "secretsmanager:DeleteSecret",
        "secretsmanager:RestoreSecret",
        "secretsmanager:TagResource",
        "secretsmanager:UntagResource"
      ],
      "Resource": "*"
    }
  ]
}

4. Optionally provide tags
5. Name your policy
6. Click Create Policy
1. Navigate to the Create New Role section in the AWS IAM service
2. Select the Custom trust policy option
3. Paste the following into the trust policy editor:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::879554817125:role/HCPVaultSecrets_Sync"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<AWS_EXTERNAL_ID>"
        }
      }
    }
  ]
}

4. Populate the <AWS_EXTERNAL_ID> value with the AWS External ID of your HCP project.
   Note: Your External ID can be found by navigating to the AWS sync integration page in HCP.
5. Attach the policy that was created in the previous step
6. Name your role
7. Click Create Role
8. View the role you created and copy its ARN
You now have everything you need to complete the configuration process!
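The section above mentions that the role can also be provisioned with HashiCorp Terraform but only shows the console steps. The following is an added example, not a snippet from the HCP documentation or from HashiCorp's own modules, that creates the same permissions policy, trust policy and role with the Terraform AWS provider. It assumes the AWS provider is already configured for the target account, that the variable hcp_external_id is set to the External ID shown on the HCP integration page, and that the role and policy names HCPVaultSecretsSync and HCPVaultSecretsAccess are acceptable in your account (both names are choices made for this example). The principal ARN is the one given in the trust policy above.

```terraform
# Added example (not HCP's own code): Terraform equivalent of the console steps above.
# Assumes an already-configured AWS provider and var.hcp_external_id set from the HCP UI.

variable "hcp_external_id" {
  description = "External ID generated by HCP Vault Secrets for this integration (copy from the HCP integration page)"
  type        = string
  sensitive   = true
}

# Permissions policy: the same Secrets Manager actions as the console policy above.
data "aws_iam_policy_document" "hcp_vault_secrets_access" {
  statement {
    sid    = "HCPVaultSecretsAccess"
    effect = "Allow"
    actions = [
      "secretsmanager:DescribeSecret",
      "secretsmanager:GetSecretValue",
      "secretsmanager:CreateSecret",
      "secretsmanager:PutSecretValue",
      "secretsmanager:UpdateSecret",
      "secretsmanager:UpdateSecretVersionStage",
      "secretsmanager:DeleteSecret",
      "secretsmanager:RestoreSecret",
      "secretsmanager:TagResource",
      "secretsmanager:UntagResource",
    ]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "hcp_vault_secrets_access" {
  name   = "HCPVaultSecretsAccess" # name chosen for this example
  policy = data.aws_iam_policy_document.hcp_vault_secrets_access.json
}

# Trust policy: only the HCP sync role may assume this role, and only when it
# presents the External ID issued to your HCP project.
data "aws_iam_policy_document" "hcp_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::879554817125:role/HCPVaultSecrets_Sync"]
    }

    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [var.hcp_external_id]
    }
  }
}

resource "aws_iam_role" "hcp_vault_secrets_sync" {
  name               = "HCPVaultSecretsSync" # name chosen for this example
  assume_role_policy = data.aws_iam_policy_document.hcp_trust.json
}

resource "aws_iam_role_policy_attachment" "hcp_vault_secrets_sync" {
  role       = aws_iam_role.hcp_vault_secrets_sync.name
  policy_arn = aws_iam_policy.hcp_vault_secrets_access.arn
}

# Paste this value into the Role ARN field of the HCP integration form.
output "hcp_role_arn" {
  value = aws_iam_role.hcp_vault_secrets_sync.arn
}
```

After `terraform apply`, the `hcp_role_arn` output is the value the Role ARN field expects. The `sts:ExternalId` condition is the part to keep: the principal in the trust policy is a single HCP-owned role shared across HCP customers, so without the External ID check any other HCP project could in principle direct that role at your account (the confused-deputy problem that External IDs exist to prevent). Marking the variable `sensitive` keeps the External ID out of plan output and logs.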