# AWS

> Create an AWS secret to store IAM credentials for authenticating workloads with AWS services like S3, DynamoDB, and SQS.

AWS secrets store IAM credentials that allow your workloads to authenticate with AWS services. Use them to access S3, DynamoDB, SQS, or any other AWS service directly from your applications.

## Use Cases

* **S3 Access**: Read/write files to S3 buckets
* **Database Connections**: Connect to RDS, DynamoDB, or ElastiCache
* **Message Queues**: Send/receive messages from SQS or SNS
* **AWS SDK Integration**: Any application using the AWS SDK
* **Cross-Account Access**: Access resources in other AWS accounts via role assumption

## Configuration Options

| Field        | Description                                           | Required |
| :----------- | :---------------------------------------------------- | :------- |
| `accessKey`  | AWS Access Key ID (starts with `AKIA...`)             | Yes      |
| `secretKey`  | AWS Secret Access Key                                 | Yes      |
| `roleArn`    | IAM Role ARN to assume for cross-account access       | No       |
| `externalId` | External ID sent with the role-assumption request; the target role's trust policy can require it, which protects against the confused-deputy problem | No       |

<Tip>
  For enhanced security, use role assumption with `roleArn` rather than granting resource permissions directly to long-lived access keys. The stored keys then only need permission to assume the role, and the workload operates on temporary, scoped session credentials.
</Tip>
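The following Python example, added here and not part of Control Plane's documentation or tooling, shows how a workload consumes the four fields above: without `roleArn` the long-lived keys are handed straight to the SDK; with `roleArn` they are used only to call `sts:AssumeRole`, and `externalId` is forwarded so that a trust policy with an `sts:ExternalId` condition can enforce it. The `AwsSecret` dataclass, the `FakeSts` stand-in and the temporary credentials it returns are constructed for this example; in a real workload the STS client would be `boto3.client("sts", ...)` built from the stored keys.

```python
# Added example (not Control Plane's code): turning the accessKey/secretKey/
# roleArn/externalId fields of a Control Plane AWS secret into credentials
# for the AWS SDK. The STS client is injected so the code runs offline.
import re
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

# Long-term access key IDs are 20 characters and start with "AKIA";
# temporary IDs issued by STS start with "ASIA". Secret keys are 40 chars.
ACCESS_KEY_RE = re.compile(r"^AKIA[0-9A-Z]{16}$")
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


@dataclass
class AwsSecret:
    """Mirrors the four fields of the Control Plane AWS secret type."""
    access_key: str
    secret_key: str
    role_arn: Optional[str] = None
    external_id: Optional[str] = None


def validate(secret: AwsSecret) -> List[str]:
    """Return a list of problems; an empty list means the secret is well-formed."""
    problems: List[str] = []
    if not ACCESS_KEY_RE.match(secret.access_key):
        problems.append("accessKey must be a 20-character ID starting with AKIA")
    if len(secret.secret_key) != 40:
        problems.append("secretKey must be 40 characters")
    if secret.role_arn and not ROLE_ARN_RE.match(secret.role_arn):
        problems.append("roleArn is not an IAM role ARN")
    if secret.external_id and not secret.role_arn:
        problems.append("externalId has no effect without roleArn")
    return problems


def assume_role_params(secret: AwsSecret, session_name: str,
                       duration_seconds: int = 3600) -> Dict[str, Any]:
    """Parameters for sts:AssumeRole. ExternalId is sent only when configured;
    a trust policy carrying an sts:ExternalId condition rejects calls without it."""
    params: Dict[str, Any] = {
        "RoleArn": secret.role_arn,
        "RoleSessionName": session_name,
        "DurationSeconds": duration_seconds,
    }
    if secret.external_id:
        params["ExternalId"] = secret.external_id
    return params


def resolve_credentials(secret: AwsSecret, sts_client: Any,
                        session_name: str = "cpln-workload") -> Dict[str, str]:
    """Credentials to hand to the SDK. Without roleArn the long-lived keys are
    used directly; with roleArn the keys only serve to call AssumeRole and the
    workload runs on the temporary session credentials STS returns."""
    problems = validate(secret)
    if problems:
        raise ValueError("; ".join(problems))
    if not secret.role_arn:
        return {"aws_access_key_id": secret.access_key,
                "aws_secret_access_key": secret.secret_key}
    resp = sts_client.assume_role(**assume_role_params(secret, session_name))
    creds = resp["Credentials"]
    return {"aws_access_key_id": creds["AccessKeyId"],
            "aws_secret_access_key": creds["SecretAccessKey"],
            "aws_session_token": creds["SessionToken"]}


class FakeSts:
    """Constructed stand-in for an STS client (hypothetical, not boto3). It
    behaves like a role whose trust policy has an sts:ExternalId condition and
    hands back canned temporary credentials."""

    def __init__(self, required_external_id: Optional[str] = None) -> None:
        self.required_external_id = required_external_id
        self.calls: List[Dict[str, Any]] = []

    def assume_role(self, **params: Any) -> Dict[str, Any]:
        self.calls.append(params)
        if self.required_external_id and params.get("ExternalId") != self.required_external_id:
            raise PermissionError("AccessDenied: not authorized to perform sts:AssumeRole")
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLETEMPKEY00",
                                "SecretAccessKey": "x" * 40,
                                "SessionToken": "constructed-session-token"}}


# Constructed secrets using the page's placeholder credential values.
BASIC = AwsSecret("AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY")
CROSS_ACCOUNT = AwsSecret(BASIC.access_key, BASIC.secret_key,
                          "arn:aws:iam::123456789012:role/CrossAccountRole",
                          "my-external-id")

if __name__ == "__main__":
    print(resolve_credentials(BASIC, FakeSts()))
    print(resolve_credentials(CROSS_ACCOUNT, FakeSts("my-external-id")))
```

The point to notice is the shape of the result: with `roleArn` set, the long-lived key never reaches the application's S3 or DynamoDB calls, only the short-lived `ASIA...` session credentials do, and a caller that omits the configured `externalId` is refused by the trust policy before it receives any credentials.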

***

## Create an AWS Secret

<Tabs>
  <Tab title="Console UI">
    <Steps>
      <Step title="Navigate to Secrets">
        In the Console, navigate to **Secrets** and click **New**, or use the **Create** dropdown in the top-right corner and select **Secret**.
      </Step>

      <Step title="Enter basic information">
        Enter a **Name** and optional **Description**.
      </Step>

      <Step title="Select secret type">
        Select **AWS** as the secret type.
      </Step>

      <Step title="Configure credentials">
        Click **Data** in the left pane. Enter the **Access Key** and **Secret Key**. Optionally enter a **Role ARN** and **External ID** for role assumption.
      </Step>

      <Step title="Create the secret">
        Click **Create**.
      </Step>
    </Steps>
  </Tab>

  <Tab title="CLI">
    Basic credentials:

    ```bash theme={null}
    cpln secret create-aws \
      --name aws-s3-access \
      --access-key AKIAIOSFODNN7EXAMPLE \
      --secret-key wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY \
      --org my-org
    ```

    With role assumption:

    ```bash theme={null}
    cpln secret create-aws \
      --name aws-cross-account \
      --access-key AKIAIOSFODNN7EXAMPLE \
      --secret-key wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY \
      --role-arn arn:aws:iam::123456789012:role/CrossAccountRole \
      --external-id my-external-id \
      --org my-org
    ```
  </Tab>

  <Tab title="Terraform">
    ```hcl theme={null}
    resource "cpln_secret" "aws_s3" {
      name        = "aws-s3-access"
      description = "AWS credentials for S3 access"

      aws {
        access_key = "AKIAIOSFODNN7EXAMPLE"
        secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
      }
    }
    ```

    With role assumption:

    ```hcl theme={null}
    resource "cpln_secret" "aws_cross_account" {
      name        = "aws-cross-account"
      description = "AWS credentials with role assumption"

      aws {
        access_key  = "AKIAIOSFODNN7EXAMPLE"
        secret_key  = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
        role_arn    = "arn:aws:iam::123456789012:role/CrossAccountRole"
        external_id = "my-external-id"
      }
    }
    ```

    <Warning>
      This example uses hardcoded credentials for testing. In production, use Terraform variables or integrate with AWS Secrets Manager.
    </Warning>
  </Tab>

  <Tab title="Pulumi">
    <Tabs>
      <Tab title="TypeScript">
        ```typescript theme={null}
        import * as cpln from "@pulumiverse/cpln";

        const awsSecret = new cpln.Secret("aws-s3-access", {
          name: "aws-s3-access",
          description: "AWS credentials for S3 access",
          aws: {
            accessKey: "AKIAIOSFODNN7EXAMPLE",
            secretKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
            roleArn: "arn:aws:iam::123456789012:role/CrossAccountRole",
            externalId: "my-external-id",
          },
        });
        ```
      </Tab>

      <Tab title="Python">
        ```python theme={null}
        import pulumiverse_cpln as cpln

        aws_secret = cpln.Secret("aws-s3-access",
            name="aws-s3-access",
            description="AWS credentials for S3 access",
            aws={
                "access_key": "AKIAIOSFODNN7EXAMPLE",
                "secret_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                "role_arn": "arn:aws:iam::123456789012:role/CrossAccountRole",
                "external_id": "my-external-id",
            })
        ```
      </Tab>

      <Tab title="Go">
        ```go theme={null}
        package main

        import (
            "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
            "github.com/pulumiverse/pulumi-cpln/sdk/go/cpln"
        )

        func main() {
            pulumi.Run(func(ctx *pulumi.Context) error {
                _, err := cpln.NewSecret(ctx, "aws-s3-access", &cpln.SecretArgs{
                    Name:        pulumi.String("aws-s3-access"),
                    Description: pulumi.String("AWS credentials for S3 access"),
                    Aws: &cpln.SecretAwsArgs{
                        AccessKey:  pulumi.String("AKIAIOSFODNN7EXAMPLE"),
                        SecretKey:  pulumi.String("wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"),
                        RoleArn:    pulumi.String("arn:aws:iam::123456789012:role/CrossAccountRole"),
                        ExternalId: pulumi.String("my-external-id"),
                    },
                })
                return err
            })
        }
        ```
      </Tab>

      <Tab title="C#">
        ```csharp theme={null}
        using Pulumi;
        using Pulumiverse.Cpln;
        using Pulumiverse.Cpln.Inputs;

        return await Deployment.RunAsync(() =>
        {
            var awsSecret = new Secret("aws-s3-access", new SecretArgs
            {
                Name = "aws-s3-access",
                Description = "AWS credentials for S3 access",
                Aws = new SecretAwsArgs
                {
                    AccessKey = "AKIAIOSFODNN7EXAMPLE",
                    SecretKey = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                    RoleArn = "arn:aws:iam::123456789012:role/CrossAccountRole",
                    ExternalId = "my-external-id",
                },
            });
        });
        ```
      </Tab>
    </Tabs>
  </Tab>
</Tabs>

***

## Best Practices

<AccordionGroup>
  <Accordion title="Use least-privilege IAM policies">
    Create IAM users or roles with only the permissions your workload needs. Avoid using root credentials or overly permissive policies.
  </Accordion>

  <Accordion title="Rotate credentials regularly">
    Set up a rotation schedule for your AWS access keys. Control Plane makes it easy to update secrets without redeploying workloads.
  </Accordion>

  <Accordion title="Prefer role assumption">
    When accessing cross-account resources, use `roleArn` with temporary credentials instead of sharing long-lived access keys.
  </Accordion>
</AccordionGroup>

***

## Next Steps

<CardGroup cols={2}>
  <Card title="Using Secrets in Workloads" icon="cube" href="/guides/create-secret/overview#using-secrets-in-workloads">
    Learn how to grant access and inject secrets
  </Card>

  <Card title="AWS Cloud Account" icon="aws" href="/reference/cloudaccount#aws">
    Set up AWS cloud account integration
  </Card>
</CardGroup>
