AWS Secrets Manager Secret Store
The aws_secrets_manager store enables Spice to read secrets from AWS Secrets Manager by specifying the secret’s name with a selector.
secrets:
  - from: aws_secrets_manager:my_secret_name
    name: aws
The store reads keys from the secret named in the selector. In the above example, my_secret_name must be defined in AWS Secrets Manager, and any keys referenced using ${aws:my_key} will look for a key my_key within my_secret_name.
Example
A complete spicepod definition with a dataset that uses a secret from AWS Secrets Manager.
version: v1
kind: Spicepod
name: taxi_trips
secrets:
  - from: aws_secrets_manager:dremio
    name: dremio
datasets:
  - from: dremio:datasets.taxi_trips
    name: taxi_trips
    description: dremio taxi trips
    params:
      dremio_endpoint: grpc://20.163.171.81:32010
      dremio_username: ${dremio:username}
      dremio_password: ${dremio:password}
AWS Secrets Manager Access
To use AWS Secrets Manager, an AWS account and a user in IAM Identity Center with the secretsmanager:GetSecretValue permission are required. Read Authentication and access control for AWS Secrets Manager for details.
Use the AWS CLI to configure AWS access:
aws configure
Check configuration with:
aws sts get-caller-identity
aws secretsmanager get-secret-value --secret-id MyTestSecret
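Beyond confirming that the CLI can read the secret, it helps to check that every ${store:key} reference in a spicepod resolves to a key that exists in the secret. The following is an added example, not part of Spice or of the original page; it assumes the secret is stored as a JSON object of key/value pairs in SecretString, and the function names (referenced_keys, keys_in, missing_keys) are hypothetical.

```python
import json
import re

# Constructed sample: the spicepod from this page, endpoint line omitted.
SPICEPOD = """\
version: v1
kind: Spicepod
name: taxi_trips
secrets:
  - from: aws_secrets_manager:dremio
    name: dremio
datasets:
  - from: dremio:datasets.taxi_trips
    name: taxi_trips
    params:
      dremio_username: ${dremio:username}
      dremio_password: ${dremio:password}
"""

# Regexes stand in for a YAML parser to keep the example dependency-free (assumption).
STORE_RE = re.compile(r"from:\s*aws_secrets_manager:(\S+)\s*\n\s*name:\s*(\S+)")
REF_RE = re.compile(r"\$\{\s*([A-Za-z0-9_]+)\s*:\s*([A-Za-z0-9_]+)\s*\}")

def referenced_keys(spicepod_text):
    """Map each AWS secret name to the set of keys the spicepod references in it."""
    stores = {alias: secret for secret, alias in STORE_RE.findall(spicepod_text)}
    wanted = {}
    for alias, key in REF_RE.findall(spicepod_text):
        if alias in stores:  # ignore references to other secret stores
            wanted.setdefault(stores[alias], set()).add(key)
    return wanted

def keys_in(secret_string):
    """Return only the key names of a JSON-object SecretString, never its values."""
    try:
        parsed = json.loads(secret_string)
    except (TypeError, ValueError):  # secret not fetched, or not JSON
        return set()
    return set(parsed) if isinstance(parsed, dict) else set()

def missing_keys(spicepod_text, secret_strings):
    """Return {secret_name: [missing keys]} for references that would not resolve."""
    problems = {}
    for secret, keys in referenced_keys(spicepod_text).items():
        absent = sorted(keys - keys_in(secret_strings.get(secret)))
        if absent:
            problems[secret] = absent
    return problems
```

The secret_strings argument maps each secret name to its SecretString, for example the output of aws secretsmanager get-secret-value --secret-id dremio --query SecretString --output text. Only key names are compared, so secret values never reach logs or the report.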