AWS Secrets Manager

AWS Secrets Manager is Amazon's cloud service for securely storing and managing secrets, API keys, and other sensitive data. The EnvManager AWS Secrets Manager integration allows you to automatically sync your environment variables from EnvManager directly to secrets in AWS Secrets Manager.

When you connect AWS Secrets Manager to EnvManager, each variable is stored as an individual secret in your chosen AWS region. No more manually creating secrets or copying values between tools.

What You Can Do

With the AWS Secrets Manager integration, you can:

  • Connect your AWS account with an IAM access key and secret
  • Sync variables as secrets — each variable becomes its own secret in Secrets Manager
  • Use a name prefix to namespace your secrets with path-style organization (e.g., envmanager/production/)
  • Choose which environments to sync — control exactly which EnvManager environments push to AWS
  • Automatic syncing — secrets update in AWS whenever you change variables in EnvManager
  • Manual sync control — trigger syncs on demand when you need them
  • Track sync history — see when secrets were synced and if any errors occurred

Before You Begin

To connect AWS Secrets Manager, you need:

  • An EnvManager account with a project created
  • An AWS account
  • Admin or Owner role in your EnvManager organization (required to manage integrations)
  • An IAM user with programmatic access (access key ID and secret access key)
  • IAM permissions for Secrets Manager (CreateSecret, PutSecretValue, DeleteSecret)

The sections below walk you through creating an IAM user, attaching the correct permissions, and connecting to EnvManager.

How to Create an IAM User

If you already have an IAM user with the required permissions, you can skip to Connecting Your AWS Secrets Manager.

Open the AWS Console

Go to console.aws.amazon.com and sign in with your AWS account.

In the search bar at the top, type IAM and select IAM from the results.

Create a New User

In the left menu, click Users, then click Create user at the top of the page.

Fill In User Details

  • User name: envmanager-sync (or any name you prefer)
  • Click Next

Set Permissions

  1. Select Attach policies directly
  2. Click Create policy to open the policy editor in a new tab
  3. Select the JSON tab and paste the minimal policy below
  4. Click Next, give the policy a name (e.g., EnvManagerSecretsAccess), and click Create policy
  5. Return to the user creation tab, click the refresh button, and search for the policy you just created
  6. Select it and click Next, then Create user

Create an Access Key

  1. Click on the user you just created
  2. Go to the Security credentials tab
  3. Under Access keys, click Create access key
  4. Select Third-party service as the use case
  5. Click Create access key

Copy both the Access key ID and the Secret access key immediately — the secret is only shown once.

Security Note: The secret access key grants access to your AWS Secrets Manager. Do not commit it to version control or share it publicly. EnvManager stores the credentials encrypted. Consider rotating access keys periodically for security.

Minimal IAM Policy

Use this policy to grant only the permissions EnvManager needs:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:CreateSecret",
        "secretsmanager:PutSecretValue",
        "secretsmanager:DeleteSecret"
      ],
      "Resource": "arn:aws:secretsmanager:*:*:secret:envmanager/*"
    }
  ]
}

Resource scoping: This policy limits access to secrets whose names start with envmanager/. If you use a different prefix (or no prefix), update the Resource ARN to match. For example, use arn:aws:secretsmanager:*:*:secret:* for unrestricted access to all secrets (less secure), or arn:aws:secretsmanager:*:*:secret:myprefix/* for a custom prefix.
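The resource scoping rule above is easy to get wrong when the prefix in EnvManager and the Resource ARN in the policy drift apart. The following Python check, added here as an example and not part of EnvManager or this page, evaluates the minimal policy against the ARNs Secrets Manager would assign to your prefixed secrets. The region, account id and six-character suffix are constructed values; IAM Deny statements and Conditions are deliberately not modelled.

```python
import fnmatch
import json

# The minimal policy from this page, embedded so the check runs offline.
MINIMAL_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:CreateSecret",
        "secretsmanager:PutSecretValue",
        "secretsmanager:DeleteSecret"
      ],
      "Resource": "arn:aws:secretsmanager:*:*:secret:envmanager/*"
    }
  ]
}
""")

# The three actions EnvManager needs for create / update / delete of a secret.
REQUIRED_ACTIONS = {
    "secretsmanager:CreateSecret",
    "secretsmanager:PutSecretValue",
    "secretsmanager:DeleteSecret",
}


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def secret_arn(region, account_id, secret_name, suffix="AbCdEf"):
    """Build the ARN Secrets Manager assigns to a secret.

    AWS appends a hyphen and six random characters to the secret name, so the
    resource part is 'secret:<name>-<suffix>'. Region, account id and suffix in
    the tests are constructed values, not real ones.
    """
    return f"arn:aws:secretsmanager:{region}:{account_id}:secret:{secret_name}-{suffix}"


def allowed(policy, action, resource_arn):
    """True if some Allow statement grants `action` on `resource_arn`.

    IAM wildcards: '*' matches any run of characters (including '/') and '?'
    matches one character, which is exactly fnmatch's behaviour. Action names
    are compared case-insensitively, as IAM does; ARNs are case-sensitive.
    Deny statements and Conditions are not modelled (an assumption).
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
            continue
        if any(fnmatch.fnmatchcase(resource_arn, r) for r in resources):
            return True
    return False


def uncovered(policy, prefix, var_names, region="us-east-1", account_id="123456789012"):
    """Return (action, secret_name) pairs the policy does NOT allow for the
    secrets EnvManager would create under `prefix`. Empty list means the
    policy's Resource ARN covers the configured prefix."""
    gaps = []
    for name in var_names:
        arn = secret_arn(region, account_id, prefix + name)
        for action in sorted(REQUIRED_ACTIONS):
            if not allowed(policy, action, arn):
                gaps.append((action, prefix + name))
    return gaps


if __name__ == "__main__":
    print(uncovered(MINIMAL_POLICY, "envmanager/production/", ["DATABASE_URL"]))
    print(uncovered(MINIMAL_POLICY, "myprefix/", ["DATABASE_URL"]))
```

Run against the page's policy, a prefix of envmanager/production/ reports no gaps, while myprefix/ (or an empty prefix) reports all three actions as uncovered for every variable, which is the situation behind the "Access denied" error described in Troubleshooting.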

Connecting Your AWS Secrets Manager

From your EnvManager dashboard, go to Settings and click the Integrations tab.

Open the AWS Connect Modal

Find the AWS Secrets Manager card and click the Connect button.

Enter Connection Details

Fill in the form:

  1. Connection Name — Give this connection a friendly name (e.g., "Production AWS")
  2. Access Key ID — The IAM access key ID (starts with AKIA...)
  3. Secret Access Key — The secret access key you copied when creating the access key
  4. Region — Select the AWS region where your secrets should be stored (e.g., US East - N. Virginia)

Validate Credentials

Click Validate Credentials to test the connection. EnvManager will verify that your access key ID and secret access key are valid by calling the AWS STS API.

You'll see a success indicator with your AWS account ID confirmed once validation passes.

Complete the Connection

Click Connect to save the connection. Your AWS Secrets Manager is now linked to this EnvManager organization.

Configuring Your Sync

After connecting AWS Secrets Manager, you need to configure which environments sync and how secrets are named.

Open Configuration

On the AWS Secrets Manager integration card, click Configure to open the sync configuration modal.

Enable Environments for Sync

You'll see a list of your EnvManager environments. Toggle on each environment you want to sync to AWS Secrets Manager.

You can enable all environments or just specific ones — for example, only syncing your Production environment.

Set an Optional Secret Name Prefix

A prefix is added to the beginning of every secret name in AWS. This is useful to:

  • Namespace your secrets (e.g., envmanager/production/ so secrets appear as envmanager/production/DATABASE_URL)
  • Avoid naming conflicts with existing secrets
  • Identify which secrets were created by EnvManager
  • Organize secrets by path in the AWS console

Leave this field empty if you don't need a prefix.

Configure Sync Options

Choose what and when to sync:

  Option                 | Description                                             | Recommended
  -----------------------|---------------------------------------------------------|---------------------------
  Auto-sync              | Automatically sync when variables change in EnvManager  | Enabled for most use cases
  Sync secrets           | Include secret variables                                | Enabled
  Sync regular variables | Include non-secret variables                            | Enabled

Save Configuration

Review your settings and click Save Configuration. Your sync is now active.

Syncing Variables

Automatic Syncing

If you enabled auto-sync, EnvManager will automatically push variables to AWS Secrets Manager whenever:

  • You add a new variable (creates a new secret)
  • You edit an existing variable's value (updates the secret)
  • You delete a variable (the secret is deleted from AWS)

Changes typically appear in AWS within seconds.
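The three events above map one-to-one onto the three Secrets Manager API calls the minimal IAM policy permits. The Python below models that mapping as an added illustration; it is not EnvManager's code, and the FakeSecretsManager class is a constructed in-memory stand-in for the boto3 client that only records the calls (the method and keyword names match the real client's create_secret, put_secret_value and delete_secret).

```python
def plan_sync(previous, current):
    """Map a change in EnvManager variables to Secrets Manager API calls.

    previous / current: dict of variable name -> value before and after an edit.
    Returns a list of (api_call, variable_name, value) tuples:
      new variable      -> CreateSecret
      changed value     -> PutSecretValue
      removed variable  -> DeleteSecret
    """
    ops = []
    for name, value in current.items():
        if name not in previous:
            ops.append(("CreateSecret", name, value))
        elif previous[name] != value:
            ops.append(("PutSecretValue", name, value))
    for name in previous:
        if name not in current:
            ops.append(("DeleteSecret", name, None))
    return ops


class FakeSecretsManager:
    """Constructed stand-in for boto3's Secrets Manager client.

    Keeps only the latest value per secret and records which calls were made,
    raising the same error names the real service returns for the two
    mismatches a sync can hit (create of an existing name, update of a
    missing one).
    """

    def __init__(self, existing=None):
        self.secrets = dict(existing or {})
        self.calls = []

    def create_secret(self, Name, SecretString):
        if Name in self.secrets:
            raise ValueError(f"ResourceExistsException: {Name}")
        self.secrets[Name] = SecretString
        self.calls.append("CreateSecret")

    def put_secret_value(self, SecretId, SecretString):
        if SecretId not in self.secrets:
            raise KeyError(f"ResourceNotFoundException: {SecretId}")
        self.secrets[SecretId] = SecretString
        self.calls.append("PutSecretValue")

    def delete_secret(self, SecretId):
        self.secrets.pop(SecretId, None)
        self.calls.append("DeleteSecret")


def apply_sync(client, prefix, previous, current):
    """Apply the planned operations, prepending the configured prefix to each
    secret name. Returns the resulting secret store for inspection."""
    for call, name, value in plan_sync(previous, current):
        secret_name = prefix + name
        if call == "CreateSecret":
            client.create_secret(Name=secret_name, SecretString=value)
        elif call == "PutSecretValue":
            client.put_secret_value(SecretId=secret_name, SecretString=value)
        else:
            client.delete_secret(SecretId=secret_name)
    return client.secrets


if __name__ == "__main__":
    # Constructed sample: one value edited, one variable added, one removed.
    client = FakeSecretsManager({"envmanager/prod/DATABASE_URL": "old",
                                 "envmanager/prod/OLD_KEY": "x"})
    before = {"DATABASE_URL": "old", "OLD_KEY": "x"}
    after = {"DATABASE_URL": "new", "API_TOKEN": "t"}
    print(apply_sync(client, "envmanager/prod/", before, after), client.calls)
```

One caveat worth knowing when reading the sync history: the real DeleteSecret call does not remove a secret immediately. By default Secrets Manager schedules deletion with a recovery window (30 days unless a window of 7 to 30 days is specified), so a variable deleted in EnvManager can still be restored from the AWS console within that window.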

Manual Syncing

You can trigger a sync manually at any time:

Click Sync Now

On the AWS Secrets Manager integration card, click the Sync Now button.

Watch the Progress

A progress indicator shows the sync status. The sync will:

  1. Gather variables from enabled EnvManager environments
  2. Create or update each variable as a secret in AWS Secrets Manager
  3. Report success or errors per environment

Verify in AWS Console

Open the AWS Secrets Manager console and verify that your secrets appeared correctly.

Manual sync is useful when setting up the integration for the first time or when you want to immediately verify a change reached AWS.

Secret Naming in AWS

AWS Secrets Manager has flexible naming rules that allow most characters:

  • Letters, numbers, and these special characters are allowed: / _ + = . @ -
  • Maximum length is 512 characters
  • Path-style names with / separators are supported natively

If you set a prefix, it is prepended to each variable name:

  EnvManager Variable | Prefix           | AWS Secret Name
  --------------------|------------------|------------------------------
  DATABASE_URL        | (none)           | DATABASE_URL
  DATABASE_URL        | envmanager/prod/ | envmanager/prod/DATABASE_URL
  NEXT_PUBLIC_API     | myapp/           | myapp/NEXT_PUBLIC_API

Underscores preserved: Unlike Azure Key Vault, AWS Secrets Manager allows underscores in secret names. Your variable names pass through unchanged — DATABASE_URL stays as DATABASE_URL.

Path-style organization: AWS Secrets Manager supports / in secret names, making it easy to organize secrets by application or environment. Use a prefix like myapp/production/ to keep your secrets cleanly organized in the AWS console.
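To check a set of variable names against these naming rules before enabling a sync, the Python below builds each AWS secret name exactly as the table above does (prefix prepended literally, variable name passed through unchanged) and validates it against the allowed character set and the 512-character limit. This is an added example, not EnvManager's code; the variable names in the main block are constructed.

```python
import re

# Allowed per the rules above: letters, digits and the characters / _ + = . @ -
_NAME_RE = re.compile(r"^[A-Za-z0-9/_+=.@-]+$")
MAX_NAME_LENGTH = 512


def aws_secret_name(prefix, variable_name):
    """Return the Secrets Manager name EnvManager would use for a variable.

    The prefix is prepended as-is (the page's examples all end in '/'), the
    variable name is not transformed, and the result is checked against the
    Secrets Manager character set and length limit. Raises ValueError for a
    name AWS would reject, naming the offending characters.
    """
    name = f"{prefix}{variable_name}"
    if not name:
        raise ValueError("secret name must not be empty")
    if len(name) > MAX_NAME_LENGTH:
        raise ValueError(
            f"secret name is {len(name)} characters, limit is {MAX_NAME_LENGTH}"
        )
    if not _NAME_RE.match(name):
        bad = sorted({ch for ch in name if not _NAME_RE.match(ch)})
        raise ValueError(f"secret name contains characters AWS rejects: {bad!r}")
    return name


def check_variables(prefix, variable_names):
    """Map each variable to its AWS secret name, or to the error explaining
    why it cannot be synced under this prefix."""
    report = {}
    for var in variable_names:
        try:
            report[var] = aws_secret_name(prefix, var)
        except ValueError as exc:
            report[var] = f"ERROR: {exc}"
    return report


if __name__ == "__main__":
    # Constructed sample names: two valid, one with a space, one with a colon.
    for var, outcome in check_variables(
        "myapp/production/", ["DATABASE_URL", "NEXT_PUBLIC_API", "BAD NAME", "A:B"]
    ).items():
        print(f"{var:16} -> {outcome}")
```

Beyond the rules listed above, AWS also advises against ending a secret name with a hyphen followed by six characters, because that pattern collides with the random suffix Secrets Manager appends to secret ARNs and can make partial-ARN lookups ambiguous.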

Managing Your Connection

Updating Configuration

To change which environments sync or update the prefix:

  1. Click Configure on the AWS Secrets Manager integration card
  2. Make your changes
  3. Click Save Configuration

The new configuration takes effect immediately for the next sync.

Disconnecting AWS Secrets Manager

To remove the AWS Secrets Manager integration:

  1. Click the Disconnect button on the integration card
  2. Confirm the disconnection in the dialog that appears

Important: Disconnecting does NOT remove secrets from AWS Secrets Manager. Your secrets remain in AWS, but future changes in EnvManager won't sync. You can manually delete secrets from the AWS console if needed.

Reconnecting

If you disconnect and want to reconnect later:

  • Click Connect again and go through the connection process
  • You can use the same IAM credentials or create new access keys
  • You'll need to reconfigure your environment toggles and prefix

Tips & Best Practices

Start with Manual Sync

When setting up the integration for the first time:

  1. Configure with auto-sync disabled
  2. Trigger a manual sync to verify secrets appear in AWS Secrets Manager
  3. Confirm the secret names and values look correct in the AWS console
  4. Enable auto-sync once you're confident everything is working

Use a Prefix to Namespace Your Secrets

If your AWS Secrets Manager is used for multiple applications or already has existing secrets, use a path-style prefix to keep EnvManager-managed secrets clearly identified. For example, envmanager/production/ makes it obvious which secrets belong to this application and environment.

Rotate Access Keys Periodically

AWS recommends rotating access keys regularly. To rotate:

  1. Create a new access key for the IAM user in the AWS console
  2. Update the connection in EnvManager by disconnecting and reconnecting with the new key
  3. Delete the old access key from the IAM user
  4. Verify syncing works with the new credentials

Limit IAM Permissions

The minimal IAM policy above grants only the permissions EnvManager needs — CreateSecret, PutSecretValue, and DeleteSecret. Avoid granting broader permissions like secretsmanager:* or attaching the SecretsManagerReadWrite managed policy, which provides more access than needed.

Troubleshooting

"Invalid AWS credentials" error during validation

Cause: The access key ID or secret access key is incorrect.

Solution:

  1. Verify the access key ID starts with AKIA (for long-term credentials)
  2. Make sure you copied the full secret access key when it was created
  3. Check that the IAM user has not been disabled or deleted
  4. If the access key was compromised and rotated, use the new credentials
  5. Re-enter the credentials in EnvManager and try validation again

"Access denied" error during sync

Cause: The IAM user does not have the required Secrets Manager permissions.

Solution:

  1. Open the IAM console and find the user
  2. Check that the correct policy is attached (with secretsmanager:CreateSecret, PutSecretValue, DeleteSecret)
  3. Verify the policy Resource ARN matches your secret prefix — if you use envmanager/prod/ as a prefix, the policy must cover arn:aws:secretsmanager:*:*:secret:envmanager/prod/*
  4. Check if any Service Control Policies (SCPs) in your AWS Organization are blocking access

"Invalid region" error

Cause: The selected region is not available or the Secrets Manager service is not enabled in that region.

Solution:

  1. Make sure you selected a valid AWS region from the dropdown
  2. Verify Secrets Manager is available in your chosen region (it's available in all standard regions)
  3. Try selecting a different region

Variables not appearing in AWS Secrets Manager

Cause: The sync may have failed, or the environment is not enabled for sync.

Solution:

  1. Click Configure and verify that the relevant environments are toggled on
  2. Check the sync history for error messages on the integration card
  3. Trigger a manual sync and watch for errors
  4. Make sure you're looking in the correct AWS region in the console

Auto-sync not triggering

Cause: Auto-sync may be disabled in the configuration, or the sync is failing silently.

Solution:

  1. Click Configure and verify Auto-sync is enabled
  2. Check the sync history for recent failed syncs
  3. Try a manual sync to confirm the connection is still working
  4. If access keys were rotated, reconnect with the new credentials
