# AWS Secret Manager

## AWS Secrets Manager

Connect AWS Secrets Manager to Paradime so you can reference secrets by ARN in your environment variables and connection profiles — without ever storing plaintext credentials in Paradime.

### Prerequisites

* An AWS account with AWS Secrets Manager enabled.
* An IAM service-account user with programmatic access (access key ID + secret access key), e.g. `paradime-ssm-access-service-account`.
* An IAM role that Paradime will assume via `sts:AssumeRole` to fetch secrets.
* The IAM role must have `secretsmanager:GetSecretValue` permission on the secrets you want to reference.

### Step 1 — Create an IAM role for Paradime

1. Open the **IAM Console** and create a new role; call it `ParadimeSSMAccessRole`.
2. Get the ARN of the IAM user you created for programmatic access.
3. Select **Custom trust policy** and add a trust relationship that allows that IAM user to assume the role:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "<arn of the service account user>"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

4. Attach an inline policy, call it `ParadimeSSMAccessPolicy`, granting access to the secrets Paradime needs:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": [
          "<arn_1 of secrets that Paradime should have access to>",
          "<arn_2 of secrets that Paradime should have access to>"
      ]
    }
  ]
}
```

List each secret you want to give Paradime access to as its own entry in the `Resource` array.

{% hint style="info" %}
Scope the `Resource` field to only the secrets Paradime needs. Avoid using `*` in production.
{% endhint %}

### Step 2 — Connect in Paradime

1. Navigate to **Settings > Integrations**.
2. Find **AWS Secrets Manager** under the **Secret Managers** category and click **Connect**.
3. Fill in the required fields:

| Field                 | Description                                                      |
| --------------------- | ---------------------------------------------------------------- |
| **Access Key ID**     | The IAM user's access key ID (e.g. `AKIA...`).                   |
| **Secret Access Key** | The IAM user's secret access key.                                |
| **Role ARN**          | The ARN of the IAM role created in Step 1.                       |
| **Region**            | The AWS region where your secrets are stored (e.g. `us-east-1`). |

4. Click **Test connection**. Paradime will perform an `sts:AssumeRole` call to verify the credentials work end-to-end.

### Step 3 — Reference secrets

Once connected, you can use AWS Secrets Manager ARNs anywhere Paradime accepts environment variable values or connection profile fields.

#### Reference format

```
arn:aws:secretsmanager:<region>:<account-id>:secret:<secret-name>
```

#### Extracting a JSON key

If your secret value is a JSON object, append `#key_name` to extract a specific field:

```
arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-AbCdEf#password
```

This resolves to the value of the `password` key inside the secret's JSON payload.

#### Example — Bolt environment variable

In your Bolt schedule's environment variables, set:

| Variable             | Value                                                                                 |
| -------------------- | ------------------------------------------------------------------------------------- |
| `SNOWFLAKE_PASSWORD` | `arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/snowflake-AbCdEf#password` |

Paradime resolves the ARN to the live secret value at schedule run time. The plaintext value is never stored in Paradime.
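To verify the role and policy from Step 1 before connecting Paradime, the following added Python example (not Paradime's own code) resolves a reference the same way the integration does: it assumes `ParadimeSSMAccessRole` with the service-account user's keys, calls `GetSecretValue`, and applies the `#key_name` extraction. The function names, the session name and the boto3 dependency for the live call are assumptions; the parsing and extraction helpers run offline.

```python
import json
import re

# ARN grammar from the page: arn:aws:secretsmanager:<region>:<account-id>:secret:<secret-name>
_ARN_RE = re.compile(
    r"^arn:aws:secretsmanager:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):secret:(?P<name>[^#]+)$"
)

def parse_reference(ref):
    """Split 'arn#key' into (arn, key, region); key is None without a '#key' suffix."""
    arn, sep, key = ref.partition("#")
    m = _ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not a Secrets Manager ARN: {arn!r}")
    if sep and not key:
        raise ValueError("empty JSON key after '#'")
    return arn, (key or None), m.group("region")

def extract_value(secret_string, key):
    """Whole secret when key is None, else the named field of the JSON payload."""
    if key is None:
        return secret_string
    try:
        payload = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        raise ValueError("secret is not JSON; drop the '#key' suffix") from exc
    if not isinstance(payload, dict) or key not in payload:
        raise KeyError(f"key {key!r} not present in secret JSON")
    return payload[key]

def resolve(ref, access_key_id, secret_access_key, role_arn):
    """Live check (assumed flow): AssumeRole with the user's keys, then GetSecretValue."""
    import boto3  # imported here so the offline helpers above work without it

    arn, key, region = parse_reference(ref)
    sts = boto3.client("sts", aws_access_key_id=access_key_id,
                       aws_secret_access_key=secret_access_key)
    creds = sts.assume_role(RoleArn=role_arn,
                            RoleSessionName="paradime-access-check")["Credentials"]
    sm = boto3.client("secretsmanager", region_name=region,
                      aws_access_key_id=creds["AccessKeyId"],
                      aws_secret_access_key=creds["SecretAccessKey"],
                      aws_session_token=creds["SessionToken"])
    # AccessDenied here means the inline policy's Resource list does not cover this ARN
    return extract_value(sm.get_secret_value(SecretId=arn)["SecretString"], key)
```

An `AccessDenied` from `assume_role` points at the trust policy; one from `get_secret_value` points at the inline policy's `Resource` list.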

### Disconnecting

To remove the AWS Secrets Manager integration:

1. Navigate to **Settings > Integrations**.
2. Click **Disconnect** on the AWS Secrets Manager card.

{% hint style="warning" %}
Any environment variables or profile fields that reference AWS ARNs will fail to resolve after disconnecting. Update them to use literal values before disconnecting.
{% endhint %}

