The AWS Secrets Manager secret provider connects the Orchestrator to AWS Secrets Manager for cloud-native secrets management. This provider integrates natively with AWS IAM, making it ideal for Orchestrator deployments running on AWS infrastructure.
Console terminology: In the Maverics Console, Orchestrator instances and configuration delivery are managed through Deployments. When working directly with YAML, configuration is managed as files delivered via the -config flag or MAVERICS_CONFIG environment variable.

Overview

When configured with the AWS Secrets Manager provider, the Orchestrator authenticates to AWS using the default SDK credential chain and retrieves secrets by name. The provider supports IAM role-based authentication (recommended for EC2, ECS, and Lambda) as well as static access key credentials resolved from environment variables. Secret versioning is supported through AWS Secrets Manager’s built-in staging labels.

Use Cases

  • AWS-native secret storage — store and manage Orchestrator secrets alongside other AWS resources with native IAM integration
  • Automatic rotation — leverage AWS Secrets Manager’s built-in rotation capabilities to rotate credentials on a schedule
  • Cross-account secret sharing — share secrets across AWS accounts using resource-based policies

Configuration

Secret providers are not configured in YAML. They are set via the MAVERICS_SECRET_PROVIDER environment variable or the -secretProvider CLI flag.
Console UI documentation is coming soon. This section will walk you through configuring this component using the Maverics Console’s visual interface, including step-by-step screenshots and field descriptions.

Configuration via Environment Variable

export MAVERICS_SECRET_PROVIDER="awssecretsmanager://us-west-2/maverics-secrets"

Configuration via CLI Flag

maverics -config maverics.yaml -secretProvider "awssecretsmanager://us-west-2/maverics-secrets"

Referencing Secrets in YAML

Once the secret provider is configured, reference secrets in your Orchestrator YAML configuration using angle bracket syntax:
connectors:
  - name: my-idp
    oauthClientSecret: <maverics.client_secret>

Configuration Reference

URL Structure

awssecretsmanager://{region}/{secret-name}

URL Parameters

Parameter     Required   Description
Region        Yes        AWS region where the secret is stored (e.g., us-west-2, eu-west-1)
Secret name   Yes        Name of the secret in AWS Secrets Manager (e.g., maverics-secrets)

AWS Credential Resolution

The provider uses the default AWS SDK credential chain to authenticate. Credentials are resolved in the following order:
  1. Environment variables — AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and optionally AWS_SESSION_TOKEN
  2. Shared credentials file — ~/.aws/credentials
  3. IAM role for Amazon EC2 — instance profile credentials (recommended for EC2 deployments)
  4. IAM role for ECS tasks — task role credentials (recommended for ECS deployments)
  5. IAM role for EKS pods — IRSA credentials (recommended for EKS deployments)
For production deployments, use IAM roles instead of static access keys. IAM roles automatically rotate credentials and do not require secrets to be stored on the host.

Troubleshooting

“AccessDeniedException” when starting the Orchestrator
Verify that the IAM role or access keys have the secretsmanager:GetSecretValue permission for the configured secret ARN. Check the IAM policy attached to the role or user.

“ResourceNotFoundException” for the secret name
Confirm the secret name and region are correct. The secret must exist in the specified AWS region. Secret names are case-sensitive.

Secrets not resolving in YAML configuration
Ensure the angle bracket syntax matches the key names stored in the AWS secret. The secret value in AWS Secrets Manager should be a JSON object where the keys correspond to the key names used in <namespace.key> references.
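The following is an added example, not Orchestrator code, that ties together the URL structure from the Configuration Reference and the JSON-keyed resolution described under Troubleshooting. It parses an awssecretsmanager://{region}/{secret-name} URL, fetches the secret from a constructed in-memory stand-in for the GetSecretValue call, and resolves <namespace.key> references in YAML text the way the troubleshooting entry describes: each key is looked up, case-sensitively, in the JSON object stored as the secret value. How the real provider uses the namespace part of a reference is not stated on this page, so this example treats it as informational and reports any reference whose key is absent rather than silently leaving it unresolved. The secret values, the helper names and the regex for references are all assumptions made for the example.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample provider URL in the page's documented form.
PROVIDER_URL = "awssecretsmanager://us-west-2/maverics-secrets"

# Constructed stand-in for what AWS Secrets Manager would return for
# GetSecretValue on "maverics-secrets": SecretString holding a JSON object.
# In a real deployment this would come from
#   boto3.client("secretsmanager", region_name=region)
#        .get_secret_value(SecretId=secret_name)["SecretString"]
FAKE_SECRET_STORE = {
    ("us-west-2", "maverics-secrets"): json.dumps({"client_secret": "example-client-secret"}),
}


def parse_provider_url(url):
    """Split awssecretsmanager://{region}/{secret-name} into (region, secret_name)."""
    parsed = urlparse(url)
    if parsed.scheme != "awssecretsmanager":
        raise ValueError(f"unexpected scheme: {parsed.scheme!r}")
    region = parsed.netloc
    secret_name = parsed.path.lstrip("/")
    if not region or not secret_name:
        raise ValueError("URL must be awssecretsmanager://{region}/{secret-name}")
    return region, secret_name


def fetch_secret(region, secret_name, store=FAKE_SECRET_STORE):
    """Return the secret value as a dict; fails like the troubleshooting cases do."""
    try:
        raw = store[(region, secret_name)]
    except KeyError:
        # Wrong name or wrong region: the page's ResourceNotFoundException case.
        raise LookupError(f"ResourceNotFoundException: {secret_name!r} in {region!r}")
    value = json.loads(raw)
    if not isinstance(value, dict):
        # The page requires a JSON object keyed by the names used in references.
        raise ValueError("secret value must be a JSON object keyed by secret key names")
    return value


# Assumed shape of a reference: <namespace.key> with identifier-like parts.
REF_RE = re.compile(r"<([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)>")


def resolve_references(yaml_text, secrets):
    """Replace each <namespace.key> with secrets[key]; return (text, missing refs).

    Lookups are case-sensitive, matching the page's note on secret names, so a
    reference whose key is absent is left in place and reported instead of being
    replaced with an empty string.
    """
    missing = []

    def substitute(match):
        namespace, key = match.group(1), match.group(2)
        if key not in secrets:
            missing.append(f"{namespace}.{key}")
            return match.group(0)
        return secrets[key]

    resolved = REF_RE.sub(substitute, yaml_text)
    return resolved, missing


if __name__ == "__main__":
    region, name = parse_provider_url(PROVIDER_URL)
    secrets = fetch_secret(region, name)
    sample_yaml = (
        "connectors:\n"
        "  - name: my-idp\n"
        "    oauthClientSecret: <maverics.client_secret>\n"
    )
    text, missing = resolve_references(sample_yaml, secrets)
    print(text)
    print("unresolved references:", missing)
```

Running the block resolves the connector's oauthClientSecret from the constructed secret and prints an empty unresolved list; changing the reference to <maverics.Client_Secret> reproduces the "secrets not resolving" symptom, with the mismatched key reported so the operator can compare it against the keys actually stored in the secret.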