# AWS Secrets Manager

> Connect your Qovery cluster to AWS Secrets Manager through the External Secrets Operator (ESO)

<Info>
  Available on **AWS Managed Clusters**. You can also access AWS Secrets Manager from a GCP Managed Cluster using cross-cloud static credentials.
</Info>

## From an AWS Managed Cluster

Choose the authentication method that best fits your security requirements:

<Tabs>
  <Tab title="AWS Automatic Authentication">
    <Info>
      This authentication gives the cluster read access to **all secrets** in the AWS account that hosts it: the role below is granted on `Resource: "*"`, so any Qovery service that references this secret manager access can be pointed at any secret in the account. Prefer the AWS Role ARN method when you need to limit which secrets are reachable.
    </Info>

    <Info>
      AWS Automatic & AWS Role authentications are mutually exclusive.
    </Info>

    This is the simplest and quickest way to use your external secrets inside your services.

    The following information is required:

    * The target AWS Region where your secrets live
    * The secret manager access name

    <Frame>
      <img src="https://mintcdn.com/qovery/6fdDvhSOOcJ9uNJR/images/configuration/secret-manager-access/sma-automatic-aws-secret-manager.png?fit=max&auto=format&n=6fdDvhSOOcJ9uNJR&q=85&s=460e55a74104bfac6f0de17ac0cd3864" alt="Configure AWS Automatic authentication" width="3420" height="2142" data-path="images/configuration/secret-manager-access/sma-automatic-aws-secret-manager.png" />
    </Frame>

    Qovery automatically creates an AWS IAM Role with the following permissions:

    <AccordionGroup>
      <Accordion title="IAM permissions details for AWS Secrets Manager">
        ```
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "secretsmanager:GetResourcePolicy",
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret",
                "secretsmanager:ListSecretVersionIds",
                "secretsmanager:ListSecrets"
              ],
              "Resource": "*"
            }
          ]
        }
        ```
      </Accordion>
    </AccordionGroup>
  </Tab>

  <Tab title="AWS Role ARN">
    <Info>
      You must create the AWS Role in the same AWS account as your cluster.
    </Info>

    <Info>
      AWS Automatic & AWS Role authentications are mutually exclusive.
    </Info>

    Creating your own AWS Role lets you control which secrets are accessible.

    The following information is required:

    * The target AWS Region where your secrets live
    * Your AWS Role ARN
    * The secret manager access name

    <Frame>
      <img src="https://mintcdn.com/qovery/6fdDvhSOOcJ9uNJR/images/configuration/secret-manager-access/sma-arn-role-details.png?fit=max&auto=format&n=6fdDvhSOOcJ9uNJR&q=85&s=b2c7bf493111d0e4350c3c8bd5540528" alt="Configure AWS ARN Role authentication" width="3420" height="2145" data-path="images/configuration/secret-manager-access/sma-arn-role-details.png" />
    </Frame>

    #### Use our CloudFormation stack to create the AWS Role

    The CloudFormation stack linked from the Qovery console creates the IAM Role, binds its trust policy to your cluster's OIDC provider so that the role can only be assumed from that cluster, and attaches the Secrets Manager permissions listed below.

    <Frame>
      <img src="https://mintcdn.com/qovery/6fdDvhSOOcJ9uNJR/images/configuration/secret-manager-access/sma-arn-role-aws-secret-manager.png?fit=max&auto=format&n=6fdDvhSOOcJ9uNJR&q=85&s=fe4f451c23c108d285377fb65c50dea2" alt="Configure AWS ARN Role authentication" width="3420" height="2145" data-path="images/configuration/secret-manager-access/sma-arn-role-aws-secret-manager.png" />
    </Frame>

    **Setup Steps**:

    1. **Open CloudFormation**: click the **CloudFormation stack** link
       * This opens AWS CloudFormation in a new tab (sign in to AWS if needed)

    2. **In the AWS CloudFormation console**:
       * Click **Next** (the template is pre-filled with Qovery's requirements)
       * Stack name: keep the default `qovery-secrets-manager-role-creation` or customize it
       * **Parameters**:
         * **OIDCProviderURL**: your cluster's OIDC provider URL, pre-filled by Qovery. Leave it unchanged: it is what ties the role to this cluster, so that the role can only be assumed by workloads running there
         * **RoleName**: the name of the IAM Role to create; keep the default or customize it
       * ✅ **Important**: Check **"I acknowledge that AWS CloudFormation might create IAM resources"**
       * Click **Create stack**

    3. **Wait for completion** (\~1 minute):
       * Status changes: `CREATE_IN_PROGRESS` → `CREATE_COMPLETE`
       * Refresh page if needed

    4. **Get the Role ARN**:
       * Click on the **Outputs** tab
       * Find **RoleARN** key
       * Copy the value

    The stack attaches the permissions below, which grant read access to every secret in the account. Edit the policy on the created role to restrict it to the secrets this cluster actually needs:

    <AccordionGroup>
      <Accordion title="IAM permissions for AWS Secrets Manager">
        ```
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "secretsmanager:GetResourcePolicy",
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret",
                "secretsmanager:ListSecretVersionIds",
                "secretsmanager:ListSecrets"
              ],
              "Resource": "*"
            }
          ]
        }
        ```

        <Warning>
          You can restrict the read actions to specific secrets with wildcards in the `Resource` ARN. Secrets Manager appends a hyphen and six random characters to the secret name when it builds the ARN, so a pattern must end with `*` (`secret:staging*` matches every secret whose name starts with `staging`) or with `-??????` (`secret:staging/db-??????` pins exactly one secret); an ARN without a wildcard never matches.

          `secretsmanager:ListSecrets` must keep `Resource: "*"`, because AWS does not support resource-level permissions for this action; without it, Qovery cannot list the available secrets when you configure an external secret. Listing exposes only secret names and metadata; values stay readable only for the ARNs matched by the first statement.

          Example (replace `XXXXXXXXXXXX` with your AWS account ID):

          ```
          {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Effect": "Allow",
                "Action": [
                  "secretsmanager:GetResourcePolicy",
                  "secretsmanager:GetSecretValue",
                  "secretsmanager:DescribeSecret",
                  "secretsmanager:ListSecretVersionIds"
                ],
                "Resource": "arn:aws:secretsmanager:eu-west-3:XXXXXXXXXXXX:secret:staging*"
              },
              {
                "Effect": "Allow",
                "Action": [
                  "secretsmanager:ListSecrets"
                ],
                "Resource": "*"
              }
            ]
          }
          ```
        </Warning>
      </Accordion>
    </AccordionGroup>
  </Tab>

  <Tab title="AWS Static Credentials">
    The following information is required:

    * Your AWS Access Key
    * Your AWS Secret Access Key
    * The target AWS Region where your secrets live
    * The secret manager access name

    Create a dedicated IAM identity for this integration and attach only the following permissions to it. Unlike a role, an access key is long-lived and usable from anywhere, so scope it to the secrets the cluster needs and rotate it:

    <AccordionGroup>
      <Accordion title="IAM permissions for AWS Secrets Manager">
        ```
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "secretsmanager:GetResourcePolicy",
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret",
                "secretsmanager:ListSecretVersionIds",
                "secretsmanager:ListSecrets"
              ],
              "Resource": "*"
            }
          ]
        }
        ```

        <Warning>
          You can restrict the read actions to specific secrets with wildcards in the `Resource` ARN. Secrets Manager appends a hyphen and six random characters to the secret name when it builds the ARN, so a pattern must end with `*` (`secret:staging*` matches every secret whose name starts with `staging`) or with `-??????` (`secret:staging/db-??????` pins exactly one secret); an ARN without a wildcard never matches.

          `secretsmanager:ListSecrets` must keep `Resource: "*"`, because AWS does not support resource-level permissions for this action; without it, Qovery cannot list the available secrets when you configure an external secret. Listing exposes only secret names and metadata; values stay readable only for the ARNs matched by the first statement.

          Example (replace `XXXXXXXXXXXX` with your AWS account ID):

          ```
          {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Effect": "Allow",
                "Action": [
                  "secretsmanager:GetResourcePolicy",
                  "secretsmanager:GetSecretValue",
                  "secretsmanager:DescribeSecret",
                  "secretsmanager:ListSecretVersionIds"
                ],
                "Resource": "arn:aws:secretsmanager:eu-west-3:XXXXXXXXXXXX:secret:staging*"
              },
              {
                "Effect": "Allow",
                "Action": [
                  "secretsmanager:ListSecrets"
                ],
                "Resource": "*"
              }
            ]
          }
          ```
        </Warning>
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>

## From a GCP Managed Cluster (cross-cloud)

You can access AWS Secrets Manager from a GCP cluster using static AWS credentials. There is no cross-cloud role-based option, so the same scoping and rotation advice as for static credentials on AWS applies.

The following information is required:

* Your AWS Access Key
* Your AWS Secret Access Key
* The target AWS Region where your secrets live
* The secret manager access name

Create a dedicated IAM identity for these credentials and attach only the following permissions to it; the access key is long-lived and usable from anywhere, so scope it to the secrets the cluster needs and rotate it:

<AccordionGroup>
  <Accordion title="IAM permissions for AWS Secrets Manager">
    ```
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "secretsmanager:GetResourcePolicy",
            "secretsmanager:GetSecretValue",
            "secretsmanager:DescribeSecret",
            "secretsmanager:ListSecretVersionIds",
            "secretsmanager:ListSecrets"
          ],
          "Resource": "*"
        }
      ]
    }
    ```

    <Warning>
      You can restrict the read actions to specific secrets with wildcards in the `Resource` ARN. Secrets Manager appends a hyphen and six random characters to the secret name when it builds the ARN, so a pattern must end with `*` (`secret:staging*` matches every secret whose name starts with `staging`) or with `-??????` (`secret:staging/db-??????` pins exactly one secret); an ARN without a wildcard never matches.

      `secretsmanager:ListSecrets` must keep `Resource: "*"`, because AWS does not support resource-level permissions for this action; without it, Qovery cannot list the available secrets when you configure an external secret. Listing exposes only secret names and metadata; values stay readable only for the ARNs matched by the first statement.

      Example (replace `XXXXXXXXXXXX` with your AWS account ID):

      ```
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "secretsmanager:GetResourcePolicy",
              "secretsmanager:GetSecretValue",
              "secretsmanager:DescribeSecret",
              "secretsmanager:ListSecretVersionIds"
            ],
            "Resource": "arn:aws:secretsmanager:eu-west-3:XXXXXXXXXXXX:secret:staging*"
          },
          {
            "Effect": "Allow",
            "Action": [
              "secretsmanager:ListSecrets"
            ],
            "Resource": "*"
          }
        ]
      }
      ```
    </Warning>
  </Accordion>
</AccordionGroup>
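
The scoped-down policy shown in the warnings above (in the AWS Role ARN and AWS Static Credentials tabs, and in this cross-cloud section) is easy to get wrong because of the random ARN suffix. The following Python script is an added example for this page, not Qovery's or ESO's code: it builds the two-statement policy from a list of secret-name prefixes (and optionally pinned names) and evaluates, without calling AWS, which secret ARNs that policy lets the role or access key read, so you can check it before attaching it. The evaluator is a simplified IAM matcher (wildcards `*` and `?`, explicit Deny over Allow; Condition, NotAction and NotResource are not modelled). The region `eu-west-3`, the account ID `123456789012` and the secret names are constructed placeholders.

```python
"""Offline check for a scoped-down AWS Secrets Manager policy.

Added example for this page, not Qovery's or ESO's own code. It builds the
two-statement policy shown in the warnings above from secret-name prefixes
(and optionally pinned names) and evaluates, without calling AWS, which
secret ARNs that policy lets a role or access key read. Region, account ID
and secret names used below are constructed placeholders.
"""
import json
import re
from typing import Dict, List, Sequence, Union

READ_ACTIONS = [
    "secretsmanager:GetResourcePolicy",
    "secretsmanager:GetSecretValue",
    "secretsmanager:DescribeSecret",
    "secretsmanager:ListSecretVersionIds",
]
LIST_ACTION = "secretsmanager:ListSecrets"  # AWS offers no resource-level scoping here


def secret_arn(region: str, account: str, name: str, suffix: str = "Ab1Cd2") -> str:
    """ARN as Secrets Manager builds it: the name plus '-' and six random characters."""
    return f"arn:aws:secretsmanager:{region}:{account}:secret:{name}-{suffix}"


def build_policy(region: str, account: str,
                 prefixes: Sequence[str] = (), names: Sequence[str] = ()) -> Dict:
    """Read actions scoped to name prefixes ('prefix*') and pinned names
    ('name-??????'); ListSecrets stays on '*' so Qovery can enumerate secrets."""
    base = f"arn:aws:secretsmanager:{region}:{account}:secret:"
    resources = [f"{base}{p}*" for p in prefixes] + [f"{base}{n}-??????" for n in names]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": READ_ACTIONS, "Resource": resources},
            {"Effect": "Allow", "Action": [LIST_ACTION], "Resource": "*"},
        ],
    }


def _glob_to_regex(pattern: str) -> re.Pattern:
    """IAM wildcards in Action/Resource: '*' is any run of characters, '?' one character."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{escaped}$")


def _as_list(value: Union[str, Sequence[str]]) -> List[str]:
    return [value] if isinstance(value, str) else list(value)


def is_allowed(policy: Dict, action: str, arn: str) -> bool:
    """Simplified IAM evaluation: a matching explicit Deny wins, then any matching
    Allow, otherwise implicit deny. Condition, NotAction and NotResource are not modelled."""
    decision = False
    for stmt in policy["Statement"]:
        action_hit = any(_glob_to_regex(a).match(action) for a in _as_list(stmt["Action"]))
        resource_hit = any(_glob_to_regex(r).match(arn) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


def readable_secrets(policy: Dict, arns: Sequence[str]) -> Dict[str, bool]:
    """Which of the given secret ARNs this policy lets a service read the value of."""
    return {arn: is_allowed(policy, "secretsmanager:GetSecretValue", arn) for arn in arns}


if __name__ == "__main__":
    region, account = "eu-west-3", "123456789012"  # constructed placeholders
    policy = build_policy(region, account, prefixes=["staging/"], names=["shared/ci-token"])
    candidates = [
        secret_arn(region, account, "staging/db"),
        secret_arn(region, account, "shared/ci-token"),
        secret_arn(region, account, "shared/ci-token-old"),
        secret_arn(region, account, "prod/db"),
    ]
    print(json.dumps(policy, indent=2))
    for arn, ok in readable_secrets(policy, candidates).items():
        print("ALLOW" if ok else "DENY ", "GetSecretValue", arn)
    print("ListSecrets account-wide:", is_allowed(policy, LIST_ACTION, "*"))
    # Without a trailing wildcard the random suffix makes the ARN never match.
    exact = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": READ_ACTIONS,
        "Resource": f"arn:aws:secretsmanager:{region}:{account}:secret:staging/db"}]}
    print("exact name, no wildcard:", readable_secrets(exact, candidates[:1]))
```

Run it with the prefixes and names your services actually reference, paste the printed policy onto the role or IAM identity, and keep the list of candidate ARNs as a regression check whenever the policy is edited. The `-??????` form is the one to use when a single secret must be reachable without also exposing secrets that happen to share its name as a prefix.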

***

[← Back to Secret Manager Integration overview](/configuration/integrations/secret-managers/secret-manager-access#reference-the-external-secrets-in-your-service)
