Integrate Postman Vault with AWS Secrets Manager

Postman Vault integrations are available on Postman Enterprise plans with the Advanced Security Administration add-on.

AWS Secrets Manager enables you to store sensitive data in a vault that's external to your Postman Vault. Once your Postman Vault is integrated with AWS Secrets Manager, you can link vault secrets with sensitive data stored in AWS Secrets Manager, and retrieve them when you send HTTP requests.

You can create Postman Vault integrations from the Postman desktop app.

Learn more about Postman Vault integrations.

About the AWS Secrets Manager integration

When setting up an integration with AWS Secrets Manager, you need to authenticate with your AWS account, selecting the security credentials type you'd like to use: long-lived or temporary security credentials. Enter the access key pair (access key ID and secret access key), session token, region, and multi-factor authentication (MFA) token for your AWS account. Then you can link vault secrets with AWS Secrets Manager using the secret Amazon Resource Name (ARN), role ARN, and version for each secret.

You can follow the steps to create a secret, find a secret, and retrieve a secret from AWS Secrets Manager. To view a secret's details, including the secret ARN, open the Secrets Manager console, then select the secret's name.

By default, Postman retrieves the value that's entered in the Plaintext tab in the Secrets Manager console. Postman retrieves the value exactly as it's entered in the Plaintext tab, so enter the secret's value in the format you want it returned in Postman. You can configure Postman to retrieve the value of a JSON key-value pair in the Key/value tab.

Integrate with AWS Secrets Manager

When you create the integration, authorize Postman to access and retrieve secrets from AWS Secrets Manager. Enter the access key pair (access key ID and secret access key), session token (if using temporary security credentials), region, and MFA token for your AWS account.

Postman uses your access key pair to authenticate with AWS. The key pair is valid in Postman for 2 hours if using long-lived security credentials, and it's valid for a specified period of time if using temporary security credentials.

You'll need to reauthenticate with AWS each time you open Postman, or when your access key pair expires in Postman.

If your AWS account requires an MFA token to authenticate, make sure you have the iam:listMFADevices permission in the identity-based policy associated with your AWS user. This enables Postman to check if your AWS account has MFA enabled, and then prompt you to enter your MFA token.

To integrate with AWS Secrets Manager and authenticate with your AWS account, do the following:

  1. Open your Postman Vault.

  2. If you haven't created an integration with an external vault, select Set up external vault in the top right of your Postman Vault. Otherwise, select Use from existing vault. Then select AWS Secrets Manager.

    Optionally, you can select Settings in the top right of your Postman Vault. Then select Connect next to AWS Secrets Manager.

    Your computer must be able to access your Amazon Web Services instance, and your AWS account can't require a proxy server to access it.

  3. You'll be prompted to authorize Postman to access your AWS account. Make sure the secrets you plan to retrieve are accessible from your AWS account. If you need to manually authorize Postman, enter the following on the Authenticate AWS Secrets Manager window:

    Select the security Credentials Type to use when authenticating with AWS: long-lived or temporary security credentials. The security credential type determines the length of time the access key pair (access key ID and secret access key) is valid for in Postman. You'll need to reauthenticate with AWS when the key pair expires. Learn more about security credentials in AWS.

    • Long-lived - Long-term security credentials that are valid for 2 hours in Postman.

      • Access Key - Enter the access key ID for your AWS account.
      • Secret Key - Enter the secret access key for your AWS account.
      • Region - Enter the AWS region where your AWS account is located.
    • Temporary - Short-term security credentials that enable you to configure the length of time they're valid for. Learn more about temporary security credentials in AWS.

      • Request temporary security credentials, and enter them in Postman. The credentials include the Access Key, Secret Key, and Session Token.

        Request the credentials using AWS Security Token Service (AWS STS) operations. You can enter the AWS STS commands using a command line tool, such as the AWS CLI. An AWS Admin can also generate temporary credentials for users using their internal AWS portal.

      • Region - Enter the AWS region where your AWS account is located.

    Optionally, you can instead autofill each field, enabling Postman to fill in the details required to authenticate with your AWS account.

  4. Select Authenticate.

  5. If your AWS account requires multi-factor authentication, enter an MFA Token.

  6. Select Authenticate.

Autofill authentication credentials

You can autofill each field from the credentials file in your home directory. This enables Postman to automatically fill in the details required to authenticate with your AWS account.

To create the credentials file, install the AWS CLI, then configure the credentials file with your access key, secret key, and region. Postman checks the .aws/credentials file in your home directory, and checks the main and default profiles in that order in your credentials file. You can learn more about the credentials file format and default location of the file in your home directory.

Once the file is configured, select a field on the Authenticate AWS Secrets Manager window, and select Autofill from config file. Then you can complete the remaining steps to authenticate with your AWS account.
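A check you can run on the credentials file before using autofill, added here as an example and not Postman's or AWS's own code: it reports which profile is read first under the main-then-default order described above, whether the file is readable beyond its owner, and whether the key pair is long-lived or temporary. The function name is hypothetical, and looking for region in this file follows this page's description of it.

```python
import configparser
import os
import stat
from pathlib import Path

PROFILE_ORDER = ("main", "default")  # lookup order stated on this page
REQUIRED = ("aws_access_key_id", "aws_secret_access_key")


def inspect_credentials_file(path):
    """Return (profile, credential_type, findings) for an AWS credentials file."""
    path = Path(path)
    if not path.is_file():
        return None, None, [f"{path} not found"]
    findings = []
    # The file stores the secret access key in clear text, so any group/other
    # permission bit is a finding (POSIX permission bits only).
    mode = stat.S_IMODE(path.stat().st_mode)
    if os.name == "posix" and mode & 0o077:
        findings.append(f"file mode {mode:03o} grants access beyond the owner; use 600")
    # interpolation=None: values are read literally, even if they contain '%'.
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read(path)
    except configparser.Error as exc:
        return None, None, findings + [f"unparseable file: {exc}"]
    profile = next((p for p in PROFILE_ORDER if parser.has_section(p)), None)
    if profile is None:
        return None, None, findings + ["no [main] or [default] profile"]
    section = parser[profile]
    for key in REQUIRED:
        if not section.get(key, "").strip():
            findings.append(f"[{profile}] is missing {key}")
    if not section.get("region", "").strip():
        findings.append(f"[{profile}] has no region; enter it by hand")
    # AWS key ID prefixes: AKIA = long-term access key, ASIA = temporary (STS).
    key_id = section.get("aws_access_key_id", "").strip()
    if key_id.startswith("ASIA"):
        cred_type = "temporary"
        if not section.get("aws_session_token", "").strip():
            findings.append(f"[{profile}] temporary key without aws_session_token")
    else:
        cred_type = "long-lived"
    return profile, cred_type, findings


if __name__ == "__main__":
    # Prints the profile name, credential type and findings, never key material.
    print(inspect_credentials_file(Path.home() / ".aws" / "credentials"))
```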

Link a vault secret's value with a secret stored in AWS Secrets Manager. This enables you to retrieve a secret stored in AWS Secrets Manager directly from your local instance of Postman. Once you link a vault secret's value, reference the vault secret in your local instance of Postman, and the secret is retrieved from AWS Secrets Manager when you send the HTTP request that references the vault secret.

By default, Postman retrieves the value exactly as it's entered in the secret's Plaintext tab. Under Advanced settings, you can configure Postman to retrieve the value of a JSON key-value pair in the secret's Key/value tab.
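The difference between the two retrieval modes, as an added example that is not Postman's code: it takes a secret string as stored in AWS Secrets Manager and shows what a Plaintext or Key/Value link would carry, flagging values that commonly break a request. The function name and the handling of non-string JSON values are assumptions made for this sketch.

```python
import json


def preview_linked_value(secret_string, secret_type="plaintext", key=None):
    """Return (value, warnings) for a secret under the chosen Secret Type.

    Assumed model of the behaviour described above: Plaintext returns the
    stored string unchanged; Key/Value returns one key of the stored JSON object.
    """
    warnings = []
    if secret_type == "plaintext":
        value = secret_string
        if value != value.strip():
            warnings.append("leading/trailing whitespace is returned as-is")
        try:
            if isinstance(json.loads(value), dict):
                warnings.append(
                    "value is a JSON object; Plaintext returns the whole document")
        except ValueError:
            pass  # not JSON: an ordinary plaintext secret
        return value, warnings
    if secret_type != "key/value":
        raise ValueError(f"unknown secret type: {secret_type!r}")
    try:
        doc = json.loads(secret_string)
    except ValueError:
        return None, ["secret is not JSON; no key can be resolved"]
    if not isinstance(doc, dict) or key not in doc:
        return None, [f"key {key!r} is not present in the secret"]
    value = doc[key]
    if not isinstance(value, str):
        # Assumption of this sketch: flag non-string values instead of guessing
        # how they would be rendered.
        warnings.append("value is not a JSON string; store it quoted")
    return value, warnings
```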

Secrets retrieved from AWS Secrets Manager aren't stored in your local instance of Postman or the Postman cloud. Learn more about Postman Vault integrations.

Vault secrets are deleted from your Postman Vault after signing out of Postman. Your vault secrets can't be recovered with your vault key. When you sign in to Postman and open your Postman Vault, you can create the integration and link a vault secret's value.

Before you link a vault secret, make sure you have the secretsmanager:GetSecretValue permission in the identity-based policy associated with your AWS user. This enables you to retrieve secrets stored in AWS Secrets Manager from your local instance of Postman.

To link a vault secret's value with AWS Secrets Manager, do the following:

  1. In Postman, enter a name for the vault secret, hover over the Value cell, then select Link Vault.

    If you've already integrated with an external vault, you can link a secret from a different external vault provider. Select Add new vault, then select an external vault.

  2. Enter the following on the Link secret window:

    • Secret ARN - Enter the unique Amazon Resource Name (ARN) that identifies the secret.

      arn:aws:secretsmanager:<region>:<account-id>:secret:<secret-name>-<six-random-characters>
      
    • Advanced settings

      • Role ARN (Optional) - The secret's permissions policy might require you to assume a role with elevated permissions to access it. Enter the unique Amazon Resource Name (ARN) specifying the required role to temporarily assume it. Learn more about assuming roles in AWS.

        Also make sure you have the iam:assumeRole permission in the identity-based policy associated with your AWS user.

        arn:aws:iam::<account-id>:role/<role-name-with-path>
        
      • Version (Optional) - Enter the version of the secret. The current version of the secret will be used if a version isn't provided.

      • Secret Type - Choose the value you'd like to retrieve:

        • Plaintext - Select to retrieve the value that's stored in the secret's Plaintext tab in the Secrets Manager console. Postman retrieves the value exactly as it's entered in the tab.
        • Key/Value - Select to retrieve a value that's stored as a JSON key-value pair in the secret's Key/value tab in the Secrets Manager console. In Postman, enter the secret key for the value you want to retrieve.
  3. Select Use.
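The permissions this page asks for can be granted on exactly the ARNs you link instead of on all resources. The following added example (not Postman's or AWS's own code) validates the secret and role ARN formats shown above and builds an identity-based policy pinned to them; the function name, the Sid values and the constructed ARNs in the usage line are hypothetical.

```python
import json
import re

# ARN shapes shown on this page. The character classes exclude "*" and "?",
# so a wildcard resource is rejected and each statement stays pinned.
SECRET_ARN = re.compile(
    r"arn:aws:secretsmanager:[a-z0-9-]+:\d{12}:secret:"
    r"[A-Za-z0-9/_+=.@-]+-[A-Za-z0-9]{6}")
ROLE_ARN = re.compile(r"arn:aws:iam::\d{12}:role/[A-Za-z0-9_+=,.@/-]+")


def build_identity_policy(secret_arns, role_arn=None, mfa_check=True):
    """Return an identity-based policy (dict) scoped to the given ARNs."""
    if not secret_arns:
        raise ValueError("at least one secret ARN is required")
    for arn in secret_arns:
        if not SECRET_ARN.fullmatch(arn):
            raise ValueError(f"not a complete secret ARN: {arn!r}")
    statements = [{
        "Sid": "ReadLinkedSecrets",
        "Effect": "Allow",
        "Action": "secretsmanager:GetSecretValue",
        "Resource": sorted(set(secret_arns)),
    }]
    if mfa_check:
        # Lets the signed-in user list only their own MFA devices
        # (assumes the IAM user was created without a path).
        statements.append({
            "Sid": "ListOwnMfaDevices",
            "Effect": "Allow",
            "Action": "iam:ListMFADevices",
            "Resource": "arn:aws:iam::*:user/${aws:username}",
        })
    if role_arn is not None:
        if not ROLE_ARN.fullmatch(role_arn):
            raise ValueError(f"not a role ARN: {role_arn!r}")
        # The IAM action evaluated for an AssumeRole call is sts:AssumeRole.
        statements.append({
            "Sid": "AssumeSecretRole",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": role_arn,
        })
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    # Constructed ARNs for illustration only.
    print(json.dumps(build_identity_policy(
        ["arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/api-key-AbC123"],
        role_arn="arn:aws:iam::111122223333:role/secret-reader"), indent=2))
```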

To view details about a secret you've retrieved from AWS Secrets Manager, select Configure vault next to a secret.

You can also use scripts to access vault secrets linked with AWS Secrets Manager. Postman doesn't support setting the value of vault secrets linked with external vaults.

Make sure you enable scripts to access your vault secrets. Otherwise, you'll receive an error in the Postman Console.

Next steps

After integrating Postman Vault with AWS Secrets Manager, you can reference vault secrets and manage your integrations.

Last modified: 2024/04/29