# AWS Secret Manager

Secure secrets in AWS Secret Manager and use them in Kafka Connect.

{% hint style="danger" %}
Secrets will only be reloaded if the Connector restarts.
{% endhint %}

## Authentication

Two authentication methods are supported:

1. **credentials**. With this method the configured **access key** and **secret key** are used.
2. **default**. This method uses the default AWS credential provider chain, which checks environment variables first; if that configuration is incomplete it tries Java system properties, then the profile file, and finally managed identity.

## Configuring the plugin  <a href="#configuring-the-plugin" id="configuring-the-plugin"></a>

| Name                  | Description                                                                                                                                                                                 | Default       |
| --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------- |
| aws.auth.method       | <p>AWS authentication method: ‘credentials’ to use the<br>provided credentials or ‘default’ for the standard AWS provider chain</p>                                                        | credentials   |
| aws.access.key        | AWS client key. Valid if aws.auth.method is ‘credentials’                                                                                                                                   |               |
| aws.secret.key        | AWS secret key. Valid if aws.auth.method is ‘credentials’                                                                                                                                   |               |
| aws.region            | AWS region of the Secrets Manager                                                                                                                                                           |               |
| file.dir              | The base directory under which secret files are written                                                                                                                                     |               |
| file.write            | Writes secrets to files under file.dir. Required for Java trust stores, key stores and certificates that must be loaded from a file. For ease of use of the secret provider, this is disabled by default. | false         |
| secret.default.ttl    | If no TTL is configured in AWS Secrets Manager, apply a default TTL (in milliseconds).                                                                                                      | (not enabled) |
| aws.endpoint.override | Specify the secret provider endpoint.                                                                                                                                                       | (not enabled) |
| secret.type           | Specify the type of secrets stored in Secrets Manager. Defaults to JSON; to enable String secret values set this property to STRING.                                                        | JSON          |

Example Worker Properties

{% code title="worker.props" %}

```properties
config.providers=aws
config.providers.aws.class=io.lenses.connect.secrets.providers.AWSSecretProvider
config.providers.aws.param.aws.auth.method=credentials
config.providers.aws.param.aws.access.key=your-client-key
config.providers.aws.param.aws.secret.key=your-secret-key
config.providers.aws.param.aws.region=your-region
config.providers.aws.param.file.dir=/connector-files/aws
```

{% endcode %}

## Usage  <a href="#usage" id="usage"></a>

To use this provider in a connector, reference the Secrets Manager secret that holds the value, and the key name within it, as the value of the connector property.

The indirect reference is in the form **${provider:path:key}** where:

* **provider** is the name of the provider in the worker property file set above
* **path** is the name of the secret
* **key** is the name of the key within the secret to retrieve. AWS can store multiple keys under a path.

For example, if we store two secrets as keys:

* my\_username\_key with the value lenses and
* my\_password\_key with the value my-secret-password

in a secret called my-aws-secret we would set:

{% code title="connector.props" %}

```properties
name=my-sink
class=my-class
topics=mytopic
username=${aws:my-aws-secret:my_username_key}
password=${aws:my-aws-secret:my_password_key}
```

{% endcode %}

This would resolve at runtime to:

```properties
name=my-sink
class=my-class
topics=mytopic
username=lenses
password=my-secret-password
```

### Data encoding  <a href="#data-encoding" id="data-encoding"></a>

AWS Secrets Manager BinaryString (API only) is not supported. Secrets must be stored under the secret name as key/value pairs: the provider calls the SecretString API and expects a JSON string to be returned.

For example, for an RDS Postgres secret, AWS Secrets Manager returns the following:

```json
{
  "username": "xxx",
  "password": "xxx",
  "engine": "postgres",
  "host": "xxx",
  "port": 5432,
  "dbname": "xxx",
  "dbInstanceIdentifier": "xxxx"
}
```

The provider handles the following types:

* utf\_8
* base64

The provider will look for keys prefixed with:

* UTF8
* UTF8\_FILE
* BASE64
* BASE64\_FILE

**`UTF8`** means the value returned is the string retrieved for the secret key. **`BASE64`** means the value returned is the base64-decoded form of the string retrieved for the secret key.

If the prefix is **`UTF8_FILE`**, the string contents are written to a file, and the value returned for the connector configuration key is the location of that file. The file location is determined by the file.dir configuration option given to the provider via the Connect **`worker.properties`** file.

If the prefix is **`BASE64_FILE`**, the string contents are base64-decoded and written to a file, and the value returned for the connector configuration key is the location of that file. For example, if a connector needs a PEM file on disk, use the **`BASE64_FILE`** prefix. The file location is determined by the file.dir configuration option given to the provider via the Connect **`worker.properties`** file.

If no prefix is found, the contents of the secret string are returned unchanged.
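The following added example (not the provider's own code) models how the `${provider:path:key}` references from the Usage section and the encoding prefixes above are resolved: it parses a connector property, looks the key up in a constructed JSON secret, and applies the UTF8, BASE64 and `_FILE` rules, writing files under `file.dir`. The separator between a prefix and the key name (`:`) and the in-memory `SECRETS` lookup are assumptions standing in for the SecretString API call.

```python
import base64
import json
import os
import re

# Constructed sample of what the SecretString API returns for one secret
# (JSON key/value pairs). The ':' separator between an encoding prefix and
# the key name is an assumption, not the provider's documented convention.
SECRETS = {
    "my-aws-secret": json.dumps({
        "my_username_key": "lenses",
        "my_password_key": "my-secret-password",
        "BASE64:api_token": base64.b64encode(b"plain-token").decode(),
        "BASE64_FILE:ca.pem": base64.b64encode(b"-----BEGIN CERTIFICATE-----\n").decode(),
    })
}
PREFIXES = ("BASE64_FILE", "UTF8_FILE", "BASE64", "UTF8")  # longest match first
REFERENCE = re.compile(r"\$\{(\w+):([^:}]+):([^}]+)\}")    # ${provider:path:key}


def decode(field, value, file_dir):
    """Apply the prefix rules: base64-decode and/or write to a file under file_dir."""
    prefix = next((p for p in PREFIXES if field.upper().startswith(p + ":")), None)
    if prefix is None:
        return value                       # no prefix: secret string returned as-is
    data = base64.b64decode(value) if prefix.startswith("BASE64") else value.encode()
    if not prefix.endswith("_FILE"):
        return data.decode()
    os.makedirs(file_dir, exist_ok=True)
    path = os.path.join(file_dir, field.split(":", 1)[1])
    with open(path, "wb") as fh:           # connector receives the path, not the bytes
        fh.write(data)
    return path


def resolve(props, file_dir, provider="aws"):
    """Replace ${aws:path:key} references in connector properties, as Connect does."""
    def lookup(match):
        name, path, key = match.groups()
        if name != provider:
            return match.group(0)          # another provider's reference: leave it
        fields = json.loads(SECRETS[path])
        for field, value in fields.items():
            if field == key or field.upper().endswith(":" + key.upper()):
                return decode(field, value, file_dir)
        raise KeyError(f"{key} not found in secret {path}")
    return {k: REFERENCE.sub(lookup, v) for k, v in props.items()}
```

Note that a `_FILE` secret leaves its decoded contents on disk under `file.dir`, so that directory needs the same access controls as the worker's own configuration.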
