× AWS Secrets
Manager
A comprehensive technical guide for hybrid organizations synchronizing External Secrets between Delinea Secret Server and AWS Secrets Manager. Covers External Vault connector setup, secret template mapping, bidirectional sync rules, conflict resolution, and the shared security model for cross-platform privileged credential delivery.
External Vault Integration with AWS Secrets Manager
In this integration model, AWS Secrets Manager functions as an External Vault — a cloud-native credential store that receives and optionally originates External Secrets synchronized from Secret Server. Secret Server remains the authoritative System of Record for all privileged access governance: policy enforcement, rotation scheduling, dependency tracking, check-out workflows, and compliance audit history.
The AWS Secrets Manager Sync Connector (ASM Sync) bridges these two systems. It handles field-level translation between Secret Server's structured template model and AWS Secrets Manager's JSON key-value format, maintains sync version state using secret tags, enforces conflict resolution policies, and produces correlated audit events across both platforms.
System of Record
RPC · Policy · Audit
STS AssumeRole
IAM Token
Template Mapper
Conflict Engine
Secrets Manager
Resource Policy
External Secrets
Native AWS Delivery
External Vault refers to AWS Secrets Manager as registered under Secret Server's Admin → External Vault Connectors panel. An External Secret is any individual secret whose live value is stored in or synchronized with that External Vault — Secret Server retains the authoritative policy record, while the External Vault holds a governed replica for cloud workload consumption.
Prerequisites
All prerequisites must be confirmed across both platforms before activating the External Vault connector. Unvalidated prerequisites account for the majority of failed initial External Secret syncs.
- Secret Server 11.4+ with Professional or Platinum license
- AWS Secrets Manager Sync Connector add-on installed (ASM Sync v4.1+)
- Distributed Engine deployed and assigned to the AWS-accessible engine pool
- Service account holds
Administer External Vault Connectorsrole permission - Audit logging enabled for all External Secret access and sync events
- TLS certificate installed on Distributed Engine nodes (trusted CA, not self-signed)
- AWS Secrets Manager enabled in target region(s)
- IAM role
SecretServer-ExternalVault-Rolecreated with least-privilege permissions - Trust policy on IAM role allows
sts:AssumeRolefrom the engine's instance profile or static identity - Secrets Manager resource policy scoped to
arn:aws:secretsmanager:*:*:secret:ss-ext/*prefix - AWS KMS Customer Managed Key (CMK) created for External Secret envelope encryption
- CloudTrail enabled with S3 delivery and object-lock for tamper-evident audit logs
- Service Quota increase requested if External Secret count exceeds regional defaults
- Outbound HTTPS/443 from Distributed Engine to
secretsmanager.<region>.amazonaws.com - Outbound HTTPS/443 to
sts.amazonaws.comforAssumeRoletoken acquisition - Outbound HTTPS/443 to
kms.<region>.amazonaws.comfor envelope key operations - VPC Endpoint for Secrets Manager deployed (recommended — removes public internet traversal)
- If using VPC Endpoint: private DNS enabled, Route 53 resolver rules configured
- Security Group on engine allows outbound 443 to AWS service CIDR ranges for region
Configuring the AWS Secrets Manager External Vault Connector
External Vault connector setup follows three phases: IAM identity and trust relationship creation in AWS, permissions policy attachment scoped to External Secret resources, then registration and activation inside Secret Server's External Vault Connectors panel.
Phase 1 — IAM Role & Trust Policy
Create the IAM role that the connector will assume via STS. The trust policy must include a mandatory ExternalId condition — this prevents confused deputy attacks from other AWS accounts.
