Skip to main content

Documentation Index

Fetch the complete documentation index at: https://infisical.com/docs/llms.txt

Use this file to discover all available pages before exploring further.

Store certificates in AWS Secrets Manager as JSON secrets for application retrieval. Certificates are stored with customizable field names for the certificate, private key, and chain.
Certificate Syncs are configured per Application. First select which certificates to sync, then configure the Secrets Manager destination.

Prerequisites

  • An AWS Connection with the following permissions:
    • secretsmanager:CreateSecret
    • secretsmanager:UpdateSecret
    • secretsmanager:GetSecretValue
    • secretsmanager:DeleteSecret
    • secretsmanager:ListSecrets
Certificates are stored as JSON secrets with configurable field names for certificate, private key, and chain.

Create a Secrets Manager Sync

  1. In your Application, go to the Certificate Syncs tab and click Create Sync.
  2. Select the AWS Secrets Manager option.
  3. Configure the Destination:
    • AWS Connection: The AWS Connection to authenticate with.
    • Region: The AWS region where secrets will be stored.
  4. Configure the Sync Options:
    • Enable Removal of Expired/Revoked Certificates: Remove certificates from the destination if they are no longer active.
    • Preserve Secret on Renewal: Update the existing secret on renewal instead of creating a new one.
    • Include Root CA: Include the Root CA certificate in the chain.
    • Certificate Name Schema: Customize secret names using {{certificateId}} placeholder.
    • Auto-Sync Enabled: Automatically sync certificates when changes occur.
  5. Configure the Field Mappings to customize how certificate data is stored:
    • Certificate Field: Field name for the certificate (default: certificate)
    • Private Key Field: Field name for the private key (default: private_key)
    • Certificate Chain Field: Field name for the chain (default: certificate_chain)
    • CA Certificate Field: Field name for the root CA (default: ca_certificate)
Certificates are stored as JSON secrets:
{
  "certificate": "-----BEGIN CERTIFICATE-----\n...",
  "private_key": "-----BEGIN PRIVATE KEY-----\n...",
  "certificate_chain": "-----BEGIN CERTIFICATE-----\n...",
  "ca_certificate": "-----BEGIN CERTIFICATE-----\n..."
}
  1. Configure the Details:
    • Name: The name of your sync (slug-friendly).
    • Description: Optional description.
  2. Select which certificates should be synced.
  3. Review and click Create Sync.

Certificate Management

The AWS Secrets Manager Certificate Sync provides:
  • Automatic Deployment: Deploy certificates in Infisical to AWS Secrets Manager as JSON secrets with customizable field names.
  • Certificate Updates: Update certificates in AWS Secrets Manager when renewals occur.
  • Expiration Handling: Optionally remove expired certificates from AWS Secrets Manager (if enabled).
  • Format Preservation: Maintain certificate format during sync operations.
  • Field Customization: Map certificate data to custom field names that match your application requirements.
  • CA Certificate Support: Include CA certificates in secrets for complete certificate chain management.
  • KMS Encryption: Optionally use custom KMS keys for secret encryption.
  • Regional Deployment: Deploy secrets to specific AWS regions.
AWS Secrets Manager Certificate Syncs support both automatic and manual synchronization modes. When auto-sync is enabled, certificates are automatically deployed as they are issued or renewed.

Manual Certificate Sync

You can manually trigger certificate synchronization to AWS Secrets Manager using the sync certificates functionality. This is useful for:
  • Initial setup when you have existing certificates to deploy
  • One-time sync of specific certificates
  • Testing certificate sync configurations
  • Force sync after making changes
To manually sync certificates, use the Sync Certificates API endpoint or the manual sync option in the Infisical UI.

Secret Naming Constraints

AWS Secrets Manager has specific naming requirements for secrets:
  • Allowed Characters: Letters, numbers, hyphens (-), and underscores (_) only
  • Length: 1-512 characters

FAQ

AWS Secrets Manager does not support importing certificates back into Infisical due to the nature of AWS Secrets Manager where certificates are stored as JSON secrets rather than managed certificate objects.

What’s Next?

AWS Certificate Manager

Import certificates into ACM for AWS services.

Auto-Renewal

Enable automatic certificate renewal and syncing.

Alerting

Get notified about certificate lifecycle events.

Other Sync Destinations

View all supported sync destinations.