AWS Secrets Manager - Infisical

Store certificates in AWS Secrets Manager as JSON secrets for application retrieval. Certificates are stored with customizable field names for the certificate, private key, and chain.

<Info> Certificate Syncs are configured per Application. First select which certificates to sync, then configure the Secrets Manager destination. </Info>

Prerequisites

An AWS Connection with the following permissions:
- secretsmanager:CreateSecret
- secretsmanager:UpdateSecret
- secretsmanager:GetSecretValue
- secretsmanager:DeleteSecret
- secretsmanager:ListSecrets

<Note> Certificates are stored as JSON secrets with configurable field names for certificate, private key, and chain. </Note>

Create a Secrets Manager Sync

<Tabs> <Tab title="Infisical UI"> 1. In your Application, go to the **Certificate Syncs** tab and click **Create Sync**.

    2. Select the **AWS Secrets Manager** option.

    3. Configure the **Destination**:
        - **AWS Connection**: The AWS Connection to authenticate with.
        - **Region**: The AWS region where secrets will be stored.

    4. Configure the **Sync Options**:
        - **Enable Removal of Expired/Revoked Certificates**: Remove certificates from the destination if they are no longer active.
        - **Preserve Secret on Renewal**: Update the existing secret on renewal instead of creating a new one.
        - **Include Root CA**: Include the Root CA certificate in the chain.
        - **Certificate Name Schema**: Customize secret names using `{{certificateId}}` placeholder.
        - **Auto-Sync Enabled**: Automatically sync certificates when changes occur.

    5. Configure the **Field Mappings** to customize how certificate data is stored:
        - **Certificate Field**: Field name for the certificate (default: `certificate`)
        - **Private Key Field**: Field name for the private key (default: `private_key`)
        - **Certificate Chain Field**: Field name for the chain (default: `certificate_chain`)
        - **CA Certificate Field**: Field name for the root CA (default: `ca_certificate`)

    <Tip>
        Certificates are stored as JSON secrets:
        ```json
        {
          "certificate": "-----BEGIN CERTIFICATE-----\n...",
          "private_key": "-----BEGIN PRIVATE KEY-----\n...",
          "certificate_chain": "-----BEGIN CERTIFICATE-----\n...",
          "ca_certificate": "-----BEGIN CERTIFICATE-----\n..."
        }
        ```
    </Tip>

    6. Configure the **Details**:
        - **Name**: The name of your sync (slug-friendly).
        - **Description**: Optional description.

    7. Select which certificates should be synced.

    8. Review and click **Create Sync**.
</Tab>
<Tab title="API">
    To create an **AWS Secrets Manager Certificate Sync**, make an API request to the [Create AWS Secrets Manager Certificate Sync](/api-reference/endpoints/pki/syncs/aws-secrets-manager/create) API endpoint.

    ### Sample request

    <Note>
      You can optionally specify `certificateIds` during sync creation to immediately add certificates to the sync.
      If not provided, you can add certificates later using the certificate management endpoints.
    </Note>

    ```bash Request
    curl --request POST \
    --url https://app.infisical.com/api/v1/cert-manager/syncs/aws-secrets-manager \
    --header 'Authorization: Bearer <access-token>' \
    --header 'Content-Type: application/json' \
    --data '{
        "name": "my-aws-secrets-manager-cert-sync",
        "applicationId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
        "description": "an example certificate sync",
        "connectionId": "550e8400-e29b-41d4-a716-446655440000",
        "destination": "aws-secrets-manager",
        "isAutoSyncEnabled": true,
        "certificateIds": [
            "550e8400-e29b-41d4-a716-446655440000",
            "660f1234-e29b-41d4-a716-446655440001"
        ],
        "syncOptions": {
            "canRemoveCertificates": true,
            "preserveSecretOnRenewal": true,
            "canImportCertificates": false,
            "includeRootCa": false,
            "certificateNameSchema": "myapp-{{certificateId}}",
            "fieldMappings": {
                "certificate": "ssl_cert",
                "privateKey": "ssl_key",
                "certificateChain": "ssl_chain",
                "caCertificate": "ssl_ca"
            }
        },
        "destinationConfig": {
            "region": "us-east-1",
            "keyId": "alias/my-kms-key"
        }
    }'
    ```

