docs/documentation/platform/pki/certificate-syncs/aws-secrets-manager.mdx
Prerequisites:
Any role with these permissions would work such as a custom policy with SecretsManager permissions.
</Note> <Note> Certificates synced to AWS Secrets Manager will be stored as JSON secrets, preserving both the certificate and private key components as separate fields within the secret value. </Note> <Tabs> <Tab title="Infisical UI"> 1. Navigate to **Project** > **Integrations** > **Certificate Syncs** and press **Add Sync**.  2. Select the **AWS Secrets Manager** option.
3. Configure the **Destination** to where certificates should be deployed, then click **Next**.
- **AWS Connection**: The AWS Connection to authenticate with.
- **Region**: The AWS region where secrets will be stored.
4. Configure the **Sync Options** to specify how certificates should be synced, then click **Next**.
- **Enable Removal of Expired/Revoked Certificates**: If enabled, Infisical will remove certificates from the destination if they are no longer active in Infisical.
- **Preserve Secret on Renewal**: Only applies to certificate renewals. When a certificate is renewed in Infisical, this option controls how the renewed certificate is handled. If enabled, the renewed certificate will update the existing secret, preserving the same secret name. If disabled, the renewed certificate will be created as a new secret with a new name.
- **Include Root CA**: If enabled, the Root CA certificate will be included in the certificate chain when syncing to AWS Secrets Manager. If disabled, only intermediate certificates will be included.
- **Certificate Name Schema** (Optional): Customize how secret names are generated in AWS Secrets Manager. Use `{{certificateId}}` as a placeholder for the certificate ID.
- **Auto-Sync Enabled**: If enabled, certificates will automatically be synced when changes occur. Disable to enforce manual syncing only.
5. Configure the **Field Mappings** to customize how certificate data is stored in AWS Secrets Manager secrets, then click **Next**.
- **Certificate Field**: The field name where the certificate will be stored in the secret value (default: `certificate`)
- **Private Key Field**: The field name where the private key will be stored in the secret value (default: `private_key`)
- **Certificate Chain Field**: The field name where the full certificate chain excluding the root CA certificate will be stored (default: `certificate_chain`)
- **CA Certificate Field**: The field name where the root CA certificate will be stored (default: `ca_certificate`)
<Tip>
**AWS Secrets Manager Secret Structure**: Certificates are stored in AWS Secrets Manager as JSON secrets with the following structure (field names can be customized via field mappings):
```json
{
"certificate": "-----BEGIN CERTIFICATE-----\n...",
"private_key": "-----BEGIN PRIVATE KEY-----\n...",
"certificate_chain": "-----BEGIN CERTIFICATE-----\n...",
"ca_certificate": "-----BEGIN CERTIFICATE-----\n..."
}
```
**Example with Custom Field Mappings**:
```json
{
"ssl_cert": "-----BEGIN CERTIFICATE-----\n...",
"ssl_key": "-----BEGIN PRIVATE KEY-----\n...",
"ssl_chain": "-----BEGIN CERTIFICATE-----\n...",
"ssl_ca": "-----BEGIN CERTIFICATE-----\n..."
}
```
</Tip>
6. Configure the **Details** of your AWS Secrets Manager Certificate Sync, then click **Next**.
- **Name**: The name of your sync. Must be slug-friendly.
- **Description**: An optional description for your sync.
7. Select which certificates should be synced to AWS Secrets Manager.
8. Review your AWS Secrets Manager Certificate Sync configuration, then click **Create Sync**.
9. If enabled, your AWS Secrets Manager Certificate Sync will begin syncing your certificates to the destination endpoint.
</Tab>
<Tab title="API">
To create an **AWS Secrets Manager Certificate Sync**, make an API request to the [Create AWS Secrets Manager Certificate Sync](/api-reference/endpoints/pki/syncs/aws-secrets-manager/create) API endpoint.
### Sample request
<Note>
You can optionally specify `certificateIds` during sync creation to immediately add certificates to the sync.
If not provided, you can add certificates later using the certificate management endpoints.
</Note>
```bash Request
curl --request POST \
--url https://app.infisical.com/api/v1/cert-manager/syncs/aws-secrets-manager \
--header 'Authorization: Bearer <access-token>' \
--header 'Content-Type: application/json' \
--data '{
"name": "my-aws-secrets-manager-cert-sync",
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"description": "an example certificate sync",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"destination": "aws-secrets-manager",
"isAutoSyncEnabled": true,
"certificateIds": [
"550e8400-e29b-41d4-a716-446655440000",
"660f1234-e29b-41d4-a716-446655440001"
],
"syncOptions": {
"canRemoveCertificates": true,
"preserveSecretOnRenewal": true,
"canImportCertificates": false,
"includeRootCa": false,
"certificateNameSchema": "myapp-{{certificateId}}",
"fieldMappings": {
"certificate": "ssl_cert",
"privateKey": "ssl_key",
"certificateChain": "ssl_chain",
"caCertificate": "ssl_ca"
}
},
"destinationConfig": {
"region": "us-east-1",
"keyId": "alias/my-kms-key"
}
}'
```
### Example with Default Field Mappings
```bash Request
curl --request POST \
--url https://app.infisical.com/api/v1/cert-manager/syncs/aws-secrets-manager \
--header 'Authorization: Bearer <access-token>' \
--header 'Content-Type: application/json' \
--data '{
"name": "my-aws-secrets-manager-cert-sync-default",
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"description": "AWS Secrets Manager sync with default field mappings",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"destination": "aws-secrets-manager",
"isAutoSyncEnabled": true,
"syncOptions": {
"canRemoveCertificates": true,
"preserveSecretOnRenewal": true,
"canImportCertificates": false,
"includeRootCa": false,
"certificateNameSchema": "infisical-{{certificateId}}",
"fieldMappings": {
"certificate": "certificate",
"privateKey": "private_key",
"certificateChain": "certificate_chain",
"caCertificate": "ca_certificate"
}
},
"destinationConfig": {
"region": "us-west-2"
}
}'
```
### Sample response
```json Response
{
"pkiSync": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"name": "my-aws-secrets-manager-cert-sync",
"description": "an example certificate sync",
"destination": "aws-secrets-manager",
"isAutoSyncEnabled": true,
"destinationConfig": {
"region": "us-east-1",
"keyId": "alias/my-kms-key"
},
"syncOptions": {
"canRemoveCertificates": true,
"preserveSecretOnRenewal": true,
"canImportCertificates": false,
"includeRootCa": false,
"certificateNameSchema": "myapp-{{certificateId}}",
"fieldMappings": {
"certificate": "ssl_cert",
"privateKey": "ssl_key",
"certificateChain": "ssl_chain",
"caCertificate": "ssl_ca"
}
},
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"createdAt": "2023-01-01T00:00:00.000Z",
"updatedAt": "2023-01-01T00:00:00.000Z"
}
}
```
</Tab>
The AWS Secrets Manager Certificate Sync provides:
You can manually trigger certificate synchronization to AWS Secrets Manager using the sync certificates functionality. This is useful for:
To manually sync certificates, use the Sync Certificates API endpoint or the manual sync option in the Infisical UI.
AWS Secrets Manager has specific naming requirements for secrets: