AWS Parameter Store

Infisical will assume the provided role in your AWS account securely, without the need to share any credentials.

Prerequisites:

Set up and add envars to Infisical Cloud

To connect your Infisical instance with AWS, you need to set up an AWS IAM User account that can assume the AWS IAM Role for the integration.

If your instance is deployed on AWS, the aws-sdk will automatically retrieve the credentials. Ensure that you assign the provided permission policy to your deployed instance, such as ECS or EC2.

The following steps are for instances not deployed on AWS

Create an IAM User

Navigate to Create IAM User in your AWS Console.

Create an Inline Policy

Attach the following inline permission policy to the IAM User to allow it to assume any IAM Roles:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAssumeAnyRole",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::*:role/*"
    }
  ]
}

Obtain the IAM User Credentials

Obtain the AWS access key ID and secret access key for your IAM User by navigating to IAM > Users > [Your User] > Security credentials > Access keys.

Set Up Integration Keys

Set the access key as CLIENT_ID_AWS_INTEGRATION.
Set the secret key as CLIENT_SECRET_AWS_INTEGRATION.

Create the Managing User IAM Role for AWS Parameter Store

Navigate to the Create IAM Role page in your AWS Console.
Select AWS Account as the Trusted Entity Type.
Choose Another AWS Account and enter 381492033652 (Infisical AWS Account ID). This restricts the role to be assumed only by Infisical. If self-hosting, provide your AWS account number instead.
Optionally, enable Require external ID and enter your project ID to further enhance security.

Add Required Permissions for the IAM Role

Use the following custom policy to grant the minimum permissions required by Infisical to sync secrets to AWS Parameter Store:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSSMAccess",
      "Effect": "Allow",
      "Action": [
        "ssm:PutParameter",
        "ssm:DeleteParameter",
        "ssm:GetParameters",
        "ssm:GetParametersByPath",
        "ssm:DescribeParameters",
        "ssm:DeleteParameters",
        "ssm:AddTagsToResource", // if you need to add tags to secrets
        "kms:ListKeys", // if you need to specify the KMS key
        "kms:ListAliases", // if you need to specify the KMS key
        "kms:Encrypt", // if you need to specify the KMS key
        "kms:Decrypt" // if you need to specify the KMS key
      ],
      "Resource": "*"
    }
  ]
}

Copy the AWS IAM Role ARN

Authorize Infisical for AWS Parameter Store

Navigate to your project’s integrations tab in Infisical.
Click on the AWS Parameter Store tile.
Select the AWS Assume Role option.
Provide the AWS IAM Role ARN obtained from the previous step and press connect.

Start integration

Select which Infisical environment secrets you want to sync to which AWS Parameter Store region and indicate the path for your secrets. Then, press create integration to start syncing secrets to AWS Parameter Store.

Infisical requires you to add a path for your secrets to be stored in AWS Parameter Store and recommends setting the path structure to /[project_name]/[environment]/ according to best practices. This enables a secret like TEST to be stored as /[project_name]/[environment]/TEST in AWS Parameter Store.

Infrastructure Integrations

Native Integrations

CI/CD Integrations

Framework Integrations

Build Tool Integrations

AWS Parameter Store