Describes the required prerequisites to use vault secret credentials with AWS Secrets Manager.

1. Create a secret with AWS Secrets Manager and copy the AWS secret ARN.

   See AWS Secrets Manager for more information.

2. Perform AWS management prerequisites to use Amazon Resource Names (ARNs).

   See Perform AWS Management Prerequisites to Use Amazon Resource Names (ARNs) for more information.

3. Enable AWS principal authentication to provide access to the secret in AWS Secrets Manager.

   For example, on the Autonomous Database instance run:

   BEGIN
       DBMS_CLOUD_ADMIN.ENABLE_PRINCIPAL_AUTH(                                     
             provider => 'AWS',
             params =>
                JSON_OBJECT( 
                   'aws_role_arn' value 'arn:aws:iam::123456:role/AWS_ROLE_ARN'));
   END; 
   /

   See ENABLE_PRINCIPAL_AUTH Procedure and About Using Amazon Resource Names (ARNs) to Access AWS Resources for more information.

4. Set up AWS to provide permissions for Amazon Resource Names (ARNs) to access the secret in AWS Secrets Manager.

   On the AWS console, you must grant read access to the secret to the principal authentication credential.

   1. In the AWS console, navigate to the IAM and select Roles in Access Management.
   2. Select the role.
   3. In the Permission tab, click Add permissions → create inline policy.
   4. In the Service section, select secret manager as the service.
   5. In the Action section, select Read access level.
   6. In the Resources section, click Add ARN, specify ARN for secret and click Add → click Review the policy → give a policy name → click create policy.
   7. Back to the Permission tab, verify that the inline policy is attached.

   See Use Amazon Resource Names (ARNs) to Access AWS Resources and Permissions policy examples for AWS Secrets Manager for more information.

Describes the steps to use an AWS Secrets Manager secret with credentials.

1. Create a secret in AWS Secrets Manager and create an inline policy to allow your Autonomous Database to access secrets in AWS Secrets Manager.
   See Prerequisites to Create Vault Secret Credential with AWS Secrets Manager for more information.
2. Use DBMS_CLOUD.CREATE_CREDENTIAL to create a vault secret credential to access the AWS Secrets Manager secret.

   For example:

   BEGIN DBMS_CLOUD.CREATE_CREDENTIAL(
       credential_name      => 'AWS_SECRET_CRED',
       params               => JSON_OBJECT( 
            'username'   value 'access_key',
            'secret_id'  value 'arn:aws:secretsmanager:region:account-ID:secret:secret_name' ));
   END;
   /

   Where:

   • username: is the username of the original credential. It can be the username of any type of username/password credential.

   • secret_id: is the vault secret AWS ARN.

   To create a vault secret credential you must have EXECUTE privilege on the DBMS_CLOUD package.

   See CREATE_CREDENTIAL Procedure for more information.

3. Use the credential to access a cloud resource.

   For example:

   SELECT count(*) FROM DBMS_CLOUD.LIST_OBJECTS(
        'AWS_SECRET_CRED', 
        'https://s3-us-west-2.amazonaws.com/adb/' );