AWS

AWS secrets store IAM credentials that allow your workloads to authenticate with AWS services. Use them to access S3, DynamoDB, SQS, or any other AWS service directly from your applications.

Use Cases

S3 Access: Read/write files to S3 buckets
Database Connections: Connect to RDS, DynamoDB, or ElastiCache
Message Queues: Send/receive messages from SQS or SNS
AWS SDK Integration: Any application using the AWS SDK
Cross-Account Access: Access resources in other AWS accounts via role assumption

Configuration Options

Field	Description	Required
`accessKey`	AWS Access Key ID (starts with `AKIA...`)	Yes
`secretKey`	AWS Secret Access Key	Yes
`roleArn`	IAM Role ARN to assume for cross-account access	No
`externalId`	External ID for role assumption (additional security)	No

For enhanced security, use role assumption with roleArn instead of long-lived access keys. This allows you to grant temporary, scoped access to AWS resources.

Create an AWS Secret

Console UI
CLI
Terraform
Pulumi

Navigate to Secrets

In the Console, navigate to Secrets and click New, or use the Create dropdown in the top-right corner and select Secret.

Enter basic information

Enter a Name and optional Description.

Select secret type

Select AWS as the secret type.

Configure credentials

Click Data in the left pane. Enter the Access Key and Secret Key. Optionally enter a Role ARN and External ID for role assumption.

Create the secret

Click Create.

Basic credentials:

cpln secret create-aws \
  --name aws-s3-access \
  --access-key AKIAIOSFODNN7EXAMPLE \
  --secret-key wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY \
  --org my-org

With role assumption:

cpln secret create-aws \
  --name aws-cross-account \
  --access-key AKIAIOSFODNN7EXAMPLE \
  --secret-key wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY \
  --role-arn arn:aws:iam::123456789012:role/CrossAccountRole \
  --external-id my-external-id \
  --org my-org

resource "cpln_secret" "aws_s3" {
  name        = "aws-s3-access"
  description = "AWS credentials for S3 access"

  aws {
    access_key = "AKIAIOSFODNN7EXAMPLE"
    secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
  }
}

With role assumption:

resource "cpln_secret" "aws_cross_account" {
  name        = "aws-cross-account"
  description = "AWS credentials with role assumption"

  aws {
    access_key  = "AKIAIOSFODNN7EXAMPLE"
    secret_key  = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
    role_arn    = "arn:aws:iam::123456789012:role/CrossAccountRole"
    external_id = "my-external-id"
  }
}

This example uses hardcoded credentials for testing. In production, use Terraform variables or integrate with AWS Secrets Manager.

TypeScript
Python
Go
C#

import * as cpln from "@pulumiverse/cpln";

const awsSecret = new cpln.Secret("aws-s3-access", {
  name: "aws-s3-access",
  description: "AWS credentials for S3 access",
  aws: {
    accessKey: "AKIAIOSFODNN7EXAMPLE",
    secretKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    roleArn: "arn:aws:iam::123456789012:role/CrossAccountRole",
    externalId: "my-external-id",
  },
});

import pulumiverse_cpln as cpln

aws_secret = cpln.Secret("aws-s3-access",
    name="aws-s3-access",
    description="AWS credentials for S3 access",
    aws={
        "access_key": "AKIAIOSFODNN7EXAMPLE",
        "secret_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "role_arn": "arn:aws:iam::123456789012:role/CrossAccountRole",
        "external_id": "my-external-id",
    })

package main

import (
    "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    "github.com/pulumiverse/pulumi-cpln/sdk/go/cpln"
)

func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        _, err := cpln.NewSecret(ctx, "aws-s3-access", &cpln.SecretArgs{
            Name:        pulumi.String("aws-s3-access"),
            Description: pulumi.String("AWS credentials for S3 access"),
            Aws: &cpln.SecretAwsArgs{
                AccessKey:  pulumi.String("AKIAIOSFODNN7EXAMPLE"),
                SecretKey:  pulumi.String("wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"),
                RoleArn:    pulumi.String("arn:aws:iam::123456789012:role/CrossAccountRole"),
                ExternalId: pulumi.String("my-external-id"),
            },
        })
        return err
    })
}

using Pulumi;
using Pulumiverse.Cpln;
using Pulumiverse.Cpln.Inputs;

return await Deployment.RunAsync(() =>
{
    var awsSecret = new Secret("aws-s3-access", new SecretArgs
    {
        Name = "aws-s3-access",
        Description = "AWS credentials for S3 access",
        Aws = new SecretAwsArgs
        {
            AccessKey = "AKIAIOSFODNN7EXAMPLE",
            SecretKey = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
            RoleArn = "arn:aws:iam::123456789012:role/CrossAccountRole",
            ExternalId = "my-external-id",
        },
    });
});

Best Practices

Use least-privilege IAM policies

Create IAM users or roles with only the permissions your workload needs. Avoid using root credentials or overly permissive policies.

Rotate credentials regularly

Set up a rotation schedule for your AWS access keys. Control Plane makes it easy to update secrets without redeploying workloads.

Prefer role assumption

When accessing cross-account resources, use roleArn with temporary credentials instead of sharing long-lived access keys.

How-to Guides

CLI Configuration

Integrations

Configure Resources

Create Resources

Deployment

GitOps

Images

Native Networking

Observability

Workload Access

Use Cases

Configuration Options

Create an AWS Secret

Best Practices

Next Steps

Using Secrets in Workloads

AWS Cloud Account

How-to Guides

CLI Configuration

Integrations

Configure Resources

Create Resources

Deployment

GitOps

Images

Native Networking

Observability

Workload Access

​Use Cases

​Configuration Options

​Create an AWS Secret

​Best Practices

​Next Steps

Using Secrets in Workloads

AWS Cloud Account

Use Cases

Configuration Options

Create an AWS Secret

Best Practices

Next Steps