Fivetran External Secret Management with AWS Secrets Manager Setup Guide
Follow our setup guide to connect your AWS Secrets Manager to Fivetran to use it as an External Secret Manager.
Prerequisites
To connect your AWS Secrets Manager to Fivetran, you need the following:
- An AWS account with permissions to manage IAM policies, roles, and Secrets Manager
- A Fivetran account with the Account Administrator role
Setup instructions
Follow the instructions for your deployment model. The SaaS Deployment steps come first, followed by the Hybrid Deployment steps.
Get the External ID from Fivetran
- In the Fivetran dashboard, go to Account Settings > General > External Secrets Managers.
- Click Create new secrets manager.
- Select SaaS Deployment and AWS Secrets Manager.
- Make a note of the pre-populated External ID value shown in the form. You will need it when creating the IAM role in AWS. Do not close this form.
Create an IAM policy in AWS
- Log in to the AWS console and go to IAM > Policies.
- Click Create policy.
- Select Secrets Manager as the service.
- Under Actions, select all List and Read permissions.
- Under Resources, select All. You can also choose Specific to restrict access to individual secrets. If you add more secrets later, you will need to update the policy.
- Click Next, enter a Policy name, and click Create policy.
Create an IAM role in AWS
- In the AWS console, go to IAM > Roles and click Create role.
- Select AWS account as the trusted entity type.
- Select Another AWS account and enter Fivetran's AWS account ID: 834469178297.
- Check Require External ID and enter the External ID you noted in Fivetran.
- Click Next.
- Search for the policy you created and select it. Click Next.
- Enter a Role name and click Create role.
- Click on the newly created role and make a note of the ARN. You will need it to configure Fivetran.
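The role created in these steps carries a trust policy that names Fivetran's AWS account and requires the External ID. As an added example (not Fivetran's or AWS's own code), the Python check below audits a trust policy document, as shown on the role's Trust relationships tab, for both settings; the function names, the sample policies and the placeholder External ID are constructed for illustration.

```python
FIVETRAN_ACCOUNT_ID = "834469178297"  # Fivetran's AWS account ID, from this guide

def _as_list(value):
    """IAM accepts a single value or a list in most positions."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    """Return the account ID from a bare ID or an IAM ARN."""
    parts = principal.split(":")
    return parts[4] if principal.startswith("arn:") and len(parts) > 4 else principal

def audit_trust_policy(policy, external_id, account_id=FIVETRAN_ACCOUNT_ID):
    """Return findings; an empty list means the policy matches the guide."""
    allows = [s for s in _as_list(policy.get("Statement"))
              if s.get("Effect") == "Allow"
              and "sts:AssumeRole" in _as_list(s.get("Action"))]
    if not allows:
        return ["no Allow statement for sts:AssumeRole"]
    findings = []
    for i, stmt in enumerate(allows):
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        if not aws:
            findings.append(f"statement {i}: no AWS principal")
        for p in aws:
            if _account_of(p) != account_id:
                findings.append(f"statement {i}: unexpected principal {p}")
        # The External ID condition is the guard against the confused-deputy problem.
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if _as_list(cond.get("sts:ExternalId")) != [external_id]:
            findings.append(f"statement {i}: sts:ExternalId condition missing or wrong")
    return findings

# Constructed samples; EXAMPLE_EXTERNAL_ID is a placeholder, not a real value.
GOOD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::834469178297:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE_EXTERNAL_ID"}},
}]}
NO_EXTERNAL_ID = {"Version": "2012-10-17", "Statement": [
    {k: v for k, v in GOOD["Statement"][0].items() if k != "Condition"}]}

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("NO_EXTERNAL_ID", NO_EXTERNAL_ID)):
        print(name, audit_trust_policy(doc, "EXAMPLE_EXTERNAL_ID") or "ok")
```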
Configure External Secret Manager in Fivetran
- Return to the External Secret Manager creation form in Fivetran.
- Enter the following:
  - Secret Manager Name: An internal name for this secrets manager in Fivetran.
  - Role ARN: The ARN of the IAM role you created.
- Click Add secrets manager.
The External ID field is pre-populated by Fivetran and is read-only.
For Hybrid Deployment, this guide assumes your HD agent is running on an AWS EC2 instance.
Create an IAM policy in AWS
- Log in to the AWS console and go to IAM > Policies.
- Click Create policy.
- Select Secrets Manager as the service.
- Under Actions, select all List and Read permissions.
- Under Resources, select All. You can also choose Specific to restrict access to individual secrets. If you add more secrets later, you will need to update the policy.
- Click Next, enter a Policy name, and click Create policy.
Create an IAM role in AWS
- In the AWS console, go to IAM > Roles and click Create role.
- Select AWS service as the trusted entity type.
- Select EC2 for Service or use case and make sure the use case is set to EC2. Click Next.
- Search for the policy you created and select it. Click Next.
- Enter a Role name and click Create role.
- Click on the newly created role and make a note of the ARN. You will need it to configure Fivetran.
Attach the IAM role to your HD agent
- In the AWS console, go to EC2 > Instances.
- Find and select the instance running your HD agent.
- Click Actions > Security > Modify IAM role.
- Select the role you created and click Update IAM role.
Configure External Secret Manager in Fivetran
- In the Fivetran dashboard, go to Account Settings > General > External Secrets Managers.
- Click Create new secrets manager.
- Select Hybrid Deployment and AWS Secrets Manager.
- Provide the following:
  - Secret Manager Name: An internal name for this secrets manager in Fivetran.
  - Role ARN: The ARN of the IAM role you created.
- Click Add secrets manager.
Creating secrets in AWS Secrets Manager
Once your External Secret Manager is configured, you can create secrets by going to Secrets Manager > Store a new secret in the AWS console.
Fivetran supports a basic key-value secret model only. JSON secrets (the AWS default) are not supported. When creating a secret, choose Other type of secret as the secret type, click Plaintext in the key/value pairs section, and enter your secret value without any quotation marks or JSON braces.
When setting up a connection or destination that uses ESM, enter the secret name (as shown in AWS Secrets Manager) in the corresponding ESM key field in Fivetran.