Amazon Secrets Manager Password Storage Scheme

Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact support in order to understand the potential impact of that change.

The Amazon Secrets Manager Password Storage Scheme provides a mechanism for authenticating users whose passwords are stored in the Amazon AWS Secrets Manager service.

This password storage scheme only supports authenticating users and does not allow password changes. Password changes must be made in the AWS Secrets Manager service.
When updating a user account to use this password storage scheme, the password must be provided in pre-encoded form (which will likely require using the password update behavior request control with the allowPreEncodedPassword element set to true). The encoded password should consist of the prefix "{AWS-SECRETS-MANAGER}" followed by a JSON object with the following fields:

For example, a password encoded with this scheme may look something like:
 {AWS-SECRETS-MANAGER}{"id":"secret-name","field":"field-name"} 

Parent Component Relations from This Component Properties dsconfig Usage

Parent Component

The Amazon Secrets Manager Password Storage Scheme component inherits from the Password Storage Scheme

Relations from This Component

The following components have a direct aggregation relation from Amazon Secrets Manager Password Storage Schemes:

Properties

The properties supported by this managed object are as follows:


Basic Properties: Advanced Properties:
 description  None
 enabled
 aws-external-server
 default-field

Basic Properties

description

Description
A description for this Password Storage Scheme
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

enabled

Description
Indicates whether the Password Storage Scheme is enabled for use.
Default Value
None
Allowed Values
true
false
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

aws-external-server

Description
The external server with information to use when interacting with the AWS Secrets Manager service.
Default Value
None
Allowed Values
The DN of any Amazon Aws External Server.
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

default-field

Description
The default name of the field in JSON objects contained in the AWS Secrets Manager service that contains the password for the target user. The name of the default JSON field in secret objects whose value will be used as the user's password. This will be used if the encoded password does not contain a field named "field".
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action


dsconfig Usage

To list the configured Password Storage Schemes:

dsconfig list-password-storage-schemes
     [--property {propertyName}] ...

To view the configuration for an existing Password Storage Scheme:

dsconfig get-password-storage-scheme-prop
     --scheme-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing Password Storage Scheme:

dsconfig set-password-storage-scheme-prop
     --scheme-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...

To create a new Amazon Secrets Manager Password Storage Scheme:

dsconfig create-password-storage-scheme
     --scheme-name {name}
     --type amazon-secrets-manager
     --set enabled:{propertyValue}
     --set aws-external-server:{propertyValue}
     [--set {propertyName}:{propertyValue}] ...

To delete an existing Password Storage Scheme:

dsconfig delete-password-storage-scheme
     --scheme-name {name}