AWS Secrets Manager¶
Virtual DataPort provides support to obtain credentials from the AWS Secrets Manager using two types of modes:
Default Credential Provider. Connects with the Credentials Vault using the AWS default credential provider chain. No credentials are required by configuration.
Access Keys. Connects with the Credentials Vault using CyberArk using AWS access keys.
Default Credential Provider¶
This mode relies on AWS SDK the authentication following the AWS default credential provider chain.
No credentials are required by Virtual DataPort. Select Default Credential Provider as authentication.

Access Keys¶
This mode requires AWS Keys for authenticating with the Credentials Vault.
Select Access Keys as authentication.

You have to provide the following data:
AWS access key id: this is the access key of the user.
AWS secret access key: this is the secret access key of the user.
AWS region: this is region where the secrets are defined.
Naming Convention for AWS Secrets Manager Secrets¶
AWS Secrets Manager supports creating Other type of secrets specifying the field names used for storing the information. For this type of secrets, Virtual DataPort expects the secrets to be created with these naming conventions:
User names: it is expected at a field named
username
.Passwords: it is expected at a field named
password
.AWS access keys: it is expected at a field named
access_key
.AWS secret keys: it is expected at a field named
secret_key
.
For example, a secret with user/password credentials.
{
"username": "my-user",
"password": "my-password"
}
and a secret with AWS credentials.
{
"access_key": "my-access-key",
"secret_key": "my-secret-key"
}
Required Policies¶
Virtual DataPort accesses directly to AWS Secrets Manager when the specified secret follows the Amazon Resource Name (ARN) syntax.
In another case, the access is done through AWS Systems Manager Parameter Store. So, policies attached to the AWS user used must grant, at least, READ
access to both systems.
For example, the following two policies can be attached:
Default AWS policy
AmazonSSMReadOnlyAccess
.A custom policy granting only read access to AWS Secrets Manager:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"*"
]
}
]
}
Note that there are a default AWS policy allowing READ/WRITE
to Secrets Manager which it is also valid: SecretsManagerReadWrite
.