Prerequisites
- An Enkryptify workspace with admin access
- An AWS account with permissions to create IAM roles and policies
Permissions
Enkryptify connects to your AWS account by assuming an IAM Role that you create. We use temporary credentials from sts:AssumeRole to manage secrets in AWS Secrets Manager.
- Trust relationship:
  - Trusted entity: AWS Account 676206939822 (Enkryptify)
  - External ID: not required (will be added in a future update)
- Required permissions on the assumed role (inline policy example below):
  - secretsmanager:GetSecretValue
  - secretsmanager:DescribeSecret
  - secretsmanager:PutSecretValue
  - secretsmanager:CreateSecret
  - secretsmanager:DeleteSecret
  - secretsmanager:TagResource
  - secretsmanager:UpdateSecret
You may scope the Resource to specific secret ARNs. The example uses * for simplicity.
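A trust policy that expresses the relationship described above, added here as an illustration rather than taken from Enkryptify's own documentation. The only value it relies on is the Enkryptify account ID 676206939822 stated above; since no external ID is required yet, the statement carries no sts:ExternalId condition. Attach it as the trust relationship of the role you create in the steps below.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowEnkryptifyToAssumeRole",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::676206939822:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

The :root principal means any identity in the Enkryptify account that its own IAM policies permit can assume the role; once Enkryptify supports external IDs, adding a Condition on sts:ExternalId to this statement is the usual way to narrow that further.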
Steps to complete
1. Create a new sync
- Go to the Syncs tab of your project and click on AWS Secrets Manager.
2. Authenticate via AWS Role Assumption
- In Enkryptify, you will be asked for the IAM Role ARN that Enkryptify should assume.
- In AWS, create or select a role for Enkryptify to assume:
  - Go to the IAM Roles page and create a role with trusted entity type AWS Account → Another AWS Account.
  - Enter Account ID 676206939822.
  - Do not require an external ID (to be added in a future update).
  - Add the following inline policy to allow Secrets Manager access:
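An inline permissions policy granting the seven Secrets Manager actions listed in the Permissions section, added here as an example rather than copied from Enkryptify. It shows the scoped form: the Resource is limited to secrets whose names start with a prefix, so the role cannot touch unrelated secrets in the account. The account ID 111122223333, the region us-east-1 and the myapp/ prefix are placeholders for your own values; replace the Resource with "*" to get the unscoped form mentioned above.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnkryptifySecretsManagerSync",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret",
        "secretsmanager:PutSecretValue",
        "secretsmanager:CreateSecret",
        "secretsmanager:DeleteSecret",
        "secretsmanager:TagResource",
        "secretsmanager:UpdateSecret"
      ],
      "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:myapp/*"
    }
  ]
}
```

Secrets Manager appends a random suffix to every secret ARN, so the trailing wildcard after the name prefix is needed even when you intend to match a single secret; list individual ARN patterns in an array if you prefer not to use a prefix. Pick the region in the ARN to match the one you select for the sync.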
- Copy the Role ARN and paste it into Enkryptify to complete authentication.
- Select the AWS region you want to sync secrets to.
3. Link an Enkryptify environment
- Choose which Enkryptify environment to sync.