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT_ID:role/SS-DistributedEngine-Profile"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "SS_EXT_VAULT_TOKEN_SET_IN_UI" // generated in SS connector UI
}
}
}]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ExternalSecretsCRUD",
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue",
"secretsmanager:PutSecretValue",
"secretsmanager:CreateSecret",
"secretsmanager:UpdateSecret",
"secretsmanager:DescribeSecret",
"secretsmanager:ListSecrets",
"secretsmanager:TagResource",
"secretsmanager:RestoreSecret" // for conflict recovery
],
"Resource": "arn:aws:secretsmanager:REGION:ACCOUNT:secret:ss-ext/*"
},
{
"Sid": "EnvelopeEncryption",
"Effect": "Allow",
"Action": [
"kms:GenerateDataKey",
"kms:Decrypt",
"kms:DescribeKey"
],
"Resource": "arn:aws:kms:REGION:ACCOUNT:key/CMK_KEY_ID"
}
]
}
Phase 2 — External Vault Registration in Secret Server
Admin → Configuration → External Vault Connectors → Add New. Select AWS Secrets Manager from the connector type dropdown. Enter a descriptive name such as asm-prod-us-east-1 to identify the External Vault instance.SecretServer-ExternalVault-Role. Copy the auto-generated External ID token from the UI and paste it into your IAM trust policy's ExternalId condition. For EC2-hosted Distributed Engines, select Use Instance Profile — leave the Access Key fields empty to avoid static credential sprawl.ss-ext/<prefix>/<ss-id>. Enable Auto-Tag External Secrets so sync metadata tags are injected on every write.ListSecretsRequest.nextToken pagination — this dramatically reduces API quota consumption for large External Vault inventories.AssumeRole, KMS DescribeKey, and Secrets Manager ListSecrets. All three must pass. Click Activate — the connector enters Initial External Secret Sync state and begins processing all in-scope templates.If the Distributed Engine runs on EC2, ECS Fargate, or Lambda, always use the instance/task/execution role profile instead of static IAM access keys. Static credentials stored in the External Vault connector configuration represent a critical credential sprawl risk — you would be using Secret Server to store the credential that accesses your External Vault.
Mapping Secret Templates to External Secret Types
Secret Server organizes credentials in typed Secret Templates with named fields and field-level metadata. AWS Secrets Manager stores External Secrets as flat JSON key-value documents (or plaintext strings). The External Vault Template Mapper serializes SS template fields into structured JSON for ASM writes and deserializes them on pull operations — handling type coercion, field aliasing, and sensitive field classification.
Built-In External Secret Template Mappings
username, password, domainusername, password, private_keyengine, host, port, username, passwordaws_access_key_id, aws_secret_access_keyurl, username, passwordengine, host, port, dbname, username, passwordTemplates marked → PUSH are push-only because Secret Server maintains canonical metadata — rotation history, expiry timestamps, dependency graphs — with no equivalent representation in AWS Secrets Manager. AWS IAM Access Key secrets are push-only for an additional reason: SS's RPC is the authoritative rotation engine and AWS Secrets Manager should never originate a new key pair.
Custom External Vault Template Map Definition
# External Vault Template Map registered under Admin → External Vault → Template Maps external_vault_template_maps: - ss_template: "Oracle Service Account" external_vault_connector: "asm-prod-us-east-1" external_secret_prefix: "oracle" # → ss-ext/oracle/{ss-id} sync_direction: bidirectional secret_string_format: json # json | plaintext kms_key_override: "arn:aws:kms:us-east-1:123:key/oracle-cmk" field_map: - ss_field: "Username" asm_key: "username" sensitive: false - ss_field: "Password" asm_key: "password" sensitive: true # SS wins on conflict - ss_field: "Server" asm_key: "host" sensitive: false # ASM wins on conflict - ss_field: "Port" asm_key: "port" type_coerce: string # ASM stores all values as strings - ss_field: "Database" asm_key: "dbname" sensitive: false external_secret_tags: ss-managed: "true" # mandatory pull filter tag ss-template: "oracle-svc-account" environment: "production" data-classification: "confidential"
Use the ss-ext/<template-type>/<ss-secret-id> path pattern for all External Secrets. This enables IAM resource-based policies scoped to ss-ext/* and lets AWS teams navigate secrets without needing Secret Server access. Secrets Manager supports a 512-character name limit — avoid encoding full folder paths in the name; use the ss-folder-path tag instead.
Bidirectional External Secret Synchronization Rules
The External Vault sync engine applies a deterministic, version-vector–based rule set governing when, what, and in which direction External Secrets are synchronized. Understanding these rules is essential for predicting system behavior under concurrent modification or network failure scenarios.
