AWS Connection

Infisical supports two methods for connecting to AWS.

Infisical will assume the provided role in your AWS account securely, without the need to share any credentials.

To connect your self-hosted Infisical instance with AWS, you need to set up an AWS IAM User account that can assume the configured AWS IAM Role.

If your instance is deployed on AWS, the aws-sdk will automatically retrieve the credentials. Ensure that you assign the provided permission policy to your deployed instance, such as ECS or EC2.

The following steps are for instances not deployed on AWS:

Create an IAM User

Navigate to Create IAM User in your AWS Console.

Create an Inline Policy

Attach the following inline permission policy to the IAM User to allow it to assume any IAM Roles:

{
    "Version": "2012-10-17",
    "Statement": [
{
    "Sid": "AllowAssumeAnyRole",
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::*:role/*"
}
    ]
}

Obtain the IAM User Credentials

Obtain the AWS access key ID and secret access key for your IAM User by navigating to IAM > Users > [Your User] > Security credentials > Access keys.

Set Up Connection Keys

Set the access key as INF_APP_CONNECTION_AWS_ACCESS_KEY_ID.
Set the secret key as INF_APP_CONNECTION_AWS_SECRET_ACCESS_KEY.

Create the Managing User IAM Role for Infisical

Navigate to the Create IAM Role page in your AWS Console.
Select AWS Account as the Trusted Entity Type.
Choose Another AWS Account and enter 381492033652 (Infisical AWS Account ID). This restricts the role to be assumed only by Infisical. If self-hosting, provide your AWS account number instead.
Optionally, enable Require external ID and enter your Organization ID to further enhance security.

Add Required Permissions to the IAM Role

Navigate to your IAM role permissions and click Create Inline Policy.

Depending on your use case, add one or more of the following policies to your IAM Role:

Use the following custom policy to grant the minimum permissions required by Infisical to sync secrets to AWS Secrets Manager:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSecretsManagerAccess",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:ListSecrets",
                "secretsmanager:GetSecretValue",
                "secretsmanager:BatchGetSecretValue",
                "secretsmanager:CreateSecret",
                "secretsmanager:UpdateSecret",
                "secretsmanager:DeleteSecret",
                "secretsmanager:DescribeSecret",
                "secretsmanager:TagResource",
                "secretsmanager:UntagResource",
                "kms:ListAliases", // if you need to specify the KMS key
                "kms:Encrypt", // if you need to specify the KMS key
                "kms:Decrypt", // if you need to specify the KMS key
                "kms:DescribeKey" // if you need to specify the KMS key
            ],
            "Resource": "*"
        }
    ]
}

If using a custom KMS key, be sure to add the IAM user or role as a key user.

Use the following custom policy to grant the minimum permissions required by Infisical to sync secrets to AWS Parameter Store:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSSMAccess",
            "Effect": "Allow",
            "Action": [
                "ssm:PutParameter",
                "ssm:GetParameters",
                "ssm:GetParametersByPath",
                "ssm:DescribeParameters",
                "ssm:DeleteParameters",
                "ssm:ListTagsForResource", // if you need to add tags to secrets
                "ssm:AddTagsToResource", // if you need to add tags to secrets
                "ssm:RemoveTagsFromResource", // if you need to add tags to secrets
                "kms:ListAliases", // if you need to specify the KMS key
                "kms:Encrypt", // if you need to specify the KMS key
                "kms:Decrypt", // if you need to specify the KMS key
                "kms:DescribeKey" // if you need to specify the KMS key
            ],
            "Resource": "*"
        }
    ]
}

If using a custom KMS key, be sure to add the IAM user or role as a key user.

Copy the AWS IAM Role ARN

Setup AWS Connection in Infisical

Navigate to the App Connections tab on the Organization Settings page.
Select the AWS Connection option.
Select the Assume Role method option and provide the AWS IAM Role ARN obtained from the previous step and press Connect to AWS.
Your AWS Connection is now available for use.

Infrastructure Integrations

App Connections

Secret Syncs

Native Integrations

CI/CD Integrations

Framework Integrations

Build Tool Integrations