Establish a User to Access Secrets Manager

Alation Cloud Service: Applies to Alation Cloud Service instances of Alation

Customer Managed: Applies to customer-managed instances of Alation

Use the information in this topic to integrate your Alation instance with AWS Secrets Manager using the credentials of an IAM user, supplied to Alation as an access key ID and secret access key.

Note

To see other options for integrating with AWS Secrets Manager, see Integration with AWS Secrets Manager for Data Source Authentication Using OCF Connector.

Step 1: Create a Security Policy to Access Secrets Manager

This step is performed in the AWS IAM console

For the AWS Secrets Manager integration, you need an AWS IAM policy that grants read access to AWS Secrets Manager. Here and below, the placeholder name read_secrets_policy refers to this policy.

If you haven’t established a read_secrets_policy yet, create one:

  1. Log in to the AWS IAM management console.

  2. From the left-hand menu, under Access management, select Policies.

  3. Click Create policy. The policy editor will open.

  4. Under Select a service, type secrets in the search bar and select Secrets Manager. This will display actions relevant to the service.

  5. Under Actions allowed, expand the Read list and select the checkbox for the action GetSecretValue.

  6. Under Resources, select All.

    Note

    Selecting All produces Resource "*", which lets the access key read every secret in the account. Restrict the policy to the secrets Alation actually needs:

    1. Instead of All, select Specific.

    2. Click Add ARNs and enter the secret’s region, account, and secret ID; the console builds the ARN (Amazon Resource Name) for you. Secrets Manager appends a random suffix to the secret name in its ARN, so copy the full ARN from the secret’s details page rather than typing the bare name.

    You can adjust the resource permissions anytime by editing this policy. If a secret is encrypted with a customer-managed KMS key, the user also needs kms:Decrypt on that key.

  7. Click Next. The Review and create screen will open.

  8. Under Policy details, in the Policy name field, provide a meaningful name.

  9. Review the details, and click Create policy to create the policy. It will be added to the list of policies under your AWS account. If you kept Resources set to All, the policy JSON looks similar to the following (with Specific, the Resource element lists the secret ARNs you entered instead of "*"):

    {
      "Version": "2012-10-17",
      "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "*"
        }
      ]
    }
    
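The Resource element is where the security of this policy is decided. The following is an added example, not Alation or AWS code: it builds the scoped form of read_secrets_policy from a list of secret names and audits any policy document (including the console-generated one above) for secrets it can read beyond the intended set. The region, account ID, secret names and ARN suffixes are constructed placeholders; the matcher models only Allow statements and the * and ? wildcards, not Deny statements or Condition blocks, so treat it as a review aid rather than an IAM simulator.

```python
"""Build and audit the IAM policy an Alation IAM user uses to read secrets.

Added example, not Alation or AWS code. All ARNs, names and IDs below are
constructed placeholders.
"""
import fnmatch
import json

REGION = "us-east-1"          # constructed placeholder
ACCOUNT_ID = "123456789012"   # constructed placeholder


def secret_arn(region: str, account_id: str, name: str) -> str:
    """Resource pattern for one secret.

    Secrets Manager appends a random six-character suffix to the secret
    name in its ARN (…:secret:alation/db-AbCdEf), so a policy that names
    the secret must either copy the full ARN or end in '-*'.
    """
    return f"arn:aws:secretsmanager:{region}:{account_id}:secret:{name}-*"


def build_read_secrets_policy(secret_arns):
    """Least-privilege form of read_secrets_policy: GetSecretValue only,
    limited to the listed secret ARNs instead of "*"."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AlationReadSecrets",
                "Effect": "Allow",
                "Action": "secretsmanager:GetSecretValue",
                "Resource": sorted(secret_arns),
            }
        ],
    }


def _as_list(value):
    # IAM allows a string or a list in Action and Resource.
    return value if isinstance(value, list) else [value]


def readable_secrets(policy, candidate_arns):
    """Return the candidate ARNs that some Allow statement lets
    secretsmanager:GetSecretValue read (wildcards via fnmatch; Deny
    statements and Conditions are not modelled)."""
    readable = []
    for arn in candidate_arns:
        for stmt in policy["Statement"]:
            if stmt.get("Effect") != "Allow":
                continue
            actions = _as_list(stmt.get("Action", []))
            if not any(fnmatch.fnmatchcase("secretsmanager:GetSecretValue", a)
                       for a in actions):
                continue
            resources = _as_list(stmt.get("Resource", []))
            if any(fnmatch.fnmatchcase(arn, r) for r in resources):
                readable.append(arn)
                break
    return readable


def unintended_access(policy, intended_patterns, account_secrets):
    """Secrets the policy can read that match none of the intended patterns."""
    return [arn for arn in readable_secrets(policy, account_secrets)
            if not any(fnmatch.fnmatchcase(arn, p) for p in intended_patterns)]


# Constructed sample: the two secrets Alation's connectors should read, plus
# an unrelated secret that happens to live in the same account.
ALATION_SECRETS = [
    secret_arn(REGION, ACCOUNT_ID, "alation/postgres-prod"),
    secret_arn(REGION, ACCOUNT_ID, "alation/snowflake-prod"),
]
ACCOUNT_SECRETS = [
    f"arn:aws:secretsmanager:{REGION}:{ACCOUNT_ID}:secret:alation/postgres-prod-Ab12Cd",
    f"arn:aws:secretsmanager:{REGION}:{ACCOUNT_ID}:secret:alation/snowflake-prod-Ef34Gh",
    f"arn:aws:secretsmanager:{REGION}:{ACCOUNT_ID}:secret:payroll/hr-db-Ij56Kl",
]

# The policy the console generates when Resources is left at All.
CONSOLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow",
                   "Action": "secretsmanager:GetSecretValue", "Resource": "*"}],
}
SCOPED_POLICY = build_read_secrets_policy(ALATION_SECRETS)

if __name__ == "__main__":
    print(json.dumps(SCOPED_POLICY, indent=2))
    print("console policy also exposes:",
          unintended_access(CONSOLE_POLICY, ALATION_SECRETS, ACCOUNT_SECRETS))
    print("scoped policy exposes:",
          unintended_access(SCOPED_POLICY, ALATION_SECRETS, ACCOUNT_SECRETS))
```

Run it against a policy exported from the console (for example with `aws iam get-policy-version`) and a list of the account's secret ARNs to confirm the Alation user can reach only the secrets its data sources need; the printed SCOPED_POLICY is what to paste into the JSON editor in place of the Resource "*" version.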

Step 2: Configure an IAM User

This step is performed in the AWS IAM console

To configure an IAM user:

  1. In the AWS user interface, open the IAM console (IAM dashboard).

  2. In the left menu, under Access Management, select Users.

  3. Select the user for whom you want to create access keys, or create a dedicated user for Alation. A dedicated user with no other permissions is preferable, because the access key is a long-lived credential.

  4. Ensure that the user has the read_secrets_policy policy attached. If not, attach the policy to the user.

  5. Open the Security credentials tab of the user’s page and locate the Access keys section. Click Create access key in this section.

  6. Create an access key ID and a secret access key. See Managing access keys for IAM users - AWS Identity and Access Management for more details.

  7. Save the access key ID and secret access key in a secure location. AWS shows the secret access key only at creation time; if you lose it, you must create a new access key.

Step 3: Create an Authentication Profile

This step is performed in Alation

You’ll need the access key ID and secret access key created in Step 2, and the AWS region where the secrets are stored.

To create an authentication profile:

  1. Log in to your Alation instance as a Server Admin.

  2. Click the Admin Settings gear icon on top right to open the Admin Settings page.

  3. Click Authentication to open the Authentication tab. Locate the section Authentication Configuration Methods for External Systems.

  4. In 2024.1.4 and later, for Alation Cloud Service instances on the cloud-native architecture, find the See configurations for drop-down menu and ensure that Alation Cloud Service is selected.

  5. Click Add Configuration, and then select AWS Secrets Manager as the method type. If you’re creating a configuration for an Alation Agent, the only option is AWS Secrets Manager. The Authentication Configuration Method page will open in a new browser tab.

  6. In Config Name, enter a unique name for the configuration. Save it for future reference when configuring the data source.

  7. Under Region, select the appropriate AWS region for the Secrets Manager service (the region under which your secrets are stored).

  8. Under Authentication Type, select IAM User. The fields AWS Access Key and AWS Secret Key will appear.


    Note

    On versions older than 2024.1.1, the Authentication Type field takes the value iam_user, and the remaining fields are always shown on the page.

  9. Under AWS Access Key, enter the AWS access key you created.

  10. Under AWS Secret Key, enter the AWS secret access key associated with your access key.

  11. Click Save. Alation attempts to create a connection, and if the connection is successful, the configuration is saved. If it fails, verify that the access key pair is correct, that the selected region matches the region of the secrets, and that read_secrets_policy is attached to the IAM user.

Now, you can use your integration with an OCF connector. See next: Configure Authentication with AWS Secrets Manager in Data Source Settings.