The aws_secrets_manager store enables Spice to read secrets from AWS Secrets Manager by specifying the secret’s name with a selector.
The store reads keys from the secret named in the selector. In the above example my_secret_name must be defined in AWS Secrets Manager, and any keys referenced using ${aws:my_key} will look for a key my_key within my_secret_name.
A complete spicepod definition with a dataset that uses a secret from AWS Secrets Manager.
Spice will automatically load credentials to connect to AWS Secrets Manager from the following sources in order.
Environment Variables:
AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEYAWS_SESSION_TOKEN (if using temporary credentials)Shared AWS Config/Credentials Files:
Config file: ~/.aws/config (Linux/Mac) or %UserProfile%\.aws\config (Windows)
Credentials file: ~/.aws/credentials (Linux/Mac) or %UserProfile%\.aws\credentials (Windows)
The AWS_PROFILE environment variable can be used to specify a named profile, otherwise the [default] profile is used.
Supports both static credentials and SSO sessions
Example credentials file:
:::tip To set up SSO authentication:
aws configure sso to configure a new SSO profileAWS_PROFILE=sso-profileaws sso login --profile sso-profile to start a new SSO session
:::AWS STS Web Identity Token Credentials:
The connector will try each source in order until valid credentials are found. If no valid credentials are found, an authentication error will be returned.
:::note[IAM Permissions]
Regardless of the credential source, the IAM role or user must have appropriate secretsmanager permissions (e.g., secretsmanager:GetSecretValue) to access the secrets. If the Spicepod connects to multiple different AWS services, the permissions should cover all of them.
:::
The IAM role or user needs the following permissions to access secrets in Secrets Manager:
| Permission | Purpose |
|---|---|
secretsmanager:GetSecretValue | Required. Allows reading secret values. |
ECS Container Credentials:
AWS_CONTAINER_CREDENTIALS_RELATIVE_URI or AWS_CONTAINER_CREDENTIALS_FULL_URI which are automatically injected by ECS.AWS EC2 Instance Metadata Service (IMDSv2):