External Secrets are pushed from Secret Server to AWS Secrets Manager when:
- A secret is created or any mapped field is modified in Secret Server (event-driven webhook)
- A Remote Password Change (RPC) rotation completes and is committed locally in SS
- A secret is moved into a folder governed by an External Vault sync scope rule
- A scheduled full-sync interval fires and the SS version counter is ahead of the stored
ss-sync-versiontag in ASM - An operator triggers a manual push from
Admin → External Vault → Force Push All
Only fields declared in the External Vault Template Map are pushed. Unmapped fields — notes, custom metadata, check-out history, dependency lists — are never written to the External Vault. Sync state tags (ss-managed, ss-sync-version, ss-last-synced) are always refreshed on every push cycle, even if field values are unchanged.
External Secrets are pulled from AWS Secrets Manager into Secret Server when:
- An Amazon EventBridge rule delivers a
SecretVersionCreatedevent to the connector webhook (near real-time pull) - The delta sync poll detects an External Secret whose ASM
LastChangedDateis newer thanss-last-syncedtag - An operator triggers a manual pull from
Admin → External Vault → Import External Secrets
The pull engine only imports External Secrets tagged ss-managed: true. Any Secrets Manager secret without this tag is completely invisible to the pull engine — preventing accidental import of unrelated AWS application secrets into Secret Server. This tag is always injected automatically on push; never manually remove it from a managed External Secret.
The connector tracks External Secret version state using ASM's native version IDs combined with SS-managed tags injected on every push:
# AWS Secrets Manager tags on every External Secret managed by SS ss-managed: "true" # pull filter gate ss-secret-id: "7841" # SS internal ID ss-template: "oracle-svc-account" ss-folder-path: "Production/Databases/Oracle" ss-sync-version: "127" # SS version counter; conflict detection key ss-last-synced: "2026-04-02T16:44:00Z" ss-connector-id: "asm-prod-us-east-1" ss-correlation-id: "a3f9c2d1-sync" # cross-platform audit correlation
On each pull cycle, the connector compares the External Secret's current ASM version ID against the last-known version stored in SS's sync state database. If ASM's version is newer and the ss-sync-version tag matches SS's current version, it's a clean pull. If both have diverged, conflict detection logic engages before any write.
# /etc/ss-engine/asm-ext-vault-throttle.ini [aws_secrets_manager] max_requests_per_second = 50 # ASM default service quota (request/s per region) burst_capacity = 150 # token bucket burst size retry_policy = "exponential_jitter" retry_max_attempts = 5 retry_base_delay_ms = 1000 retry_max_delay_ms = 30000 [sync_batching] external_secrets_per_batch = 20 batch_interval_ms = 500 parallel_template_workers = 4 # concurrent External Vault template map workers list_secrets_page_size = 100 # ASM ListSecrets max per page delta_sync_enabled = true [kms] data_key_cache_ttl_secs = 300 # reuse envelope DEK per External Secret for 5 min max_decrypt_per_second = 5000 # KMS CryptographicOperations default quota
Handling External Secret Sync Conflicts
A sync conflict arises when an External Secret is modified in both Secret Server and AWS Secrets Manager between polling cycles. The connector detects conflicts by comparing the ASM secret's ss-sync-version tag value against Secret Server's current internal version counter before any write is committed. Click each scenario to expand the resolution strategy.
Scenario: Secret Server's RPC engine rotates a database password and pushes the new External Secret value to ASM. Simultaneously, an AWS Lambda function using Secrets Manager's native rotation feature independently rotates the same secret between sync cycles.
Detection: Connector finds ss-sync-version tag on the ASM External Secret does not match the last successful sync version AND Secret Server's internal version counter has also incremented — a true write-write conflict on sensitive fields.
Default Resolution (SecretServerWins): The SS-rotated credential is pushed to ASM as the current value. The ASM-originated rotation is preserved as a prior version in Secrets Manager's automatic version history (AWSPREVIOUS stage) and tagged ss-conflict-archived: true for audit. A SYNC_CONFLICT_ROTATION event is emitted to CloudWatch and SS audit log.
