Add an AWS target secret store

This topic describes how to set up a target secret store that represent the target service, for example AWS Secrets Manager, that needs to receive secrets from PAM - Self-Hosted.


Prerequisite: When adding a target secret store, you need to provide the Secrets Hub IAM role. This role allows Secrets Hub to manage secrets in AWS Secrets Manager.

This role is created in your AWS account, usually by the AWS Account admin or anyone in the organization who has role creation permissions in the AWS account. For details, see Configure AWS account roles for Secrets Hub.

Add a target secret store

  1. On the Secrets Hub introduction page, click Add a target secret store, and then, from the Select cloud provider dialog box, select AWS.

  2. Define the target secret store and provide the following details:



    AWS account ID


    The 12-digit account ID of the AWS account that has the AWS Secrets Manager where you store secrets

    AWS account alias


    The alias of your AWS account



    The region where the AWS account is managed. The region is added to the target secret store's name

    Target secret store name


    Contains the AWS account alias and the account region

    Secrets Hub IAM role


    The AWS role used to allow Secrets Hub to manage secrets in your AWS Secrets Manager.

    See Prerequisite above.



    Brief description of the target

    For example, this can include the team in your organization that uses the target

  3. (Optional) To validate the details provided above, click Test connection.

    If Secrets Hub cannot connect to the target secret store, check that you have entered all the details correctly.

  4. Do one of the following:

    • Click Add to add the target secret store to the list of sync targets.

    • Click Add and create sync policy to add the target secret store to the list of sync targets and open the Create sync policy wizard where you create a policy for syncing secrets between PAM - Self-Hosted and AWS Secrets Manager.