
# AWS Secrets Manager

export const m_runner = "Maia runner";

export const maia = "Maia";

[AWS Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html) manages keys, secrets, and certificates in the AWS portal. Several functions in {maia} require access to these resources.

***

## Creating secrets in AWS Secrets Manager

<Note>
  * A secret can be used for hosting a password for the connection to a source database or for hosting a private key.
  * If you need to store multiple passwords and keys, these should each be in a separate secret.
</Note>

<Note>
  [Key-pair private keys for Snowflake](/docs/administration/snowflake-key-pair-authentication) should be stored in AWS Secrets Manager as plaintext to avoid formatting issues. AWS will display an error warning that "The secret value can't be converted to key name and value pairs". Do not be alarmed: the secret/key value will work as expected in {maia}.
</Note>

1. Log in to your [AWS account](https://aws.amazon.com/console/). This should be the same account that you use with {maia}.

2. Browse to the AWS Secrets Manager service. If the service isn't in your **Recently visited** list, click the search bar, type "Secrets Manager", and click **Secrets Manager**.

3. Click **Store a new secret**. The **Choose secret type** page will open.

4. For the **Secret type** section, choose **Other type of secret**.

5. For the **Key/value pairs** section, use the side-by-side fields to add the key and the value of your secret.

6. In the **Encryption key** field, we advise leaving the field blank so Secrets Manager automatically provisions the KMS key. If you opt to use a customer-managed KMS key instead, you will need to give your {m_runner} access to that key.

7. Click **Next**.

8. Give your secret a **Secret name** to identify it. The secret name will be used by {maia} to locate and use the correct key.

9. You do not need to give individual **Resource permissions** as this key is being used by services within the same account. Our best-practice guidelines are therefore to ignore this option.

   <Note>
     * If you expect to access this key from another AWS account, consult your administrator for the required access permissions.
     * This isn't the same as granting permission to other resources to access the key. Read [Permissions](#permissions) after creating your secret for more information on this.
   </Note>

10. Click **Next** and then **Next** again on the **Configure rotation** page.

11. Review your new secret and click **Store** when satisfied.

12. Click back into your new secret and note down the **Secret ARN**. You may need to supply the ARN within {maia}, for example when you create a {m_runner}.

***

## Permissions

Your {m_runner} will require the following AWS Secrets Manager permission: `secretsmanager:GetSecretValue`.

To learn more, read [IAM Roles](/docs/guides/aws-iam-roles).
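
The following is an added example, not Maia's own code or documented policy: a small generator for an IAM policy that grants `secretsmanager:GetSecretValue` only on the Secret ARNs you noted down, plus `kms:Decrypt` when the secret uses a customer-managed KMS key. The function name, the sample ARNs, and the choice to scope by resource and by `kms:ViaService` are assumptions of this example.

```python
import json
import re

# Assumes the standard "aws" partition. Wildcards are rejected on purpose so
# the resulting policy can only name secrets that were listed explicitly.
_SECRET_ARN = re.compile(
    r"^arn:aws:secretsmanager:([a-z0-9-]+):\d{12}:secret:[A-Za-z0-9/_+=.@-]+$")
_KMS_KEY_ARN = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/[A-Za-z0-9-]+$")

# Constructed sample values, not real resources.
SAMPLE_SECRET_ARN = ("arn:aws:secretsmanager:eu-west-1:111122223333:"
                     "secret:snowflake-private-key-AbCdEf")
SAMPLE_KMS_KEY_ARN = ("arn:aws:kms:eu-west-1:111122223333:"
                      "key/1234abcd-12ab-34cd-56ef-1234567890ab")


def build_runner_policy(secret_arns, kms_key_arn=None):
    """Return an IAM policy document that can read only the listed secrets."""
    if not secret_arns:
        raise ValueError("at least one Secret ARN is required")
    regions = set()
    for arn in secret_arns:
        match = _SECRET_ARN.match(arn)
        if match is None:
            raise ValueError(f"not a full Secret ARN: {arn!r}")
        regions.add(match.group(1))
    statements = [{
        "Sid": "ReadListedSecretsOnly",
        "Effect": "Allow",
        "Action": "secretsmanager:GetSecretValue",
        "Resource": sorted(secret_arns),
    }]
    if kms_key_arn is not None:  # only for a customer-managed KMS key
        if _KMS_KEY_ARN.match(kms_key_arn) is None:
            raise ValueError(f"not a KMS key ARN: {kms_key_arn!r}")
        via = [f"secretsmanager.{r}.amazonaws.com" for r in sorted(regions)]
        statements.append({
            "Sid": "DecryptViaSecretsManagerOnly",
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": kms_key_arn,
            # The key may be used only through Secrets Manager, not directly.
            "Condition": {"StringEquals": {"kms:ViaService": via}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    policy = build_runner_policy([SAMPLE_SECRET_ARN], SAMPLE_KMS_KEY_ARN)
    print(json.dumps(policy, indent=2))
```

Omit the second argument when the **Encryption key** field was left blank.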
