# Setting up Secrets Management for Projects
As an alternative to an individual secret for each user, you can manage access at the level of the project.
You must change secrets manager settings so that connections in the project can use the specified role in the project settings. Customers can then create project-specific IAM roles to limit the use of secrets to connections within the project.
WARNING
Switching to project-specific secrets management causes all previously configured external secrets references to stop working. Projects that use secrets stored in AWS Secrets Manager must be set up individually in Project settings.
NOTE
In the example used in this article, we chose to demonstrate a simple example of configuring the AWS external role ID without changing the IAM permissions policy.
If your organization requires different roles scoped to different access permissions, we recommend that you configure these new permissions by setting the scope to specific secret resources. This enables you to have more granular control over which connection credentials to use in each project.
After your AWS Secrets Manager successfully connects to Workato, you can start using secrets when configuring connections.
# Prerequisites
To complete the steps in this guide, you must have the following:
In Workato:
- An account with the Data Monitoring/Advanced Security & Compliance add-on. For more information, contact your Workato Customer Success Manager.
In Amazon Web Services (AWS):
- Permissions that allow you to create and modify IAM permissions policies
- Permissions that allow you to create and modify IAM roles
# Step 1: Select the scope for secrets management
Sign in to your Workato account.
Navigate to Settings > Secrets management.
Select Scope option: Set up secrets management for each project individually.
If you have previously set up Secrets Management at the Workspace level, Workato notifies you that All previously configured references to external secrets will stop working.
Remember that you must now set up secrets in each project individually.
Click Save changes.
If you are switching Secrets management scopes, confirm that you are switching from secrets management at workspace level to project level when prompted.
Remember that you must now set up secrets in each project individually.
Click Use project-specific secrets.
# Step 2: Select the project
Log in to Workato and navigate to your projects.
Select the project that you plan to configure with secrets management.
Navigate to Settings > Secrets management.
Select AWS secrets manager in the Which secrets manager do you want to use? field.
Choose a guide for next steps in the process:
- Create a new permission policy and role in AWS
- Add the role to your Workato account
# Step 3: Select the AWS Account ID and external ID
In the Create a new permission policy and role in AWS guide detail, Workato displays the IAM details. Note them to use in the following steps:
- AWS Account ID
- Copy the AWS Account ID value, to use in ongoing configuration of the secrets manager.
- External ID for ProjectName
- Copy the value, to use in ongoing configuration of the secrets manager.
- Here, we configure access to the project WorkatoDB_Project1.
- The value should be of the form
workato_iam_external_id_
, wherewwwww _pppp
is the ID of the Workato workspace, andwwwww
is the ID of the project.pppp
# Step 4: Create an AWS IAM role for your Workato project
Refer to the IAM role-based authentication for AWS for instructions on how to create an IAM role for Workato and an IAM permissions policy (if needed).
# Step 5: Retrieve and add the role ARN in Workato
You must complete the following steps to finalize the setup:
Last updated: 1/2/2024, 7:18:05 PM