The AWS Secrets Manager plugin supports two types of credentials: permanent IAM user credentials and temporary (STS) credentials.

Once the credentials are configured, run the following AWS CLI commands to test the permissions.

# Test list secrets permission
aws secretsmanager list-secrets --region us-east-1

# Test describe secret permission
aws secretsmanager describe-secret --secret-id "secret-name-or-arn" --region us-east-1

# Test list secrets with a filter (here by name), as used for scoped or incremental scanning
aws secretsmanager list-secrets --region us-east-1 --filters Name=name,Values=test

Creating permanent IAM user credentials

The IAM user or role must have the following permissions.

  Identifier                      Description
  secretsmanager:ListSecrets      Required to discover all secrets in the specified region. Without this permission, the plugin cannot enumerate secrets, and the scan fails immediately.
  secretsmanager:DescribeSecret   Required to retrieve detailed metadata for each secret, including rotation settings, version information, tags, and KMS key ID. Without this permission, the plugin can list secrets but cannot retrieve their detailed metadata.

Follow the steps below to create a credential with these permissions.

To create permanent IAM user credentials

  1. Log in to the AWS IAM Console at https://console.aws.amazon.com/iam/
  2. Navigate to Users > Add user
  3. Enter a username - for example: "secretsmanager-discovery-plugin".
  4. Select Programmatic access as the access type
  5. Click Next: Permissions
  6. Attach the required permissions policy. For example: 
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "secretsmanager:ListSecrets",
            "secretsmanager:DescribeSecret"
          ],
          "Resource": "*"
        }
      ]
    }
  7. Complete the wizard and click Create user
  8. Save the Access Key ID and Secret Access Key displayed on the final screen. 

    You won't be able to retrieve the secret key again.

  9. Use these credentials in the plugin configuration and leave sessionToken empty.
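The policy in step 6 grants only the two metadata actions the plugin needs and nothing that reads secret values. The script below, an added example that is not part of the plugin or its documentation, checks an IAM policy document against that expectation: it reports required actions that are not granted and any granted pattern (including wildcards such as secretsmanager:*) that would also allow a forbidden action. The forbidden-action list is an assumption chosen for this example; only the two required actions come from the page. Standard library only, no AWS call is made.

```python
"""Least-privilege check for the discovery plugin's IAM policy (added example)."""
import fnmatch
import json

# The two actions the plugin documentation requires.
REQUIRED_ACTIONS = {
    "secretsmanager:ListSecrets",
    "secretsmanager:DescribeSecret",
}

# Actions a metadata-only discovery principal should not hold.
# This list is an assumption for the example, not from the plugin docs.
FORBIDDEN_ACTIONS = {
    "secretsmanager:GetSecretValue",
    "secretsmanager:PutSecretValue",
    "secretsmanager:UpdateSecret",
    "secretsmanager:DeleteSecret",
}

# The policy document shown in step 6 of the page.
PLUGIN_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["secretsmanager:ListSecrets", "secretsmanager:DescribeSecret"],
      "Resource": "*"
    }
  ]
}"""


def _as_list(value):
    """IAM accepts either a string or a list of strings for Action."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def allowed_actions(policy_json):
    """Return the set of action patterns granted by Allow statements.

    Deny statements are ignored, so the result is an upper bound on what
    the policy grants; a Deny elsewhere could still block an action.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    granted = set()
    for stmt in statements:
        if stmt.get("Effect") == "Allow":
            granted.update(_as_list(stmt.get("Action")))
    return granted


def check_policy(policy_json):
    """Return (missing, excessive) for the given policy document.

    missing:   required actions that no granted pattern matches
    excessive: forbidden actions that some granted pattern matches
    IAM action matching is case-insensitive and supports * and ? wildcards,
    which fnmatch reproduces once both sides are lower-cased.
    """
    granted = allowed_actions(policy_json)

    def is_granted(action):
        return any(fnmatch.fnmatchcase(action.lower(), pat.lower()) for pat in granted)

    missing = sorted(a for a in REQUIRED_ACTIONS if not is_granted(a))
    excessive = sorted(a for a in FORBIDDEN_ACTIONS if is_granted(a))
    return missing, excessive


if __name__ == "__main__":
    missing, excessive = check_policy(PLUGIN_POLICY)
    print("missing:", missing or "none")
    print("excessive:", excessive or "none")
```

Run it against the policy you are about to attach; an empty result for both lists means the principal can enumerate and describe secrets but cannot read, write, or delete their values.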

Creating temporary credentials

For temporary credentials (STS), the following additional permission may be required.

  Identifier              Description
  sts:GetSessionToken     Required only when using temporary credentials to generate or validate session tokens.

Follow the steps below to create a credential with these permissions.

To create temporary credentials

  1. Ensure you have an IAM role configured with the required permissions.
  2. Use AWS CLI or SDK to assume the role: 
    aws sts assume-role \
    --role-arn arn:aws:iam::123456789012:role/ACMReadRole \
    --role-session-name acm-plugin-session
  3. Extract the following fields from the response:
    • AccessKeyId
    • SecretAccessKey
    • SessionToken
  4. Use all three values in the plugin configuration. 

    Temporary credentials typically expire within 1-12 hours and must be refreshed.
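Steps 3 and 4, together with the expiry note, are the part most often done by hand and most often done wrong: the three fields are copied but nobody tracks when the session ends. The script below is an added example, not part of the plugin or its documentation. It parses the JSON that aws sts assume-role returns, pulls out AccessKeyId, SecretAccessKey and SessionToken, and refuses to produce a plugin configuration when the Expiration timestamp is already past or within a refresh margin. The response is a constructed sample with placeholder values; the field names follow the real STS response shape. The configuration keys accessKeyId and secretAccessKey are assumed to match the page's sessionToken naming, and the five-minute refresh margin is a choice for this example.

```python
"""Extract plugin credentials from an assume-role response and check expiry (added example)."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of an `aws sts assume-role` response; values are placeholders.
SAMPLE_RESPONSE = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEPLACEHOLDER",
        "SecretAccessKey": "EXAMPLE-SECRET-ACCESS-KEY-PLACEHOLDER",
        "SessionToken": "EXAMPLE-SESSION-TOKEN-PLACEHOLDER",
        "Expiration": "2030-01-01T12:00:00Z",
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLEPLACEHOLDER:acm-plugin-session",
        "Arn": "arn:aws:sts::123456789012:assumed-role/ACMReadRole/acm-plugin-session",
    },
})

# Refresh this long before the session actually expires (assumption for the example).
REFRESH_MARGIN = timedelta(minutes=5)


def parse_timestamp(iso_text):
    """Parse the ISO-8601 UTC timestamp STS returns; accept a trailing Z."""
    return datetime.fromisoformat(iso_text.replace("Z", "+00:00"))


def credentials_from_response(response_json):
    """Return the three fields the plugin needs plus the raw expiry string.

    The plugin config keys accessKeyId and secretAccessKey are assumed;
    only sessionToken appears in the documentation.
    """
    creds = json.loads(response_json)["Credentials"]
    return {
        "accessKeyId": creds["AccessKeyId"],
        "secretAccessKey": creds["SecretAccessKey"],
        "sessionToken": creds["SessionToken"],
        "expiration": creds["Expiration"],
    }


def needs_refresh(expiration_iso, now_iso=None, margin=REFRESH_MARGIN):
    """True when the session has expired or will expire within `margin`."""
    expiration = parse_timestamp(expiration_iso)
    now = parse_timestamp(now_iso) if now_iso else datetime.now(timezone.utc)
    return now + margin >= expiration


def plugin_config(response_json, now_iso=None):
    """Build the plugin configuration, or return None if the token must be refreshed first."""
    creds = credentials_from_response(response_json)
    if needs_refresh(creds["expiration"], now_iso):
        return None
    return {key: creds[key] for key in ("accessKeyId", "secretAccessKey", "sessionToken")}


if __name__ == "__main__":
    config = plugin_config(SAMPLE_RESPONSE)
    if config is None:
        print("session expired or about to expire; run assume-role again")
    else:
        # Never log the secret values themselves; the key names are enough to confirm the shape.
        print("plugin config fields:", sorted(config))
```

Feed the real assume-role output to plugin_config in place of SAMPLE_RESPONSE; a None result is the signal to re-run the assume-role command rather than start a scan that will fail partway through with an expired token.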