Any AWS workload that retrieved the ASM-rotated External Secret during the conflict window may hold a stale credential until its application-layer cache expires. Mandate a maximum 60-second cache TTL on all consumers of External Secrets managed by this connector. Use Secrets Manager's built-in rotation notification via EventBridge to trigger immediate cache invalidation where possible.
Scenario: An infrastructure team updates the host field in the ASM External Secret (database server migrated to new host) while Secret Server's RPC rotates the password field. Both modifications are valid and touch different fields.
Detection: Field-level diff reveals non-overlapping change sets — no single mapped field was modified by both systems simultaneously.
Resolution (Smart Merge): Fields classified sensitive: true in the template map (passwords, private keys, tokens, API keys) are owned by Secret Server. Fields classified sensitive: false (host, port, database name, URL) can be updated by ASM. The merged External Secret is written to both systems atomically. A SYNC_MERGE_SUCCESS event is logged.
conflict_resolution: default_authority: secret_server merge_enabled: true sensitive_field_winner: secret_server # password, private_key, token infra_field_winner: aws_secrets_manager # host, port, dbname, url on_overlapping_sensitive: secret_server_wins on_unresolvable: quarantine_and_alert alert_target: "cloudwatch-alarm:ext-vault-conflict"
Scenario: An ASM External Secret is deleted (by a resource cleanup script, Terraform destroy, or operator error) while its corresponding SS secret remains active.
Detection: Connector receives a ResourceNotFoundException (404) from ASM on the next sync cycle, or detects the secret in ASM's Deleted Secrets list (if still within the 7–30 day recovery window).
Resolution: Secret Server's existence is authoritative. If the secret is within the soft-delete recovery window, the connector calls RestoreSecret via the ASM API, then overwrites the recovered External Secret with the current SS value. If the recovery window has expired, the connector creates a new External Secret with the same path prefix and current SS value. In both cases, a SYNC_CONFLICT_RESTORED alert is sent to the External Vault admin queue and CloudWatch.
Scenario: A service account is decommissioned and its secret deleted from Secret Server. The corresponding External Secret remains in AWS Secrets Manager and may still be actively referenced by Lambda functions or ECS tasks.
Resolution: The connector does not automatically delete the External Secret from ASM. Instead, it tags the ASM secret with ss-decommissioned: true and ss-deleted-at: <ISO8601>, and transitions it to a configurable quarantine prefix (e.g., ss-ext/decommissioned/). Operators must explicitly confirm deletion through Admin → External Vault → Decommissioned Secrets. This staged decommission protects against data loss from accidental SS deletions or drift between application teams.
Scenario: AWS teams apply additional tags to External Secrets in ASM (e.g., cost-center, data-classification, team-owner) for AWS Cost Explorer or compliance purposes. These tags were not present at sync time.
Resolution: The connector uses a tag namespace ownership model. All tags prefixed with ss- are owned and managed exclusively by Secret Server — the connector will overwrite these on every sync cycle. All other tags are AWS-owned and are preserved unchanged during sync operations. This enables parallel tag governance: Secret Server controls lifecycle metadata, AWS teams control resource classification tags.
Security Model for External Secret Sharing
The External Vault integration's security model ensures that External Secret values never traverse the network unencrypted, access is governed by least-privilege identities on both platforms, and every sync operation generates tamper-evident, correlated audit records across both systems of record.
kms:GenerateDataKey. The DEK is wrapped by the CMK and stored alongside the ciphertext — neither the connector nor Secret Server ever holds a plaintext DEK at rest. KMS key usage is logged to CloudTrail for every External Secret access event.AssumeRole with a mandatory ExternalId condition. Temporary session credentials have a maximum 1-hour TTL and are never persisted. The IAM role follows least-privilege, scoped to the ss-ext/* External Secret name prefix. No IAM user access keys are used — eliminating the risk of long-lived static credential exposure.ss-correlation-id UUID is injected into the ASM API request's User-Agent header and stored as a tag on the External Secret, enabling cross-platform incident correlation queries across both audit systems without manual matching.Shared Responsibility Matrix
┌──────────────────────────────────┬─────────────────────┬────────────────────────┐ │ Responsibility Domain │ Secret Server │ AWS Secrets Manager │ ├──────────────────────────────────┼──────────────────────┼────────────────────────┤ │ Credential lifecycle (RPC) │ ✓ Owner │ Governed replica │ │ Access policy & check-out │ ✓ Owner │ IAM complement │ │ Native AWS service delivery │ Via External Secret │ ✓ Owner │ │ KMS envelope key custody │ AES-256 at-rest SS │ ✓ Owner (FIPS CMK) │ │ Rotation scheduling (RPC) │ ✓ Owner │ Triggered by push │ │ Conflict resolution authority │ ✓ Configurable │ Field-level override │ │ PAM audit trail │ ✓ Owner │ Correlated via tag │ │ API audit trail (CloudTrail) │ Correlated via ID │ ✓ Owner │ └──────────────────────────────────┴──────────────────────┴────────────────────────┘
Knowledge Check
Five questions covering core integration concepts. Complete all questions before the deployment checklist.
