AWS Secrets Manager Integration

GGScout supports integration with AWS Secrets Manager to collect and monitor your secrets. This guide will help you set up and configure the integration.

Configuration

To configure GGScout to work with AWS Secrets Manager, add the following configuration to your ggscout.toml file:

[sources.aws-source-playground]
type = "awssecretsmanager"
fetch_all_versions = true
profile_name = "default"
region = "us-east-1"

Configuration Parameters

Parameter           Description                                  Required
------------------  -------------------------------------------  --------
type                Must be set to "awssecretsmanager"           Yes
fetch_all_versions  Whether to collect all versions of secrets   No
profile_name        AWS profile name to use                      No
region              AWS region where secrets are stored          No

Authentication

GGScout uses the AWS Rust client for authentication, which follows the standard AWS credential resolution process. The authentication is handled automatically by the AWS SDK, and the TOML configuration file only allows specifying the profile_name parameter.

Note: Authentication methods cannot be directly configured in the TOML file. Instead, you must provide the necessary AWS credentials through environment variables or AWS credential files.

AWS Credential Resolution

The AWS Rust client will attempt to load credentials in the following order:

  1. Environment variables:
     • AWS_ACCESS_KEY_ID
     • AWS_SECRET_ACCESS_KEY
     • AWS_SESSION_TOKEN (if using temporary credentials)
  2. AWS credential files:
     • ~/.aws/credentials
     • ~/.aws/config
  3. IAM roles for Amazon EC2 or ECS tasks
  4. IAM user federation

Environment Variables

For direct authentication, set the following environment variables:

  • AWS_ACCESS_KEY_ID: Your AWS access key ID
  • AWS_SECRET_ACCESS_KEY: Your AWS secret access key
  • AWS_SESSION_TOKEN: Your AWS session token (if using temporary credentials)
  • AWS_REGION: The AWS region where your secrets are stored

Tip: For production environments, it's recommended to use IAM roles or instance profiles rather than hardcoding credentials in environment variables.

Required AWS Permissions

To fetch secrets from AWS Secrets Manager, the identity used by GGScout must have the appropriate IAM permissions. The minimum required permissions are:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:ListSecrets",
        "secretsmanager:DescribeSecret"
      ],
      "Resource": "arn:aws:secretsmanager:*:*:secret:*"
    }
  ]
}
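Added example, not GGScout code: a small Python check that confirms a candidate policy still grants the three actions above and flags Resource patterns that reach into every account or every secret name, which is what the least-privilege practice below asks for. The tightened policy it ships with is constructed; the account ID and the prod/ name prefix are placeholders.

```python
import fnmatch
import json

# Actions the page lists as the minimum GGScout needs.
REQUIRED_ACTIONS = ("secretsmanager:GetSecretValue",
                    "secretsmanager:ListSecrets",
                    "secretsmanager:DescribeSecret")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allowed_pairs(policy):
    """Every (action, resource) pattern granted by an Allow statement."""
    return [(a, r)
            for s in _as_list(policy.get("Statement", [])) if s.get("Effect") == "Allow"
            for a in _as_list(s.get("Action", []))
            for r in _as_list(s.get("Resource", []))]

def missing_actions(policy):
    """Required actions that no Allow pattern covers (IAM matches actions case-insensitively)."""
    granted = [a.lower() for a, _ in allowed_pairs(policy)]
    return [req for req in REQUIRED_ACTIONS
            if not any(fnmatch.fnmatchcase(req.lower(), g) for g in granted)]

def overbroad_resources(policy):
    """Resources that grant secret access across any account or to every secret name."""
    hits = set()
    for action, resource in allowed_pairs(policy):
        if action != "*" and not action.lower().startswith("secretsmanager:"):
            continue
        if action.lower() == "secretsmanager:listsecrets":
            continue  # ListSecrets is account-wide; it cannot be scoped to a secret ARN
        parts = resource.split(":", 5)  # arn:partition:service:region:account:resource
        if resource == "*" or len(parts) < 6 or parts[4] == "*" or parts[5] in ("*", "secret:*"):
            hits.add(resource)
    return sorted(hits)

# Constructed sample: the same grants scoped to one account, one region and a name prefix
# (the account ID and the prod/ prefix are placeholders, not values from the page).
TIGHTENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
     "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/*"},
    {"Effect": "Allow", "Action": "secretsmanager:ListSecrets", "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    print(missing_actions(TIGHTENED_POLICY), overbroad_resources(TIGHTENED_POLICY))  # [] []
```

Run it against the policy above and it reports no missing actions but flags arn:aws:secretsmanager:*:*:secret:* as reaching every account and secret.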

Best Practices

  1. Use IAM roles or instance profiles when running on AWS infrastructure
  2. Follow the principle of least privilege for IAM permissions
  3. Enable fetch_all_versions to track changes in your secrets over time
  4. Regularly rotate access keys
  5. Use separate AWS accounts or regions for different environments