Integrate Postman Vault with AWS Secrets Manager

Postman Vault integrations are available on Postman Enterprise plans with the Advanced Security Administration add-on.

AWS Secrets Manager enables you to store sensitive data in a vault that's external to your Postman Vault. Once your Postman Vault is integrated with AWS Secrets Manager, you can link vault secrets with sensitive data stored in AWS Secrets Manager, and retrieve them when you send HTTP requests.

You can create Postman Vault integrations from the Postman desktop app.

Learn more about Postman Vault integrations.

About the AWS Secrets Manager integration

When setting up an integration with AWS Secrets Manager, you need to authenticate with your AWS account, selecting the security credentials type you'd like to use: long-lived or temporary security credentials. Enter the access key pair (access key ID and secret access key), session token, region, and multi-factor authentication (MFA) token for your AWS account. Then you can link vault secrets with AWS Secrets Manager using the secret Amazon Resource Name (ARN), role ARN, and version for each secret.

You can follow the steps to create a secret, find a secret, and retrieve a secret from AWS Secrets Manager. Postman retrieves the value exactly as it's entered in the Plaintext tab, so enter the secret's value in the format you want it returned in Postman. To view a secret's details, including the secret ARN, open the Secrets Manager console then select the secret's name.

Integrate with AWS Secrets Manager

When you create the integration, authorize Postman to access and retrieve secrets from AWS Secrets Manager. Enter the access key pair (access key ID and secret access key), session token (if using temporary security credentials), region, and MFA token for your AWS account.

Postman uses your access key pair to authenticate with AWS. The key pair is valid in Postman for 2 hours if using long-lived security credentials, and it's valid for a specified period of time if using temporary security credentials.

You'll need to reauthenticate with AWS each time you sign in to Postman, or when your access key pair expires in Postman.

If your AWS account requires an MFA token to authenticate, make sure you have the iam:listMFADevices permission in the identity-based policy associated with your AWS user. This enables Postman to check if your AWS account has MFA enabled, and then prompt you to enter your MFA token.

To integrate with AWS Secrets Manager and authenticate with your AWS account, do the following:

  1. Open your Postman Vault, then select Settings. Optionally, you can create the integration when you add a vault secret.

  2. Select Connect next to AWS Secrets Manager.

    Your computer must be able to access your Amazon Web Services instance, and your AWS account can't require a proxy server to access it.

  3. You'll be prompted to authorize Postman to access your AWS account. Make sure the secrets you plan to retrieve are accessible from your AWS account. If you need to manually authorize Postman, enter the following on the Authenticate AWS Secrets Manager window:

    Select the security Credentials Type to use when authenticating with AWS: long-lived or temporary security credentials. The security credential type determines the length of time the access key pair (access key ID and secret access key) is valid for in Postman. You'll need to reauthenticate with AWS when the key pair expires. Learn more about security credentials in AWS.

    • Long-lived - Long-term security credentials that are valid for 2 hours in Postman.

      • Access Key - Enter the access key ID for your AWS account.
      • Secret Key - Enter the secret access key for your AWS account.
      • Region - Enter the AWS region where your AWS account is located.
    • Temporary - Short-term security credentials that enable you to configure the length of time they're valid for. Learn more about temporary security credentials in AWS.

      • Request temporary security credentials, and enter them in Postman. The credentials include the Access Key, Secret Key, and Session Token.

        Request the credentials using AWS Security Token Service (AWS STS) operations. You can enter the AWS STS commands using a command line tool, such as the AWS CLI. An AWS Admin can also generate temporary credentials for users using their internal AWS portal.

      • Region - Enter the AWS region where your AWS account is located.

    Optionally, you can instead autofill each field, enabling Postman to fill in the details required to authenticate with your AWS account.

  4. Select Authenticate.

  5. If your AWS account requires multi-factor authentication, enter an MFA Token.

  6. Select Authenticate.

Autofill authentication credentials

You can autofill each field from the credentials file in your home directory. This enables Postman to automatically fill in the details required to authenticate with your AWS account.

To create the credentials file, install the AWS CLI, then configure the credentials file with your access key, secret key, and region. Postman checks the .aws/credentials file in your home directory, and checks the main and default profiles in that order in your credentials file. You can learn more about the credentials file format and default location of the file in your home directory.

Once the file is configured, select a field on the Authenticate AWS Secrets Manager window, and select Autofill from config file. Then you can complete the remaining steps to authenticate with your AWS account.
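
The profile lookup order described above can be checked before you rely on autofill. The following is an added example, not Postman's code: it reports which profile would be selected from credentials-file text and whether its keys look long-lived or temporary, and it flags a credentials file that other local users can read. The function names and sample values are hypothetical, and the AKIA/ASIA key prefixes are used as a heuristic for long-term and temporary keys.

```python
import configparser
import os
import stat

# Lookup order stated on this page: the "main" profile, then "default".
PROFILE_ORDER = ("main", "default")

# Constructed sample file; every value is a placeholder, not a real credential.
SAMPLE = """\
[default]
aws_access_key_id = AKIAEXAMPLEDEFAULT00
aws_secret_access_key = placeholder-secret

[main]
aws_access_key_id = ASIAEXAMPLEMAIN00000
aws_secret_access_key = placeholder-secret
aws_session_token = placeholder-token
region = eu-west-1
"""


def resolve_autofill_profile(text):
    """Summarize the first profile found in PROFILE_ORDER, or return None."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    for name in PROFILE_ORDER:
        if not parser.has_section(name):
            continue
        section = parser[name]
        key_id = section.get("aws_access_key_id", "")
        has_token = bool(section.get("aws_session_token"))
        # AKIA marks a long-term IAM user key, ASIA a temporary STS key.
        if key_id.startswith("ASIA") and has_token:
            kind = "temporary"
        elif key_id.startswith("AKIA") and not has_token:
            kind = "long-lived"
        else:
            kind = "inconsistent"  # for example, an ASIA key with no token
        return {"profile": name, "type": kind, "region": section.get("region")}
    return None


def too_permissive(path):
    """True when group or other users have any access to the file (POSIX)."""
    return bool(os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO))


if __name__ == "__main__":
    print(resolve_autofill_profile(SAMPLE))
```

An "inconsistent" result means the profile mixes the two credential types, so the Credentials Type selected in Postman would not match the fields that autofill provides.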

Link a vault secret's value with a secret stored in AWS Secrets Manager. This enables you to retrieve a secret stored in AWS Secrets Manager directly from your local instance of Postman. Once you link a vault secret's value, reference the vault secret in your local instance of Postman, and the secret is retrieved from AWS Secrets Manager when you send the HTTP request that references the vault secret.

Secrets retrieved from AWS Secrets Manager aren't stored in your local instance of Postman or the Postman cloud. Learn more about Postman Vault integrations.

Before you link a vault secret, make sure you have the secretsmanager:GetSecretValue permission in the identity-based policy associated with your AWS user. This enables you to retrieve secrets stored in AWS Secrets Manager from your local instance of Postman.

To link a vault secret's value with AWS Secrets Manager, do the following:

  1. In Postman, enter a name for the vault secret, hover over the Value cell, then select the vault integration icon.

    If you've already integrated with an external vault, you can link a secret from a different external vault provider. Select the change external vault icon, then select an external vault.

  2. Enter the following on the Link secret window:

    • Secret ARN - Enter the unique Amazon Resource Name (ARN) that identifies the secret. Postman retrieves the value exactly as it's entered in the secret's Plaintext tab.

      arn:aws:secretsmanager:<region>:<account-id>:secret:<secret-name>-<six-random-characters>
      
    • Role ARN (Optional) - The secret's permissions policy might require you to assume a role with elevated permissions to access it. Enter the unique ARN specifying the required role to temporarily assume it. Learn more about assuming roles in AWS.

      Also make sure you have the iam:assumeRole permission in the identity-based policy associated with your AWS user.

      arn:aws:iam::<account-id>:role/<role-name-with-path>
      
    • Version (Optional) - Enter the version of the secret. The current version of the secret will be used if a version isn't provided.

  3. Select Use.
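
The ARN formats and the secretsmanager:GetSecretValue requirement above lend themselves to a pre-flight check. The following is an added example, not part of Postman or AWS tooling: it validates the Secret ARN and Role ARN against the layouts shown on this page and builds an identity-based policy that grants GetSecretValue on that one secret rather than on all secrets. The function names, the Sid, and the sample ARN (placeholder account ID and secret name) are hypothetical.

```python
import json
import re

# ARN layouts shown on this page (commercial "aws" partition only).
SECRET_ARN = re.compile(
    r"arn:aws:secretsmanager:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):"
    r"secret:(?P<name>[A-Za-z0-9/_+=.@-]+)-[A-Za-z0-9]{6}"
)
ROLE_ARN = re.compile(r"arn:aws:iam::(?P<account>\d{12}):role/[\w+=,.@/-]+")


def check_link_inputs(secret_arn, role_arn=None):
    """Return a list of problems with the values typed into Link secret."""
    problems = []
    secret = SECRET_ARN.fullmatch(secret_arn)
    if secret is None:
        problems.append("secret ARN is not a full Secrets Manager ARN")
    if role_arn is not None:
        role = ROLE_ARN.fullmatch(role_arn)
        if role is None:
            problems.append("role ARN is not an IAM role ARN")
        elif secret and role["account"] != secret["account"]:
            # Cross-account access can be legitimate; flag it for review.
            problems.append("role and secret are in different accounts")
    return problems


def read_only_policy(secret_arn):
    """Build an identity-based policy allowing GetSecretValue on one secret."""
    if SECRET_ARN.fullmatch(secret_arn) is None:
        raise ValueError("refusing to build a policy for a malformed ARN")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PostmanVaultReadOneSecret",
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": secret_arn,
        }],
    }


if __name__ == "__main__":
    # Constructed ARN: placeholder account ID and secret name.
    arn = "arn:aws:secretsmanager:eu-west-1:111122223333:secret:demo/api-key-AbC123"
    print(check_link_inputs(arn))
    print(json.dumps(read_only_policy(arn), indent=2))
```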

To view details about a secret you've retrieved from AWS Secrets Manager, select the vault integration icon next to a secret.

Next steps

After integrating Postman Vault with AWS Secrets Manager, you can reference vault secrets and manage your integrations.

Last modified: 2024/04/29