
# On-Prem Agent AWS Secrets Manager

<Callout intent="info">
  This guide is only needed if you are configuring the Moveworks On-Prem Agent to read credentials from AWS Secrets Manager. If you are not using an external secrets manager, the agent stores credentials locally using AES-256 encryption — see the [Installation Guide](/agent-studio/core-platform/moveworks-agent/moveworks-agent-installation-guide) to get started.
</Callout>

These instructions guide you through configuring permissions for a VM in AWS so that the On-Prem Agent can pull secrets from AWS Secrets Manager.

You have several options for how to do this.

1. [\[Recommended\] Assign the \[movework\_agent\_secrets\_access\] policy to the existing role used by the VM.](/agent-studio/core-platform/moveworks-agent/moveworks-agent-aws-secrets-manager-setup-guide#recommended-assign-the-movework_agent_secrets_access-policy-to-the-existing-role-used-by-the-vm)
2. [Create a new role with the \[movework\_agent\_secrets\_access\] policy and assign this role to the VM.](/agent-studio/core-platform/moveworks-agent/moveworks-agent-aws-secrets-manager-setup-guide#create-new-role)
3. [Create an inline policy and assign it to the existing role used by the VM.](/agent-studio/core-platform/moveworks-agent/moveworks-agent-aws-secrets-manager-setup-guide#create-inline-policy-for-existing-role)

## \[Recommended] Assign the \[movework\_agent\_secrets\_access] policy to the existing role used by the VM

### Use AWS CloudFormation to create the Moveworks Agent IAM managed policy allowing Secrets Manager access

1. Create new stack by clicking on **Create stack**.\
   ![](https://files.readme.io/e632f93-Screen_Shot_2022-06-23_at_4.37.01_PM.png)
2. Use the Moveworks CloudFormation template below. It creates a managed policy that grants only the two read actions the agent needs, scoped to secrets under the `moveworks_agent/` path in your account.

   ```yaml
   AWSTemplateFormatVersion: "2010-09-09"

   Description: >-
     Template for generating Moveworks Agent IAM managed policy allowing
     Secrets Manager access.

   Resources:
     SecretsManagerPolicy:
       Type: 'AWS::IAM::ManagedPolicy'
       Properties:
         ManagedPolicyName: moveworks_agent_secrets_access
         PolicyDocument:
           Version: "2012-10-17"
           Statement:
             - Effect: Allow
               Action:
                 - 'secretsmanager:GetSecretValue'
                 - 'secretsmanager:DescribeSecret'
               Resource: !Sub >-
                 arn:${AWS::Partition}:secretsmanager:*:${AWS::AccountId}:secret:moveworks_agent/*
   ```

   ![](https://files.readme.io/a54f0db-Screen_Shot_2022-06-23_at_4.33.49_PM.png)
3. Name the stack.\
   ![](https://files.readme.io/6347c71-Screen_Shot_2022-06-23_at_4.33.55_PM.png)
4. Configure stack options and create stack.\
   ![](https://files.readme.io/1cd8d0d-Screen_Shot_2022-06-23_at_4.35.13_PM.png)
5. Once the stack completes, the `moveworks_agent_secrets_access` managed policy exists in IAM.\
   ![](https://files.readme.io/e09be4d-Screen_Shot_2022-06-23_at_4.42.53_PM.png)

### Assign Policy to existing role

1. Navigate to **IAM → Roles** and open the role that is attached to the agent VM.
2. Attach policies.\
   ![](https://files.readme.io/8d64b98-Screen_Shot_2022-06-23_at_5.04.02_PM.png)\
   ![](https://files.readme.io/2304f48-Screen_Shot_2022-06-23_at_5.05.01_PM.png)

## Create new role

1. Navigate to **IAM → Roles → Create Role**.\
   ![](https://files.readme.io/c74ca4c-Screen_Shot_2022-06-23_at_4.54.03_PM.png)
2. Attach the policy you just created. If you used the CloudFormation template, it is named `moveworks_agent_secrets_access`.\
   ![](https://files.readme.io/3eef739-Screen_Shot_2022-06-23_at_4.57.00_PM.png)
3. Name, review, and create.\
   ![](https://files.readme.io/1195d5d-Screen_Shot_2022-06-23_at_4.59.13_PM.png)

## Create Inline policy for existing role

1. Click on **Create inline policy**.\
   ![](https://files.readme.io/d8a404d-Screen_Shot_2022-06-23_at_5.04.02_PM_1.png)
2. Create policy.\
   ![](https://files.readme.io/6bf5e75-Screen_Shot_2022-06-23_at_5.08.23_PM.png)

### Sample inline policy

Replace `<region>` and `<account-id>` with your own values (the CloudFormation template above uses `*` for the region). The Resource ARN scopes access to secrets under the `moveworks_agent/` path only.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret"
            ],
            "Resource": "arn:aws:secretsmanager:<region>:<account-id>:secret:moveworks_agent/*"
        }
    ]
}
```

## Add Secrets

1. Navigate to **AWS Secrets Manager → Secrets → Store a new secret**.

![](https://files.readme.io/78f8eca-Screen_Shot_2022-06-21_at_4.31.14_PM_1.png)

2. Name your secrets consistently with the access policy. If the access policy grants access to `moveworks_agent/*`, make sure the secrets are named `moveworks_agent/<secret_name>`. \[The policy created by the provided CloudFormation template grants access to secrets under the path `moveworks_agent/*`.]

![](https://files.readme.io/e882188-Screen_Shot_2022-06-21_at_4.32.09_PM.png)

3. Configure your desired rotation schedules and create the secret.
4. Save the secret ARN for every secret you create.\
   ![](https://files.readme.io/ded9197-Screen_Shot_2022-06-23_at_5.20.30_PM.png)\
   Some common secrets used by the Moveworks Agent are listed below; you may need more secrets for multiple LDAP domains or multiple REST integrations.
   1. moveworks\_access\_secret
   2. ldap\_service\_password
   3. jira\_password
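As an added example (not part of this guide or the Moveworks agent), the following Python checker applies IAM-style wildcard matching to a copy of the sample inline policy above and reports which secret ARNs it covers for both read actions, which makes the naming rule concrete: secrets created outside the `moveworks_agent/` path are not readable. It also flags statements that grant more than the two read actions or whose Resource is not pinned to that path. The account ID, region and secret ARNs are constructed placeholders.

```python
import json
import re

# Constructed sample: the guide's inline policy with placeholders filled in for a
# hypothetical account (111122223333 is not a real account ID).
POLICY_JSON = """{"Version": "2012-10-17", "Statement": [{
  "Sid": "VisualEditor0", "Effect": "Allow",
  "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
  "Resource": "arn:aws:secretsmanager:us-west-2:111122223333:secret:moveworks_agent/*"}]}"""

# Constructed secret ARNs. Secrets Manager appends a random suffix to the secret
# name in the ARN, which is why the policy's Resource ends in a wildcard.
PREFIX = "arn:aws:secretsmanager:us-west-2:111122223333:secret:"
SAMPLE_ARNS = [
    PREFIX + "moveworks_agent/moveworks_access_secret-Ab12Cd",
    PREFIX + "moveworks_agent/ldap_service_password-Ef34Gh",
    PREFIX + "jira_password-Ij56Kl",  # path prefix missing: not covered by the policy
    PREFIX.replace("us-west-2", "us-east-1") + "moveworks_agent/jira_password-Mn78Op",  # other region
]
READ_ACTIONS = ("secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret")

def iam_match(pattern, value):
    """IAM wildcard matching: '*' matches any run of characters (including ':' and
    '/'), '?' matches exactly one character; everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allowed_secrets(policy_json, secret_arns):
    """ARNs that some Allow statement covers for BOTH read actions the agent needs.
    Deny statements and Condition blocks are not evaluated."""
    stmts = [s for s in json.loads(policy_json)["Statement"] if s.get("Effect") == "Allow"]
    return [arn for arn in secret_arns if any(
        all(any(iam_match(a, need) for a in _as_list(s.get("Action", []))) for need in READ_ACTIONS)
        and any(iam_match(r, arn) for r in _as_list(s.get("Resource", [])))
        for s in stmts)]

def overbroad_statements(policy_json):
    """Allow statements granting more than the two read actions, or whose Resource
    does not pin the secret name to the moveworks_agent/ path (e.g. "*")."""
    findings = []
    for s in json.loads(policy_json)["Statement"]:
        extra = [a for a in _as_list(s.get("Action", [])) if a not in READ_ACTIONS]
        loose = [r for r in _as_list(s.get("Resource", [])) if ":secret:moveworks_agent/" not in r]
        if s.get("Effect") == "Allow" and (extra or loose):
            findings.append((s.get("Sid", "<no Sid>"), extra, loose))
    return findings
```

Run `allowed_secrets(POLICY_JSON, SAMPLE_ARNS)` against the ARNs you saved in step 4 (after substituting your own values) to confirm every agent secret is covered before testing from the VM.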

## Check for access

From the agent VM, check that the instance role can both describe and read each secret you created. Both calls should succeed for every saved ARN; an `AccessDeniedException` means the policy is not attached to the VM's role or the secret name does not fall under the `moveworks_agent/` path.

```bash
aws secretsmanager describe-secret --secret-id <Secret ARN>
aws secretsmanager get-secret-value --secret-id <Secret ARN>
```

## Next Steps

Once you have verified access, reference your secrets in `agent_config.yml` using the `aws_entry` secret object. See the [Configuration File Reference — Secret Object](/agent-studio/core-platform/moveworks-agent/moveworks-agent-configuration-guides/configuration-file-reference#secret-object) for the full syntax.

```yaml
moveworks_access_secret:
  aws_entry:
    secret_name: moveworks_agent/my-secret-name
    region: us-west-2
    refresh_time_sec: 3600
```