    ### Example with Default Field Mappings

    ```bash Request
    curl --request POST \
    --url https://app.infisical.com/api/v1/cert-manager/syncs/aws-secrets-manager \
    --header 'Authorization: Bearer <access-token>' \
    --header 'Content-Type: application/json' \
    --data '{
        "name": "my-aws-secrets-manager-cert-sync-default",
        "applicationId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
        "description": "AWS Secrets Manager sync with default field mappings",
        "connectionId": "550e8400-e29b-41d4-a716-446655440000",
        "destination": "aws-secrets-manager",
        "isAutoSyncEnabled": true,
        "syncOptions": {
            "canRemoveCertificates": true,
            "preserveSecretOnRenewal": true,
            "canImportCertificates": false,
            "includeRootCa": false,
            "certificateNameSchema": "infisical-{{certificateId}}",
            "fieldMappings": {
                "certificate": "certificate",
                "privateKey": "private_key",
                "certificateChain": "certificate_chain",
                "caCertificate": "ca_certificate"
            }
        },
        "destinationConfig": {
            "region": "us-west-2"
        }
    }'
    ```

    ### Sample response

    ```json Response
    {
        "pkiSync": {
            "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
            "name": "my-aws-secrets-manager-cert-sync",
            "description": "an example certificate sync",
            "destination": "aws-secrets-manager",
            "isAutoSyncEnabled": true,
            "destinationConfig": {
                "region": "us-east-1",
                "keyId": "alias/my-kms-key"
            },
            "syncOptions": {
                "canRemoveCertificates": true,
                "preserveSecretOnRenewal": true,
                "canImportCertificates": false,
                "includeRootCa": false,
                "certificateNameSchema": "myapp-{{certificateId}}",
                "fieldMappings": {
                    "certificate": "ssl_cert",
                    "privateKey": "ssl_key",
                    "certificateChain": "ssl_chain",
                    "caCertificate": "ssl_ca"
                }
            },
            "applicationId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
            "connectionId": "550e8400-e29b-41d4-a716-446655440000",
            "createdAt": "2023-01-01T00:00:00.000Z",
            "updatedAt": "2023-01-01T00:00:00.000Z"
        }
    }
    ```
</Tab>

</Tabs>

Certificate Management

The AWS Secrets Manager Certificate Sync provides:

Automatic Deployment: Deploy certificates in Infisical to AWS Secrets Manager as JSON secrets with customizable field names.
Certificate Updates: Update certificates in AWS Secrets Manager when renewals occur.
Expiration Handling: Optionally remove expired certificates from AWS Secrets Manager (if enabled).
Format Preservation: Maintain certificate format during sync operations.
Field Customization: Map certificate data to custom field names that match your application requirements.
CA Certificate Support: Include CA certificates in secrets for complete certificate chain management.
KMS Encryption: Optionally use custom KMS keys for secret encryption.
Regional Deployment: Deploy secrets to specific AWS regions.

<Note> AWS Secrets Manager Certificate Syncs support both automatic and manual synchronization modes. When auto-sync is enabled, certificates are automatically deployed as they are issued or renewed. </Note>

Manual Certificate Sync

You can manually trigger certificate synchronization to AWS Secrets Manager using the sync certificates functionality. This is useful for:

Initial setup when you have existing certificates to deploy
One-time sync of specific certificates
Testing certificate sync configurations
Force sync after making changes

To manually sync certificates, use the Sync Certificates API endpoint or the manual sync option in the Infisical UI.

Secret Naming Constraints

AWS Secrets Manager has specific naming requirements for secrets:

Allowed Characters: Letters, numbers, hyphens (-), and underscores (_) only
Length: 1-512 characters

FAQ

<Accordion title="Can I import certificates from AWS Secrets Manager back into Infisical?"> AWS Secrets Manager does not support importing certificates back into Infisical due to the nature of AWS Secrets Manager where certificates are stored as JSON secrets rather than managed certificate objects. </Accordion>

What's Next?

<CardGroup cols={2}> <Card title="AWS Certificate Manager" icon="aws" href="/documentation/platform/pki/applications/certificate-syncs/aws-certificate-manager"> Import certificates into ACM for AWS services. </Card> <Card title="Auto-Renewal" icon="arrows-spin" href="/documentation/platform/pki/applications/certificates#server-driven-renewal"> Enable automatic certificate renewal and syncing. </Card> <Card title="Alerting" icon="bell" href="/documentation/platform/pki/applications/alerting/overview"> Get notified about certificate lifecycle events. </Card> <Card title="Other Sync Destinations" icon="arrows-rotate" href="/documentation/platform/pki/applications/certificate-syncs/overview"> View all supported sync destinations. </Card> </CardGroup>