infisical/docs/documentation/platform/pki/certificate-syncs/aws-secrets-manager.mdx
Carlos Monastyrski b095a15f9a Address PR suggestions
2025-11-19 23:58:02 -03:00

---
title: "AWS Secrets Manager"
description: "Learn how to configure an AWS Secrets Manager Certificate Sync for Infisical PKI."
---
**Prerequisites:**
- Create an [AWS Connection](/integrations/app-connections/aws)
- If network restrictions apply, ensure your network security policies allow inbound requests from Infisical to this certificate sync provider.
<Note>
The AWS Secrets Manager Certificate Sync requires the following permissions on the AWS IAM identity that Infisical uses
to sync certificates to AWS Secrets Manager: `secretsmanager:CreateSecret`, `secretsmanager:UpdateSecret`,
`secretsmanager:GetSecretValue`, `secretsmanager:DeleteSecret`, `secretsmanager:ListSecrets`.
Any IAM role with these permissions will work, such as one attached to a custom policy granting these **SecretsManager** actions.
</Note>
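As an added example (not part of the Infisical docs or code base), the following Python builds a least-privilege IAM policy for the identity behind the AWS Connection. It grants only the five actions listed above, and scopes the four resource-level actions to secrets whose names start with the literal prefix of the sync's `certificateNameSchema` (for example `myapp-` from `myapp-{{certificateId}}`); `secretsmanager:ListSecrets` has no resource-level permission support in IAM and must be granted on `*`. The account ID and KMS key ARN are placeholders. The optional third statement is an AWS requirement the page does not cover: when `destinationConfig.keyId` points at a customer-managed KMS key, the identity also needs `kms:GenerateDataKey` and `kms:Decrypt` on that key, here restricted to use through Secrets Manager with the `kms:ViaService` condition.

```python
"""Build a least-privilege IAM policy for an Infisical AWS Secrets Manager
Certificate Sync. Added example, not Infisical's own code."""
import json
from typing import Optional

PLACEHOLDER = "{{certificateId}}"

# Actions the Infisical docs list for this sync; these four accept a secret ARN.
SCOPED_ACTIONS = [
    "secretsmanager:CreateSecret",
    "secretsmanager:UpdateSecret",
    "secretsmanager:GetSecretValue",
    "secretsmanager:DeleteSecret",
]
# ListSecrets has no resource-level permission support and must use "*".
LIST_ACTION = "secretsmanager:ListSecrets"


def name_prefix(schema: str) -> str:
    """Literal text before the first {{certificateId}} placeholder."""
    if PLACEHOLDER not in schema:
        raise ValueError(f"schema must contain {PLACEHOLDER}")
    prefix = schema.split(PLACEHOLDER, 1)[0]
    if not prefix:
        raise ValueError("schema has no literal prefix, so the policy could not be scoped")
    return prefix


def build_policy(region: str, account_id: str, schema: str,
                 kms_key_arn: Optional[str] = None) -> dict:
    """Return an IAM policy document scoped to secrets created by this sync."""
    prefix = name_prefix(schema)
    # Secret ARNs end in "secret:<name>-<6 random chars>", so a trailing
    # wildcard is needed even for an exact name; here it also covers the schema.
    secret_arn = f"arn:aws:secretsmanager:{region}:{account_id}:secret:{prefix}*"
    statements = [
        {
            "Sid": "ManageSyncedCertificateSecrets",
            "Effect": "Allow",
            "Action": SCOPED_ACTIONS,
            "Resource": secret_arn,
        },
        {"Sid": "ListSecrets", "Effect": "Allow", "Action": LIST_ACTION, "Resource": "*"},
    ]
    if kms_key_arn:
        # Only needed when destinationConfig.keyId selects a customer-managed key.
        statements.append({
            "Sid": "UseCustomerManagedKeyViaSecretsManager",
            "Effect": "Allow",
            "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
            "Resource": kms_key_arn,
            "Condition": {
                "StringEquals": {"kms:ViaService": f"secretsmanager.{region}.amazonaws.com"}
            },
        })
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    # 123456789012 and the key ID are placeholders; the schema is the one from the API example.
    print(json.dumps(build_policy(
        "us-east-1", "123456789012", "myapp-{{certificateId}}",
        "arn:aws:kms:us-east-1:123456789012:key/PLACEHOLDER-KEY-ID"), indent=2))
```

Pipe the printed document into `aws iam create-policy --policy-document file://...` and attach it to the role used by the AWS Connection. A schema without a literal prefix (just `{{certificateId}}`) is rejected on purpose, because the policy could then only be scoped to every secret in the account.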
<Note>
Certificates synced to AWS Secrets Manager will be stored as JSON secrets,
preserving both the certificate and private key components as separate fields within the secret value.
</Note>
<Tabs>
<Tab title="Infisical UI">
1. Navigate to **Project** > **Integrations** > **Certificate Syncs** and press **Add Sync**.
![Certificate Syncs Tab](/images/platform/pki/certificate-syncs/general/create-certificate-sync.png)
2. Select the **AWS Secrets Manager** option.
![Select AWS Secrets Manager](/images/platform/pki/certificate-syncs/aws-secrets-manager/select-aws-secrets-manager-option.png)
3. Configure the **Destination** to where certificates should be deployed, then click **Next**.
![Configure Destination](/images/platform/pki/certificate-syncs/aws-secrets-manager/aws-secrets-manager-destination.png)
- **AWS Connection**: The AWS Connection to authenticate with.
- **Region**: The AWS region where secrets will be stored.
4. Configure the **Sync Options** to specify how certificates should be synced, then click **Next**.
![Configure Options](/images/platform/pki/certificate-syncs/aws-secrets-manager/aws-secrets-manager-options.png)
- **Enable Removal of Expired/Revoked Certificates**: If enabled, Infisical will remove certificates from the destination if they are no longer active in Infisical.
- **Preserve Secret on Renewal**: Only applies to certificate renewals. When a certificate is renewed in Infisical, this option controls how the renewed certificate is handled. If enabled, the renewed certificate will update the existing secret, preserving the same secret name. If disabled, the renewed certificate will be created as a new secret with a new name.
- **Certificate Name Schema** (Optional): Customize how secret names are generated in AWS Secrets Manager. Use `{{certificateId}}` as a placeholder for the certificate ID.
- **Auto-Sync Enabled**: If enabled, certificates will automatically be synced when changes occur. Disable to enforce manual syncing only.
5. Configure the **Field Mappings** to customize how certificate data is stored in AWS Secrets Manager secrets, then click **Next**.
![Configure Field Mappings](/images/platform/pki/certificate-syncs/aws-secrets-manager/aws-secrets-manager-field-mappings.png)
- **Certificate Field**: The field name where the certificate will be stored in the secret value (default: `certificate`).
- **Private Key Field**: The field name where the private key will be stored in the secret value (default: `private_key`).
- **Certificate Chain Field**: The field name where the full certificate chain, excluding the root CA certificate, will be stored (default: `certificate_chain`).
- **CA Certificate Field**: The field name where the root CA certificate will be stored (default: `ca_certificate`).
<Tip>
**AWS Secrets Manager Secret Structure**: Certificates are stored in AWS Secrets Manager as JSON secrets with the following structure (field names can be customized via field mappings):
```json
{
  "certificate": "-----BEGIN CERTIFICATE-----\n...",
  "private_key": "-----BEGIN PRIVATE KEY-----\n...",
  "certificate_chain": "-----BEGIN CERTIFICATE-----\n...",
  "ca_certificate": "-----BEGIN CERTIFICATE-----\n..."
}
```
**Example with Custom Field Mappings**:
```json
{
  "ssl_cert": "-----BEGIN CERTIFICATE-----\n...",
  "ssl_key": "-----BEGIN PRIVATE KEY-----\n...",
  "ssl_chain": "-----BEGIN CERTIFICATE-----\n...",
  "ssl_ca": "-----BEGIN CERTIFICATE-----\n..."
}
```
</Tip>
6. Configure the **Details** of your AWS Secrets Manager Certificate Sync, then click **Next**.
![Configure Details](/images/platform/pki/certificate-syncs/aws-secrets-manager/aws-secrets-manager-details.png)
- **Name**: The name of your sync. Must be slug-friendly.
- **Description**: An optional description for your sync.
7. Select which certificates should be synced to AWS Secrets Manager.
![Select Certificates](/images/platform/pki/certificate-syncs/aws-secrets-manager/aws-secrets-manager-certificates.png)
8. Review your AWS Secrets Manager Certificate Sync configuration, then click **Create Sync**.
![Confirm Configuration](/images/platform/pki/certificate-syncs/aws-secrets-manager/aws-secrets-manager-review.png)
9. If auto-sync is enabled, your AWS Secrets Manager Certificate Sync will begin syncing your certificates to the destination.
![Sync Certificates](/images/platform/pki/certificate-syncs/aws-secrets-manager/aws-secrets-manager-synced.png)
</Tab>
<Tab title="API">
To create an **AWS Secrets Manager Certificate Sync**, make an API request to the [Create AWS Secrets Manager Certificate Sync](/api-reference/endpoints/pki/syncs/aws-secrets-manager/create) API endpoint.
### Sample request
<Note>
You can optionally specify `certificateIds` during sync creation to immediately add certificates to the sync.
If not provided, you can add certificates later using the certificate management endpoints.
</Note>
```bash Request
curl --request POST \
  --url https://app.infisical.com/api/v1/pki/syncs/aws-secrets-manager \
  --header 'Authorization: Bearer <access-token>' \
  --header 'Content-Type: application/json' \
  --data '{
    "name": "my-aws-secrets-manager-cert-sync",
    "projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "description": "an example certificate sync",
    "connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "destination": "aws-secrets-manager",
    "isAutoSyncEnabled": true,
    "certificateIds": [
      "550e8400-e29b-41d4-a716-446655440000",
      "660f1234-e29b-41d4-a716-446655440001"
    ],
    "syncOptions": {
      "canRemoveCertificates": true,
      "preserveSecretOnRenewal": true,
      "canImportCertificates": false,
      "certificateNameSchema": "myapp-{{certificateId}}",
      "fieldMappings": {
        "certificate": "ssl_cert",
        "privateKey": "ssl_key",
        "certificateChain": "ssl_chain",
        "caCertificate": "ssl_ca"
      }
    },
    "destinationConfig": {
      "region": "us-east-1",
      "keyId": "alias/my-kms-key"
    }
  }'
```
### Example with Default Field Mappings
```bash Request
curl --request POST \
  --url https://app.infisical.com/api/v1/pki/syncs/aws-secrets-manager \
  --header 'Authorization: Bearer <access-token>' \
  --header 'Content-Type: application/json' \
  --data '{
    "name": "my-aws-secrets-manager-cert-sync-default",
    "projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "description": "AWS Secrets Manager sync with default field mappings",
    "connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "destination": "aws-secrets-manager",
    "isAutoSyncEnabled": true,
    "syncOptions": {
      "canRemoveCertificates": true,
      "preserveSecretOnRenewal": true,
      "canImportCertificates": false,
      "certificateNameSchema": "infisical-{{certificateId}}",
      "fieldMappings": {
        "certificate": "certificate",
        "privateKey": "private_key",
        "certificateChain": "certificate_chain",
        "caCertificate": "ca_certificate"
      }
    },
    "destinationConfig": {
      "region": "us-west-2"
    }
  }'
```
### Sample response
```json Response
{
  "pkiSync": {
    "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "name": "my-aws-secrets-manager-cert-sync",
    "description": "an example certificate sync",
    "destination": "aws-secrets-manager",
    "isAutoSyncEnabled": true,
    "destinationConfig": {
      "region": "us-east-1",
      "keyId": "alias/my-kms-key"
    },
    "syncOptions": {
      "canRemoveCertificates": true,
      "preserveSecretOnRenewal": true,
      "canImportCertificates": false,
      "certificateNameSchema": "myapp-{{certificateId}}",
      "fieldMappings": {
        "certificate": "ssl_cert",
        "privateKey": "ssl_key",
        "certificateChain": "ssl_chain",
        "caCertificate": "ssl_ca"
      }
    },
    "projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "createdAt": "2023-01-01T00:00:00.000Z",
    "updatedAt": "2023-01-01T00:00:00.000Z"
  }
}
```
</Tab>
</Tabs>
## Certificate Management
Your AWS Secrets Manager Certificate Sync will:
- **Automatic Deployment**: Deploy certificates in Infisical to AWS Secrets Manager as JSON secrets with customizable field names
- **Certificate Updates**: Update certificates in AWS Secrets Manager when renewals occur
- **Expiration Handling**: Remove expired certificates from AWS Secrets Manager when the removal option is enabled
- **Format Preservation**: Maintain certificate format during sync operations
- **Field Customization**: Map certificate data to custom field names that match your application requirements
- **CA Certificate Support**: Include CA certificates in secrets for complete certificate chain management
- **KMS Encryption**: Optionally use custom KMS keys for secret encryption
- **Regional Deployment**: Deploy secrets to specific AWS regions
<Note>
AWS Secrets Manager Certificate Syncs support both automatic and manual
synchronization modes. When auto-sync is enabled, certificates are
automatically deployed as they are issued or renewed.
</Note>
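To show how an application consumes a synced secret, here is an added Python example (not Infisical's code). It takes the `SecretString` returned by AWS Secrets Manager, resolves the sync's `fieldMappings` (the custom `ssl_*` names from the API example above) back to their roles, checks that each field holds PEM blocks of the type that role expects so a mis-mapped field is caught before deployment, and writes the material to disk with the private key file created mode 0600. The secret value is a constructed stand-in with placeholder PEM bodies; fetching it with the AWS SDK is left outside the block so that it runs offline.

```python
"""Consume a certificate secret written by an Infisical AWS Secrets Manager
Certificate Sync. Added example, not Infisical's own code."""
import json
import os
import re
import tempfile

# A PEM block: header, body, and a footer whose type matches the header.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.+?\n-----END \1-----", re.S)

# fieldMappings exactly as in the docs' API example (role -> field name in the secret).
FIELD_MAPPINGS = {
    "certificate": "ssl_cert",
    "privateKey": "ssl_key",
    "certificateChain": "ssl_chain",
    "caCertificate": "ssl_ca",
}

# PEM block types each role may contain; anything else means the mapping is wrong.
EXPECTED_TYPES = {
    "certificate": {"CERTIFICATE"},
    "privateKey": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"},
    "certificateChain": {"CERTIFICATE"},
    "caCertificate": {"CERTIFICATE"},
}

# Constructed SecretString with placeholder bodies; a real secret holds base64 DER.
SAMPLE_SECRET_STRING = json.dumps({
    "ssl_cert": "-----BEGIN CERTIFICATE-----\nMIIBleaf...\n-----END CERTIFICATE-----",
    "ssl_key": "-----BEGIN PRIVATE KEY-----\nMIIEkey...\n-----END PRIVATE KEY-----",
    "ssl_chain": "-----BEGIN CERTIFICATE-----\nMIIBint1...\n-----END CERTIFICATE-----\n"
                 "-----BEGIN CERTIFICATE-----\nMIIBint2...\n-----END CERTIFICATE-----",
    "ssl_ca": "-----BEGIN CERTIFICATE-----\nMIIBroot...\n-----END CERTIFICATE-----",
})


def pem_block_types(text: str) -> list:
    """Return the PEM block types found in a string, in order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def load_synced_certificate(secret_string: str, field_mappings: dict) -> dict:
    """Resolve mapped field names to roles and validate each value before use."""
    data = json.loads(secret_string)
    roles = {}
    for role, field in field_mappings.items():
        value = data.get(field)
        if not isinstance(value, str):
            raise KeyError(f"field {field!r} for role {role!r} missing from secret")
        types = pem_block_types(value)
        if not types:
            raise ValueError(f"field {field!r} holds no PEM block")
        unexpected = [t for t in types if t not in EXPECTED_TYPES[role]]
        if unexpected:
            raise ValueError(f"field {field!r} holds {unexpected}, "
                             f"but role {role!r} expects {sorted(EXPECTED_TYPES[role])}")
        roles[role] = value
    return {
        # Leaf first, then intermediates: the order servers expect in a chain file.
        # The chain field excludes the root, so the root lives only in the CA field.
        "cert_bundle_pem": roles["certificate"] + "\n" + roles["certificateChain"],
        "key_pem": roles["privateKey"],
        "ca_pem": roles["caCertificate"],
        "chain_length": len(pem_block_types(roles["certificateChain"])),
    }


def write_for_app(material: dict, directory: str) -> dict:
    """Write bundle, key and CA files; the key file is created with mode 0600."""
    paths = {}
    for filename, key, mode in (("fullchain.pem", "cert_bundle_pem", 0o644),
                                ("privkey.pem", "key_pem", 0o600),
                                ("ca.pem", "ca_pem", 0o644)):
        path = os.path.join(directory, filename)
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
        with os.fdopen(fd, "w") as f:
            f.write(material[key] + "\n")
        paths[key] = path
    return paths


if __name__ == "__main__":
    material = load_synced_certificate(SAMPLE_SECRET_STRING, FIELD_MAPPINGS)
    print(write_for_app(material, tempfile.mkdtemp()))
```

Swapping the mapping so that `privateKey` points at `ssl_cert` makes `load_synced_certificate` raise, which is the failure mode to catch when field mappings are changed on the sync but not in the consuming application.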
## Manual Certificate Sync
You can manually trigger certificate synchronization to AWS Secrets Manager using the sync certificates functionality. This is useful for:
- Initial setup when you have existing certificates to deploy
- One-time syncs of specific certificates
- Testing a certificate sync configuration
- Forcing a sync after making changes
To manually sync certificates, use the [Sync Certificates](/api-reference/endpoints/pki/syncs/aws-secrets-manager/sync-certificates) API endpoint or the manual sync option in the Infisical UI.
<Note>
AWS Secrets Manager Certificate Syncs do not support importing certificates back into Infisical,
because AWS Secrets Manager stores certificates as JSON secrets rather than as managed certificate objects.
</Note>
## Secret Naming Constraints
AWS Secrets Manager has specific naming requirements for secrets:
- **Allowed Characters**: Letters, numbers, hyphens (-), and underscores (_) only
- **Length**: 1-512 characters
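As an added example (not Infisical's code), the following Python renders a `certificateNameSchema` for a given certificate ID and rejects any result that breaks the two constraints listed above (allowed characters, 1-512 length) before an AWS call would be made. It also models the documented `preserveSecretOnRenewal` behaviour: with it enabled a renewal updates the existing secret under the same name; with it disabled the renewed certificate, which has a new certificate ID, is written under a new name. The certificate IDs are the sample ones from the API request above, and the `SyncState` class is an illustration of the documented behaviour, not a description of how Infisical tracks state internally.

```python
"""Render and validate AWS Secrets Manager secret names for an Infisical
Certificate Sync, and model renewal naming. Added example, not Infisical's code."""
import re

PLACEHOLDER = "{{certificateId}}"
# Allowed characters and length as documented above for this sync.
VALID_NAME = re.compile(r"^[A-Za-z0-9_-]{1,512}$")


def render_secret_name(schema: str, certificate_id: str) -> str:
    """Substitute the certificate ID into the schema and validate the result."""
    if PLACEHOLDER not in schema:
        raise ValueError(f"schema {schema!r} lacks the {PLACEHOLDER} placeholder")
    name = schema.replace(PLACEHOLDER, certificate_id)
    if not VALID_NAME.fullmatch(name):
        raise ValueError(f"secret name {name!r} violates the naming constraints")
    return name


class SyncState:
    """Illustrative model of which secret name a certificate is written under."""

    def __init__(self, schema: str, preserve_secret_on_renewal: bool):
        self.schema = schema
        self.preserve = preserve_secret_on_renewal
        self.secrets = {}  # secret name -> certificate ID currently stored there

    def issue(self, certificate_id: str) -> str:
        """A newly issued certificate gets a name rendered from its own ID."""
        name = render_secret_name(self.schema, certificate_id)
        self.secrets[name] = certificate_id
        return name

    def renew(self, old_certificate_id: str, new_certificate_id: str) -> str:
        """Return the secret name the renewed certificate is written to."""
        old_name = next((n for n, c in self.secrets.items() if c == old_certificate_id), None)
        if old_name is None:
            raise KeyError(f"certificate {old_certificate_id!r} was never synced")
        if self.preserve:
            # Same name: the existing secret is updated in place.
            self.secrets[old_name] = new_certificate_id
            return old_name
        # New name derived from the renewed certificate's ID. What happens to the
        # previous secret is governed by the removal option and is not modelled here.
        return self.issue(new_certificate_id)


if __name__ == "__main__":
    # Sample certificate IDs from the docs' API request.
    old, new = "550e8400-e29b-41d4-a716-446655440000", "660f1234-e29b-41d4-a716-446655440001"
    for preserve in (True, False):
        state = SyncState("myapp-{{certificateId}}", preserve)
        state.issue(old)
        print(f"preserveSecretOnRenewal={preserve}: renewal written to {state.renew(old, new)}")
```

Validating the rendered name up front matters because a schema with a slash, dot or space in its literal part is accepted as text by the UI but produces names that fall outside the constraints listed above, so the failure would otherwise only surface at sync time.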