In this integration, what is the correct term for AWS Secrets Manager as configured in Secret Server's connector panel?
Which tag on an AWS Secrets Manager External Secret is mandatory for the connector's pull engine to include it in synchronization?
ss-sync-enabled: truess-secret-id: <id>ss-managed: trueexternal-vault-managed: truess-managed: true are visible to the pull engine. This sentinel tag is automatically injected on every push and prevents accidental import of unmanaged AWS application secrets into Secret Server.When configuring the External Vault connector on an EC2-hosted Distributed Engine, why should you select "Use Instance Profile" instead of providing IAM Access Keys?
A field-level conflict is detected: ASM updated the host field (server migration); Secret Server rotated the password. Both are valid, non-overlapping changes. What happens?
host change is discardedpassword (sensitive: true); ASM wins host (sensitive: false) — merged value written to both systemssensitive: true fields (passwords, keys, tokens); ASM can own sensitive: false infrastructure fields (host, port, database). The merged External Secret is atomically written to both systems and a SYNC_MERGE_SUCCESS event is logged.An External Secret in ASM is accidentally deleted by a Terraform destroy. The corresponding secret is still active in Secret Server and within the 30-day ASM recovery window. What does the connector do?
RestoreSecret to recover the deleted External Secret, then overwrites it with the current SS value; emits a SYNC_CONFLICT_RESTORED alertRestoreSecret API (available within the recovery window), syncs the current SS value onto it, and sends a conflict alert to the External Vault admin queue and CloudWatch for operator awareness.Deployment Checklist
Complete every item before promoting the External Vault connector to production. Completion is tracked for this session.
AWS Infrastructure Hardening
- IAM trust policy has
sts:ExternalIdcondition set and matches SS connector UI token - IAM permissions policy scoped exclusively to
ss-ext/*resource prefix - CMK key policy restricts
kms:Decryptandkms:GenerateDataKeyto the External Vault connector role only - VPC Endpoint deployed for Secrets Manager; public ASM endpoint disabled via resource policy
- Secrets Manager resource policy on
ss-ext/*denies all principals except External Vault connector role - CloudTrail enabled with S3 object lock for immutable External Secret access audit logs
- EventBridge rule configured to deliver
SecretVersionCreatedevents to connector webhook (near-RT pull) - Service quota increase confirmed for Secrets Manager API requests/second if > 40 External Secrets
Secret Server Configuration
- External Vault connector connection test passes all three probe checks (STS, KMS, ASM list)
- External Vault Template Maps validated for all in-scope templates in non-production environment
- External Secret prefix naming convention documented and applied consistently
- Pull filter verified:
ss-managed: truetag confirmed on test External Secrets post-push - Conflict resolution policy set (SecretServerWins) and approved by security team
- Distributed Engine pool assigned to the External Vault connector with AWS network access confirmed
Operational Readiness
- Runbook authored for manual conflict resolution and External Vault quarantine queue management
- CloudWatch alarms configured: sync failures, conflict events, KMS quota throttling, STS token errors
- Consumer application teams briefed: max External Secret cache TTL ≤ 60 seconds
- Cross-platform audit correlation query validated (CloudTrail + SS audit log via
ss-correlation-id) - Rollback procedure documented: disable connector, restore prior ASM version, repoint consumers
- External Vault connector health dashboard published to Security Operations team