AWS Secrets Manager is a fully managed secrets store that enables you to rotate, manage, and retrieve credentials, API keys, and other secrets throughout their lifecycle. By connecting Prizm to AWS Secrets Manager, connector credentials are fetched dynamically at runtime — no plaintext secrets are stored in Prizm, and secret rotation is handled automatically by AWS.
[Figure: AWS Secrets Manager integration configuration screen in Prizm]

Prerequisites

  • AWS account with Secrets Manager enabled in your target region
  • Secrets created in AWS Secrets Manager containing your connector credentials
  • An IAM role or user with the secretsmanager:GetSecretValue permission on the relevant secrets
  • Prizm version 2.0 or later

Authentication Methods

| Method | When to Use |
|---|---|
| IAM Role (Instance Profile) | Prizm running on AWS (EC2, ECS, EKS). No static credentials — AWS assigns the role to the instance automatically. Recommended for AWS deployments. |
| IAM Access Keys | Prizm running outside AWS. Provide an Access Key ID and Secret Access Key for an IAM user with Secrets Manager read permissions. |

Connect Prizm to AWS Secrets Manager

  1. In Prizm, go to Settings → Integrations and click Add Integration.
  2. Select AWS Secrets Manager from the vault integrations list.
  3. Fill in the connection fields:

| Field | Description |
|---|---|
| AWS Region | The AWS region where your secrets are stored (e.g., us-east-1) |
| Authentication Method | IAM Role or Access Keys |
| Access Key ID | IAM user Access Key ID (Access Keys auth only) |
| Secret Access Key | IAM user Secret Access Key (Access Keys auth only) |
| KMS Key ARN | Optional. If your secrets are encrypted with a customer-managed KMS key, provide the key ARN. |

  4. Click Test Connection to verify Prizm can retrieve secrets.
  5. Click Save.

Using Secrets Manager Secrets in Connectors

Once connected, reference AWS Secrets Manager secrets in any Prizm connector credential field using the format:
vault://aws/<secret-name>#<json-key>
AWS Secrets Manager stores secrets as JSON objects. Use the #<json-key> suffix to extract a specific field. Examples:

| Connector Field | Secrets Manager Reference |
|---|---|
| Snowflake password | vault://aws/prizm/snowflake#password |
| Redshift password | vault://aws/prizm/redshift#password |
| API key | vault://aws/prizm/jira#api_token |

Secret names in AWS Secrets Manager are case-sensitive. Ensure the name in your vault reference matches exactly, including any path prefixes (e.g., prizm/snowflake vs prizm-snowflake).
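
A pre-flight check for references in the format above, useful before pasting them into connector fields. This is an added example, not Prizm's own resolver: the function names and sample store are hypothetical, and treating the JSON key as case-sensitive is an assumption. It reports problems without ever returning the secret value.

```python
import json

PREFIX = "vault://aws/"

def parse_ref(ref):
    """Split vault://aws/<secret-name>#<json-key> into (secret_name, json_key)."""
    if not ref.startswith(PREFIX):
        raise ValueError("reference must start with vault://aws/")
    name, _, key = ref[len(PREFIX):].partition("#")
    if not name or not key:
        raise ValueError("reference needs both <secret-name> and #<json-key>")
    return name, key

def check_ref(ref, fetch):
    """Return a problem description, or None if the reference resolves.
    `fetch(name)` returns the secret string or raises KeyError if absent."""
    try:
        name, key = parse_ref(ref)
    except ValueError as exc:
        return str(exc)
    try:
        raw = fetch(name)  # exact-match lookup: names are case-sensitive
    except KeyError:
        return f"secret {name!r} not found (names are case-sensitive)"
    try:
        doc = json.loads(raw)
    except ValueError:
        doc = None
    if not isinstance(doc, dict):
        return f"secret {name!r} is not a JSON object"
    if key not in doc:  # assumption: JSON keys are matched case-sensitively
        return f"secret {name!r} has no JSON key {key!r}"
    return None  # the value itself is deliberately never returned or printed

def boto3_fetch(region):
    """Fetcher backed by the real API; needs boto3 and GetSecretValue access."""
    import boto3
    client = boto3.client("secretsmanager", region_name=region)
    def fetch(name):
        try:
            return client.get_secret_value(SecretId=name).get("SecretString", "")
        except client.exceptions.ResourceNotFoundException:
            raise KeyError(name) from None
    return fetch

# Constructed sample store standing in for Secrets Manager; values are fake.
SAMPLE = {"prizm/snowflake": '{"username": "svc_prizm", "password": "example-only"}',
          "prizm/jira": "plain-token-not-json"}
sample_fetch = SAMPLE.__getitem__
```

Against a real account, pass `boto3_fetch("us-east-1")` in place of `sample_fetch`, running under the same IAM identity Prizm uses so that permission gaps surface as well.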

Automatic Secret Rotation

AWS Secrets Manager supports automatic rotation via Lambda rotation functions. When a secret is rotated:
  • AWS updates the secret value in Secrets Manager.
  • Prizm fetches the new value on the next connector job run — no configuration changes required.
Enable automatic rotation for database credentials in AWS Secrets Manager. Prizm supports the standard AWS rotation schedule and will always use the current secret version.

What’s Next

HashiCorp Vault Integration

Use HashiCorp Vault as an alternative secrets backend for Prizm.

Azure Key Vault Integration

Use Azure Key Vault as an alternative secrets backend for Prizm.