Add an AWS target secret store

This topic describes how to set up a target secret store that represents the target service, for example AWS Secrets Manager, that needs to receive secrets from PAM - Self-Hosted.

Prerequisites

When adding a target secret store, you need to provide the Secrets Hub IAM role. This role allows Secrets Hub to manage secrets in AWS Secrets Manager.

This role is created in your AWS account, usually by the AWS Account admin or anyone in the organization who has role creation permissions in the AWS account. For details, see Configure AWS account roles for Secrets Hub.

Add a target secret store

  1. On the Secrets Hub introduction page, click Add a target secret store, and then, from the Select cloud provider dialog box, select AWS.

  2. Define the target secret store and provide the following details:

    AWS account ID (Mandatory)
      The 12-digit account ID of the AWS account that has the AWS Secrets Manager where you store secrets.

    AWS account alias (Mandatory)
      The alias of your AWS account.

    Region (Mandatory)
      The region where the AWS account is managed. The region is added to the target secret store's name.

    Target secret store name (Mandatory)
      Contains the AWS account alias and the account region.

    Secrets Hub IAM role (Mandatory)
      The AWS role used to allow Secrets Hub to manage secrets in your AWS Secrets Manager. See Prerequisites above.

    Description (Optional)
      Brief description of the target. For example, this can include the team in your organization that uses the target.

  3. (Optional) To validate the details provided above, click Test connection.

    If Secrets Hub cannot connect to the target secret store, check that you have entered all the details correctly.

  4. Do one of the following:

    • Click Add to add the target secret store to the list of sync targets.

    • Click Add and create sync policy to add the target secret store to the list of sync targets and open the Create sync policy wizard where you create a policy for syncing secrets between PAM - Self-Hosted and AWS Secrets Manager.