Integration Architecture (diagram): IAM User (AWS identity with access keys) → Delinea Secret Server (vault link) → AWS Secrets Manager (external vault)
Module Overview
Module 01: Create IAM User & Access Keys. Set up the AWS identity that Secret Server will use to authenticate.
Module 02: Create Secret in Secret Server. Store the AWS IAM credentials inside Delinea Secret Server.
Module 03: Create AWS Vault Link. Connect Secret Server to the AWS Secrets Manager external vault.
Module 04: Create IAM Group. Organize IAM permissions by creating a dedicated user group.
Module 05: Configure Custom Policies. Fine-tune IAM permissions for precise secrets access control.
Module 06: Sync from Delinea. Push, pull, and sync secrets between Delinea and AWS.
Before you begin
Ensure you have administrator access to both your AWS account (IAM Dashboard) and Delinea Secret Server. All steps must be completed in sequence.
Module 01: Create IAM User & Access Keys
Step 1: Navigate to IAM Dashboard & Users
AWS Console → IAM → Users
Log in to the AWS Management Console and navigate to the IAM Dashboard.
In the left menu under Access management, click Users. The Users page appears.
Click the Create User button. The Specify User Details page of the Create User wizard appears.
Type a descriptive User Name in the text box (e.g., delinea-secrets-sync).
Click the Next button to proceed to the Set Permissions page.
Step 2: Assign User to a Group
Set Permissions → Group Assignment
On the Set Permissions page, click an existing group or click Create Group to create a new one. (See Module 04 for group creation details.)
Click the checkbox next to the group you want to add this user to.
Click Next. The Review and Create page appears.
Verify all user details are correct, then click the Create User button. The new user now appears in the Users table.
Step 3: Generate Access Keys
User Detail Page → Security Credentials
Click on the new user name in the table to open the user's detail page.
In the Summary section on the right, click the Create Access Key link. The Create Access Key page appears.
Click to select the Third-Party Service use case button.
Click Next. On the Set Description Tag page, type Secret Server External Vault Integration in the Description Tag Value text box.
Click Create Access Key. The Retrieve Access Keys page appears.
Record Your Credentials Now
AWS will only show your Secret Access Key once. Copy and securely store both the Access Key ID and Secret Access Key; you'll need them in Module 02.
VALUES TO RECORD
Access Key ID: AKIA__________________
Secret Access Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Username: delinea-secrets-sync
Knowledge Check
When creating access keys for a third-party integration, which use case should you select?
✓ Correct! "Third-Party Service" is the right use case for Delinea Secret Server connecting to AWS.
✗ Not quite. Select Third-Party Service since Delinea Secret Server is an external application integrating with AWS.
Module 02: Create Secret in Secret Server
Step 1: Navigate to All Secrets & Create New
Secret Server → All Secrets → Create Secret
Log into Delinea Secret Server and navigate to the All Secrets page.
Click the Create Secret button.
In the Choose a Secret Template dropdown, select Amazon IAM Key.
Click the Create Secret button. The Create New Secrets (details) page appears.
Step 2: Fill in Credential Details
Enter the AWS credentials recorded in Module 01
Fill in the required fields (marked with asterisks):
Username: Enter the IAM username created in Module 01.
Access Key: Paste the Access Key ID copied in Module 01.
Secret Access Key: Paste the Secret Access Key copied in Module 01.
Enter any descriptive name in the Secret Name text box (e.g., AWS-SecretsManager-Integration).
Click the Create Secret button. The new secret appears in the All Secrets list.
Secret Template
The Amazon IAM Key template is pre-configured with the correct fields for AWS integration. Always use this template when storing IAM credentials.
Knowledge Check
Which Secret Server template should you use when storing AWS IAM credentials?
✓ Correct! The Amazon IAM Key template is purpose-built for storing AWS access keys.
✗ Incorrect. Use the Amazon IAM Key template; it has the correct pre-defined fields for username, access key, and secret access key.
Module 03: Create AWS Vault Link
Step 1: Open External Secrets & Create Link
Secret Server → External Secrets → Create
From the secrets menu, click External Secrets.
Click the Enabled checkbox if you want to push changes to the vault; leave it unchecked if you only want to pull.
Click the Create button. The Create External Vault Link page appears.
In the Type dropdown, select AWS Secret Manager.
Click the link for the secret you created in Module 02 to associate it with this vault connection.
Step 2: Configure Vault Input Type
Automatic List vs Manual Entry
Automatic List
AWS automatically presents all available vaults. Input Type is set to Automatic List. Once connected, a green Connected indicator appears. Check the boxes for the desired vaults.
Manual Entry
Set Input Type to Manual Entry. Enter the exact vault Name (must match AWS exactly), enter a Display Name, select the region, then click Save.
Manual Entry Precision
When using Manual Entry, the vault Name field must exactly match the name of the key vault in AWS, including capitalization and any special characters.
Knowledge Check
In the Create External Vault Link page, what indicates a successful AWS connection in Automatic List mode?
✓ Correct! A green Connected indicator appears at the top once the AWS key vault account successfully connects.
✗ Incorrect. Look for a green Connected indicator at the top of the page after the AWS account successfully connects.
Module 04: Create IAM Group
Step 1: Create User Group in IAM
IAM → User Groups → Create Group
Return to the IAM Dashboard.
Under Access Management in the left menu, click User Groups. The User Groups page appears.
Click the Create Group button. The Name the Group page appears.
Type a descriptive name in the User Group Name text box (e.g., delinea-secrets-group).
Add the credential secret if needed.
Step 2: Attach Permissions Policies
Attach SecretsManagerReadWrite or custom policy
In the Attach Permissions Policies table, locate and select the SecretsManagerReadWrite policy. This default policy should suffice for most integrations.
If more granular control is needed, search for and add additional policies. See Module 05 for creating custom policies.
Click the Create User Group button to finalize.
Principle of Least Privilege
For production environments, consider using a custom policy (Module 05) rather than the broad SecretsManagerReadWrite policy, to limit access to only the required actions.
Module 05: Configure Custom Policies
Step 1: Navigate to Policies & Create New
IAM → Policies → Create Policy
From the IAM Dashboard, click Policies in the left menu under Access management.
Click Create Policy. The Specify Permissions page appears.
Click the Filter by Type dropdown and select Secrets Manager.
Select Actions Allowed to view the Access Levels section.
Step 2: Select Required Permissions
Choose the minimum required actions for the integration

| Access Level | Required Actions | Type |
|---|---|---|
| List | ListSecrets | LIST |
| Read | DescribeSecret, GetSecretValue, ListSecretVersionIds | READ |
| Write | CreateSecret, PutSecretValue, UpdateSecretVersionStage | WRITE |
Step 3: Configure Resources & Finalize Policy
Set resource scope and create the policy
Expand the Resources section.
Click the All selection button to allow management of all secrets in AWS. For a more restricted scope, select Specific and define the exact secrets.
Click Next. The Review and Create page appears.
Complete the remaining policy details (name, description).
Click Create Policy to finalize.
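As an added example that is not part of the training guide, the following Python builds the least-privilege policy document from the action table above (the JSON you would paste into the policy editor's JSON tab instead of clicking through the visual editor) and audits an existing policy document for actions or resource scopes beyond that minimum. The account ID, region, and "delinea/" name prefix in the ARN are constructed placeholders.

```python
import json

# Minimum actions from the Module 05 table, grouped by access level.
REQUIRED_ACTIONS = {
    "List": ["secretsmanager:ListSecrets"],
    "Read": ["secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue",
             "secretsmanager:ListSecretVersionIds"],
    "Write": ["secretsmanager:CreateSecret", "secretsmanager:PutSecretValue",
              "secretsmanager:UpdateSecretVersionStage"],
}
# Constructed placeholder ARN (assumption): restrict to a 'delinea/' name prefix.
SCOPED_RESOURCE = "arn:aws:secretsmanager:us-east-1:123456789012:secret:delinea/*"


def build_policy(resource=SCOPED_RESOURCE):
    """Policy equivalent to choosing 'Specific' resources in Module 05 step 3.
    ListSecrets only accepts Resource '*' in IAM, so it gets its own statement."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListSecrets", "Effect": "Allow",
             "Action": REQUIRED_ACTIONS["List"], "Resource": "*"},
            {"Sid": "ReadWriteScoped", "Effect": "Allow",
             "Action": REQUIRED_ACTIONS["Read"] + REQUIRED_ACTIONS["Write"],
             "Resource": resource},
        ],
    }


def policy_json():
    """JSON text for the IAM policy editor's JSON tab."""
    return json.dumps(build_policy(), indent=2)


def audit_policy(policy):
    """Return review findings: wildcard actions, actions outside the Module 05
    set, and non-List statements that still allow every resource."""
    required = {a for acts in REQUIRED_ACTIONS.values() for a in acts}
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        for a in actions:
            if "*" in a:
                findings.append(f"{stmt.get('Sid', '?')}: wildcard action {a}")
            elif a not in required:
                findings.append(f"{stmt.get('Sid', '?')}: {a} not in required set")
        if stmt.get("Resource") == "*" and any(a != "secretsmanager:ListSecrets" for a in actions):
            findings.append(f"{stmt.get('Sid', '?')}: allows all resources")
    return findings
```

Running audit_policy over a policy equivalent to the managed SecretsManagerReadWrite policy shows why Module 04 recommends the custom policy for production: the audit reports both wildcard actions and an unrestricted resource scope.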
Knowledge Check
Which three actions fall under the "Read" access level for the custom Secrets Manager policy?
✓ Correct! The Read actions are DescribeSecret, GetSecretValue, and ListSecretVersionIds.
✗ Incorrect. The three Read actions are DescribeSecret, GetSecretValue, and ListSecretVersionIds.
Module 06: Sync from Delinea
Step 1: Navigate to External Vaults
Secret Server → External Secrets → External Vaults
Log in to Secret Server.
Click on External Secrets in the navigation menu.
Select External Vaults. Your configured AWS vaults will appear in the list.
Step 2: Perform Sync Operations
Hover over a vault to reveal the sync options
Pull: Retrieve secrets from AWS into Secret Server
Push: Send secrets from Secret Server to AWS
Sync: Bidirectional synchronization of all secrets
Hover over each vault in the list to reveal the Pull, Push, or Sync action buttons.
Click the desired sync operation. The synchronization will begin immediately.
Click on the vault name to view the synced secrets under the External Secrets section and verify the sync completed successfully.
Final Knowledge Check
How do you access the Pull, Push, or Sync options for an external vault in Delinea Secret Server?
✓ Correct! Hovering over each vault reveals the pull, push, and sync options inline.
✗ Incorrect. Hover over each vault in the External Vaults list; the sync options appear on hover.
Training Complete!
You've successfully completed the AWS Secrets Manager × Delinea integration training guide. You're now equipped to configure and manage external secrets at scale.
Training Summary
Topics Covered
IAM Users & Access Keys
Secret Server Secrets
External Vault Links
IAM Groups
Custom IAM Policies
Secret Sync Operations