AWS Secrets Manager Credential Provider Secret Path Expressions
Use the path expressions listed in this topic to reference secrets through the AWS Secrets Manager credential provider in your source authentication configurations.
The AWS Secrets Manager credential provider can return any field stored in an AWS Secrets Manager secret, such as a username or a password.

Path syntax: secrets://{vault-name}/{Secret ARN}/{secretKey}
For example, to fetch the username field of a secret:
Before Encoding
- Using Secret ARN:
secrets://aws-vault/arn:aws:secretsmanager:us-east-1:441113549707:secret:orgName/cred/applicationName/directoryName/username
Important
The URL path must always start with the prefix secrets://. Each attribute in the URL path must be URL-encoded: in particular, the ":" and "/" characters inside the Secret ARN must be encoded as %3A and %2F so that the whole ARN occupies a single path segment and the "/" characters in the secret name are not mistaken for the separator in front of the secret key. Each URL attribute in the path is case-sensitive, so the vault name, the ARN and the secret key must be written exactly as they are defined.
After Encoding
After you encode the URL path, it should appear as follows:
- Using Secret ARN:
secrets://aws-vault/arn%3Aaws%3Asecretsmanager%3Aus-east-1%3A441113549707%3Asecret%3AorgName%2Fcred%2FapplicationName%2FdirectoryName/username
The following is an explanation of the attributes of this URL:
- aws-vault – the credential provider configured in the Credential Provider section
- arn:aws:secretsmanager:us-east-1:441113549707:secret:orgName/cred/applicationName/directoryName – the Secret ARN
- username – the secret key to fetch from AWS Secrets Manager
Tip
Use urlencoder.org (or any local URL-encoding tool) to encode your URL attributes. The attributes you encode here (vault name, ARN, key name, prefix, suffix) are identifiers, not secret values; do not paste actual secret values into a third-party encoder.

Path syntax: secrets://{vault-name}/{Secret ARN}/{secretKey}
For example, to fetch the password field of the same secret:
Before Encoding
- Using Secret ARN:
secrets://aws-vault/arn:aws:secretsmanager:us-east-1:441113549707:secret:orgName/cred/applicationName/directoryName/password
Important
The same rules apply: the URL path must start with the prefix secrets://, each attribute in the URL path must be URL-encoded, and each URL attribute in the path is case-sensitive.
After Encoding
After you encode the URL path, it should appear as follows:
- Using Secret ARN:
secrets://aws-vault/arn%3Aaws%3Asecretsmanager%3Aus-east-1%3A441113549707%3Asecret%3AorgName%2Fcred%2FapplicationName%2FdirectoryName/password
The following is an explanation of the components of this URL:
- aws-vault – the credential provider configured in the Credential Provider section
- arn:aws:secretsmanager:us-east-1:441113549707:secret:orgName/cred/applicationName/directoryName – the Secret ARN
- password – the secret key to fetch from AWS Secrets Manager
Tip
Use urlencoder.org to encode your URL attributes.

If a secret value needs a prefix or a suffix, append a query parameter to the secret path as follows. The query string comes after the secret key, and the prefix and suffix values must themselves be URL-encoded (for example, "\" becomes %5C and "@" becomes %40).
- To add a prefix – ?prefix=<prefix>
For example, if the secret value returned after evaluation is LocalAdmin, but the complete value required by the secret field is DomainOne\LocalAdmin, then the secret path expression to add the required prefix is as follows:
secrets://aws-vault/arn%3Aaws%3Asecretsmanager%3Aus-east-1%3A441113549707%3Asecret%3AorgName%2Fcred%2FapplicationName%2FdirectoryName/password?prefix=DomainOne%5C
- To add a suffix – ?suffix=<suffix>
For example, if the secret value returned after evaluation is localadministrator, but the complete value required by the secret field is localadministrator@sp.com, then the secret path expression to add the required suffix is as follows:
secrets://aws-vault/arn%3Aaws%3Asecretsmanager%3Aus-east-1%3A441113549707%3Asecret%3AorgName%2Fcred%2FapplicationName%2FdirectoryName/password?suffix=%40sp.com
- To add a prefix and a suffix – ?prefix=<prefix>&suffix=<suffix>
For example, if the secret value returned after evaluation is LocalAdmin, but the complete value required by the secret field is DomainOne\LocalAdmin@sp.com, then the secret path expression to add both the prefix and the suffix is as follows:
secrets://aws-vault/arn%3Aaws%3Asecretsmanager%3Aus-east-1%3A441113549707%3Asecret%3AorgName%2Fcred%2FapplicationName%2FdirectoryName/password?prefix=DomainOne%5C&suffix=%40sp.com
Important
All input parameters must be encoded, including the Secret ARN in the path.
Standard format for credential path
secrets://{vault-name}/{secret ARN}/{secretKey}?prefix=someValue&suffix=someValue2&versionId=123&versionStage=PREVIOUS
Important
prefix, suffix, versionId and versionStage are optional. someValue, someValue2, 123 and PREVIOUS are placeholders; the staging labels that AWS Secrets Manager manages itself are AWSCURRENT, AWSPREVIOUS and AWSPENDING.
AWS Secrets Manager can store a secret in two ways:
- In key/value (JSON map) format
- In plain text format
Note
For a secret stored in plain text format, do not provide a secret key in the credential path: the whole secret string is the value.
For example:
Before Encoding
- Using Secret ARN:
secrets://aws-vault/arn:aws:secretsmanager:us-east-1:441113549707:secret:orgName/cred/applicationName/directoryName
Important
The same rules apply: the URL path must start with the prefix secrets://, each attribute in the URL path must be URL-encoded, and each URL attribute in the path is case-sensitive.
After Encoding
After you encode the URL path, it should appear as follows:
- Using Secret ARN:
secrets://aws-vault/arn%3Aaws%3Asecretsmanager%3Aus-east-1%3A441113549707%3Asecret%3AorgName%2Fcred%2FapplicationName%2FdirectoryName
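The following Python script is an added example (not the credential provider's own code) that builds and parses the expressions shown above: key/value secrets with a secret key, plain-text secrets without one, the prefix/suffix query parameters, and the versionId/versionStage selectors. It uses the page's sample vault name and ARN; the function names are assumptions. Its parser rejects an expression whose ARN was not encoded, which is the failure the encoding rule guards against: the "/" characters in the secret name would otherwise split the ARN into extra path segments.

```python
"""Build, parse and validate AWS Secrets Manager credential-path expressions.

Added example for this page; it is not the credential provider's own code.
The vault name and ARN are the page's sample values; function names are mine.
"""
import re
from urllib.parse import quote, unquote

SCHEME = "secrets://"
# Query parameters the page documents, in the order of its standard format.
QUERY_PARAMS = ("prefix", "suffix", "versionId", "versionStage")
# Loose shape check for a Secrets Manager ARN in any AWS partition.
_ARN_RE = re.compile(r"^arn:aws[\w-]*:secretsmanager:[\w-]+:\d{12}:secret:.+$")

# Sample values taken from the page's examples.
EXAMPLE_VAULT = "aws-vault"
EXAMPLE_ARN = ("arn:aws:secretsmanager:us-east-1:441113549707:secret:"
               "orgName/cred/applicationName/directoryName")


def build_secret_path(vault, secret_arn, secret_key=None, **params):
    """Return secrets://{vault}/{encoded ARN}[/{secretKey}][?prefix=..&...].

    Every attribute is percent-encoded with no "safe" characters, so the ':'
    and '/' inside the ARN become %3A and %2F and the ARN occupies a single
    path segment.  Pass secret_key=None for a plain-text secret.
    """
    unknown = set(params) - set(QUERY_PARAMS)
    if unknown:
        raise ValueError(f"unsupported query parameter(s): {sorted(unknown)}")
    path = f"{SCHEME}{quote(vault, safe='')}/{quote(secret_arn, safe='')}"
    if secret_key is not None:
        path += "/" + quote(secret_key, safe="")
    query = "&".join(f"{k}={quote(str(params[k]), safe='')}"
                     for k in QUERY_PARAMS if params.get(k) is not None)
    return f"{path}?{query}" if query else path


def parse_secret_path(expr):
    """Decode an expression into its attributes; raise ValueError if malformed.

    An ARN whose '/' characters were not encoded splits into extra path
    segments, so the expression is rejected instead of being misread.
    """
    if not expr.startswith(SCHEME):
        raise ValueError("credential path must start with secrets://")
    path, _, query = expr[len(SCHEME):].partition("?")
    segments = path.split("/")
    if len(segments) not in (2, 3) or not all(segments):
        raise ValueError("expected secrets://{vault}/{encoded ARN}[/{secretKey}]")
    vault, arn = unquote(segments[0]), unquote(segments[1])
    if not _ARN_RE.match(arn):
        raise ValueError(f"not a Secrets Manager ARN: {arn!r}")
    result = {"vault": vault, "secret_arn": arn,
              "secret_key": unquote(segments[2]) if len(segments) == 3 else None}
    for item in filter(None, query.split("&")):
        key, _, value = item.partition("=")
        if key not in QUERY_PARAMS:   # parameter names are case-sensitive
            raise ValueError(f"unsupported query parameter: {key!r}")
        result[key] = unquote(value)
    return result


def is_valid_secret_path(expr):
    """True if parse_secret_path() accepts the expression."""
    try:
        parse_secret_path(expr)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for args, kwargs in [
        ((EXAMPLE_VAULT, EXAMPLE_ARN, "username"), {}),
        ((EXAMPLE_VAULT, EXAMPLE_ARN, "password"),
         {"prefix": "DomainOne\\", "suffix": "@sp.com"}),
        ((EXAMPLE_VAULT, EXAMPLE_ARN), {}),          # plain-text secret, no key
        ((EXAMPLE_VAULT, EXAMPLE_ARN, "password"),
         {"versionId": "123", "versionStage": "AWSCURRENT"}),
    ]:
        expr = build_secret_path(*args, **kwargs)
        print(expr)
        assert parse_secret_path(expr)["secret_arn"] == EXAMPLE_ARN
```

Because the ARN is encoded with no safe characters, the parser can split the path on "/" and know that the second segment is always the whole ARN and an optional third segment is the secret key; parameter names are matched case-sensitively, so VersionId is rejected where versionId is expected.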
Other Query Parameters
- versionId – The unique identifier of the version of the secret to retrieve. If you include both this parameter and versionStage, the two parameters must refer to the same secret version. If you specify neither versionStage nor versionId, Secrets Manager returns the AWSCURRENT version.
Example:
secrets://aws-vault/arn%3Aaws%3Asecretsmanager%3Aus-east-1%3A441113549707%3Asecret%3AorgName%2Fcred%2FapplicationName%2FdirectoryName/password?versionId=123
- versionStage – The staging label of the version of the secret to retrieve. Secrets Manager uses staging labels to keep track of different versions during the rotation process. If you include both this parameter and versionId, the two parameters must refer to the same secret version. If you specify neither versionStage nor versionId, Secrets Manager returns the AWSCURRENT version.
Example:
secrets://aws-vault/arn%3Aaws%3Asecretsmanager%3Aus-east-1%3A441113549707%3Asecret%3AorgName%2Fcred%2FapplicationName%2FdirectoryName/password?versionStage=AWSCURRENT
- versionId and versionStage – Both parameters can be combined, in which case they must refer to the same secret version.
Example:
secrets://aws-vault/arn%3Aaws%3Asecretsmanager%3Aus-east-1%3A441113549707%3Asecret%3AorgName%2Fcred%2FapplicationName%2FdirectoryName/password?versionId=123&versionStage=AWSCURRENT
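The following Python script is an added example that illustrates how the documented attributes are applied once a path has been decoded: the secret key is looked up in a key/value (JSON) secret, a plain-text secret is used whole, prefix and suffix are wrapped around the value, and versionId/versionStage are passed through as the version selectors of the GetSecretValue call. It is not the provider's own implementation. The client stand-in and its secret data are constructed for offline use; the real boto3 secretsmanager client exposes the same get_secret_value() call with the SecretId, VersionId and VersionStage parameters.

```python
"""Resolve a decoded credential path against Secrets Manager.

Added example for this page, not the provider's own code.  The client
stand-in and its versions are constructed data; the ARN is the page's sample.
"""
import json

EXAMPLE_ARN = ("arn:aws:secretsmanager:us-east-1:441113549707:secret:"
               "orgName/cred/applicationName/directoryName")


def resolve_secret(client, secret_arn, secret_key=None, prefix="", suffix="",
                   versionId=None, versionStage=None):
    """Fetch one credential value and apply the optional prefix/suffix."""
    request = {"SecretId": secret_arn}
    # Only send the selectors that were given; with neither, Secrets Manager
    # returns the version labelled AWSCURRENT.  If both are given they must
    # name the same version or the service fails the request.
    if versionId:
        request["VersionId"] = versionId
    if versionStage:
        request["VersionStage"] = versionStage
    secret_string = client.get_secret_value(**request)["SecretString"]

    if secret_key is None:
        value = secret_string            # plain-text secret: no key needed
    else:
        try:
            fields = json.loads(secret_string)
        except json.JSONDecodeError:
            raise ValueError("secretKey given but the secret is not key/value JSON")
        if not isinstance(fields, dict) or secret_key not in fields:
            # Key names are case-sensitive: 'Password' does not match 'password'.
            raise KeyError(f"key {secret_key!r} not present in secret")
        value = fields[secret_key]
    return f"{prefix}{value}{suffix}"


class FakeSecretsManager:
    """Constructed offline stand-in for a boto3 'secretsmanager' client."""

    def __init__(self, versions):
        # {version_id: (set_of_staging_labels, secret_string)}
        self.versions = versions
        self.calls = []  # every request made, for inspection

    def get_secret_value(self, SecretId, VersionId=None, VersionStage=None):
        self.calls.append(dict(SecretId=SecretId, VersionId=VersionId,
                               VersionStage=VersionStage))
        if VersionId is None and VersionStage is None:
            VersionStage = "AWSCURRENT"
        for vid, (labels, secret) in self.versions.items():
            if VersionId in (None, vid) and (VersionStage is None or VersionStage in labels):
                return {"ARN": SecretId, "VersionId": vid, "SecretString": secret}
        # The real service fails the request when no version matches both selectors.
        raise LookupError("no version matches VersionId/VersionStage")


# Constructed sample data: a key/value secret with a current and a previous
# version, and a plain-text secret.
KV_VERSIONS = {
    "123": ({"AWSCURRENT"}, json.dumps({"username": "LocalAdmin", "password": "Curr3nt!"})),
    "122": ({"AWSPREVIOUS"}, json.dumps({"username": "LocalAdmin", "password": "Prev1ous!"})),
}
PLAINTEXT_VERSIONS = {"1": ({"AWSCURRENT"}, "localadministrator")}


if __name__ == "__main__":
    kv = FakeSecretsManager(KV_VERSIONS)
    print(resolve_secret(kv, EXAMPLE_ARN, "password", prefix="DomainOne\\", suffix="@sp.com"))
    print(resolve_secret(kv, EXAMPLE_ARN, "password", versionStage="AWSPREVIOUS"))
    print(resolve_secret(FakeSecretsManager(PLAINTEXT_VERSIONS), EXAMPLE_ARN, suffix="@sp.com"))
```

The stand-in mirrors the documented rule that versionId and versionStage must agree: asking for versionId=123 together with versionStage=AWSPREVIOUS fails, while either selector alone, or both naming the same version, succeeds.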