Available on AWS Managed Clusters. You can also access AWS Parameter Store from a GCP Managed Cluster using cross-cloud static credentials.
From an AWS Managed Cluster
Choose the authentication method that best fits your security requirements:
This authentication gives you access to all parameters located in the same AWS account as your cluster.
AWS Automatic & AWS Role authentications are mutually exclusive.
This is the simplest and quickest way to use your external secrets inside your services. The following information is required:
The target AWS Region where your parameters live
The secret manager access name
Qovery automatically creates an AWS IAM Role with the following permissions:
IAM permissions details for AWS Parameter Store
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:GetParameter",
"ssm:GetParameters",
"ssm:GetParametersByPath",
"ssm:DescribeParameters"
],
"Resource": "*"
}
]
}
You must create the AWS Role in the same AWS account as your cluster.
AWS Automatic & AWS Role authentications are mutually exclusive.
Creating your own AWS Role lets you control which parameters are accessible. The following information is required:
The target AWS Region where your parameters live
Your AWS Role ARN
The secret manager access name
Use our CloudFormation stack to create the AWS Role with the necessary permissions. Setup steps:
Open CloudFormation: click on the link “Cloudformation stack”
This opens AWS CloudFormation in a new tab (log in to AWS if needed)
In the AWS CloudFormation Console:
Click Next (template is pre-filled with Qovery’s requirements)
Stack name: Keep default qovery-secrets-manager-role-creation or customize
Parameters:
OIDCProviderURL: your cluster's OIDC provider URL, filled in automatically; no need to edit it
RoleName: the name of the IAM Role that will be created; keep the default or customize
✅ Important: Check “I acknowledge that AWS CloudFormation might create IAM resources”
Click Create stack
Wait for completion (~1 minute):
Status changes: CREATE_IN_PROGRESS → CREATE_COMPLETE
Refresh page if needed
Get the Role ARN:
Click on the Outputs tab
Find RoleARN key
Copy the value
You can edit the permissions attached to the created role to restrict access to your parameters as you wish (see below):
IAM permissions for AWS Parameter Store
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:GetParameter",
"ssm:GetParameters",
"ssm:GetParametersByPath",
"ssm:DescribeParameters"
],
"Resource": "*"
}
]
}
You can restrict access to specific resources using wildcards. However, ssm:DescribeParameters must always target Resource: "*" — AWS does not support resource-level restrictions for this action. Without it, Qovery cannot list available parameters when configuring an external secret. Example:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:GetParameter",
"ssm:GetParameters",
"ssm:GetParametersByPath"
],
"Resource": "arn:aws:ssm:eu-west-3:XXXXXXXXXXXX:parameter/staging*"
},
{
"Effect": "Allow",
"Action": [
"ssm:DescribeParameters"
],
"Resource": "*"
}
]
}
The following information is required:
Your AWS Access Key
Your AWS Secret Access Key
The target AWS Region where your parameters live
The secret manager access name
You need to configure the following permissions:
IAM permissions for AWS Parameter Store
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:GetParameter",
"ssm:GetParameters",
"ssm:GetParametersByPath",
"ssm:DescribeParameters"
],
"Resource": "*"
}
]
}
You can restrict access to specific resources using wildcards. However, ssm:DescribeParameters must always target Resource: "*" — AWS does not support resource-level restrictions for this action. Without it, Qovery cannot list available parameters when configuring an external secret. Example:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:GetParameter",
"ssm:GetParameters",
"ssm:GetParametersByPath"
],
"Resource": "arn:aws:ssm:eu-west-3:XXXXXXXXXXXX:parameter/staging*"
},
{
"Effect": "Allow",
"Action": [
"ssm:DescribeParameters"
],
"Resource": "*"
}
]
}
From a GCP Managed Cluster (cross-cloud)
You can access AWS Parameter Store from a GCP cluster using static credentials.
The following information is required:
Your AWS Access Key
Your AWS Secret Access Key
The target AWS Region where your parameters live
The secret manager access name
You need to configure the following permissions:
IAM permissions for AWS Parameter Store
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:GetParameter",
"ssm:GetParameters",
"ssm:GetParametersByPath",
"ssm:DescribeParameters"
],
"Resource": "*"
}
]
}
You can restrict access to specific resources using wildcards. However, ssm:DescribeParameters must always target Resource: "*" — AWS does not support resource-level restrictions for this action. Without it, Qovery cannot list available parameters when configuring an external secret. Example:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:GetParameter",
"ssm:GetParameters",
"ssm:GetParametersByPath"
],
"Resource": "arn:aws:ssm:eu-west-3:XXXXXXXXXXXX:parameter/staging*"
},
{
"Effect": "Allow",
"Action": [
"ssm:DescribeParameters"
],
"Resource": "*"
}
]
}
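The restricted policy shown for the AWS Role and static-credential setups above scopes reads to `parameter/staging*`. As an added example (not Qovery's code), this simplified matcher shows which parameter names that pattern really covers, next to a tighter `parameter/staging/*` variant. The account ID, the parameter names and the tighter variant are constructed for illustration, and only Allow statements are evaluated (no Deny, conditions or action wildcards).

```python
import re

READ = {"ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath"}
REGION, ACCOUNT = "eu-west-3", "111122223333"  # constructed sample account ID

def policy(read_resource):
    # Same shape as the restricted policy on this page.
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": sorted(READ), "Resource": read_resource},
        {"Effect": "Allow", "Action": ["ssm:DescribeParameters"], "Resource": "*"}]}

PAGE_POLICY = policy(f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter/staging*")
# Assumption: a tightened variant limited to the /staging/ hierarchy.
TIGHTER = policy(f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter/staging/*")

# Constructed parameter names, not taken from any real account.
SAMPLE_NAMES = ["/staging/db/password", "/staging-legacy/api-key",
                "stagingbackup", "/production/db/password"]

def as_list(value):
    return value if isinstance(value, list) else [value]

def arn_matches(pattern, arn):
    """IAM-style wildcard match: '*' is any run of characters, '?' exactly one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, arn) is not None

def parameter_arn(name):
    # A parameter named "/staging/db" has the ARN "...:parameter/staging/db".
    return f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter/{name.lstrip('/')}"

def readable(pol, names):
    """Names for which some Allow statement grants a read action on the ARN."""
    allowed = [as_list(s["Resource"]) for s in pol["Statement"]
               if s["Effect"] == "Allow" and READ & set(as_list(s["Action"]))]
    return [n for n in names
            if any(arn_matches(p, parameter_arn(n)) for res in allowed for p in res)]

def describe_unscoped(pol):
    """True if ssm:DescribeParameters is allowed on Resource "*", as the page requires."""
    return any(s["Effect"] == "Allow"
               and "ssm:DescribeParameters" in as_list(s["Action"])
               and "*" in as_list(s["Resource"]) for s in pol["Statement"])

if __name__ == "__main__":
    for label, pol in (("page policy", PAGE_POLICY), ("tightened", TIGHTER)):
        print(label, readable(pol, SAMPLE_NAMES), describe_unscoped(pol))
```

With `parameter/staging*`, any parameter whose name merely begins with "staging" is readable; ending the pattern in `/staging/*` limits the grant to that hierarchy.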