AWS Secret Manager

AWS Secrets Manager

Connect AWS Secrets Manager to Paradime so you can reference secrets by ARN in your environment variables and connection profiles — without ever storing plaintext credentials in Paradime.

Prerequisites

An AWS account with AWS Secrets Manager enabled.
Create an IAM service-account user with programmatic access (access key ID + secret access key) e.g. paradime-ssm-access-service-account
An IAM role that Paradime will assume via sts:AssumeRole to fetch secrets.
The IAM role must have secretsmanager:GetSecretValue permission on the secrets you want to reference.

Step 1 — Create an IAM role for Paradime

Open the IAM Console and create a new role, call it ParadimeSSMAccessRole.
Get the ARN of the IAM user you created that will have the programmatic access
Select Custom trust policy, call it and add a trust relationship that allows your IAM user to assume the role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "<arn of the service account user>"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Attach an inline policy, call it ParadimeSSMAccessPolicy granting access to the secrets Paradime needs:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": [
          "<arn_1 of secrets that Paradime should have access to>",
          "<arn_2 of secrets that Paradime should have access to>"
      ]
    }
  ]
}

Add each individual secret you want to give Paradime access to in the Resource section.

Scope the Resource field to only the secrets Paradime needs. Avoid using * in production.

Step 2 — Connect in Paradime

Navigate to Settings > Integrations.
Find AWS Secrets Manager under the Secret Managers category and click Connect.
Fill in the required fields:

Field

Description

Access Key ID

The IAM user's access key ID (e.g. AKIA...).

Secret Access Key

The IAM user's secret access key.

Role ARN

The ARN of the IAM role created in Step 1.

Region

The AWS region where your secrets are stored (e.g. us-east-1).

Click Test connection. Paradime will perform an sts:AssumeRole call to verify the credentials work end-to-end.

Step 3 — Reference secrets

Once connected, you can use AWS Secrets Manager ARNs anywhere Paradime accepts environment variable values or connection profile fields.

Reference format

arn:aws:secretsmanager:<region>:<account-id>:secret:<secret-name>

Extracting a JSON key

If your secret value is a JSON object, append #key_name to extract a specific field:

arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-AbCdEf#password

This resolves to the value of the password key inside the secret's JSON payload.

Example — Bolt environment variable

In your Bolt schedule's environment variables, set:

Variable

Value

SNOWFLAKE_PASSWORD

arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/snowflake-AbCdEf#password

Paradime resolves the ARN to the live secret value at schedule run time. The plaintext value is never stored in Paradime.

Disconnecting

To remove the AWS Secrets Manager integration:

Navigate to Settings > Integrations.
Click Disconnect on the AWS Secrets Manager card.

Any environment variables or profile fields that reference AWS ARNs will fail to resolve after disconnecting. Update them to use literal values before disconnecting.

Last updated 24 days ago

Was this helpful?