Automation Suite on EKS/AKS installation guide
You can configure AWS Secrets Manager as a secretstore using either of the following auth methods:
- Node IAM Role - uses the IAM role attached to the EC2 instance where the ESO pod runs
- Access Keys (Static Credentials)
AWS Secrets Manager stores secrets as key-value pairs or plaintext strings.
By default, all sensitive data is defined in input.json. You can separate this data into two parts:
- input.json - contains only configuration data.
- AWS Secrets Manager - stores credentials securely.
You cannot store certificate paths or certificate-related credentials as part of the secretstore.
Using Node IAM Role
The pod inherits permissions from the node's instance profile via the default AWS credential chain. No Kubernetes secret or additional configuration is needed.
Prerequisites
- IAM role attached to the EKS/EC2 node with secretsmanager:GetSecretValue and secretsmanager:ListSecrets permissions
- IAM role assigned to the instance profile of the nodes running the ESO pod
Configuring input.json
To configure AWS Secrets Manager as a secretstore using Node IAM Role, add the following section to input.json:
{
  "secret_store": {
    "enabled": true,
    "provider_configs": [
      {
        "name": "aws-prod",
        "type": "aws",
        "aws_kv": {
          "region": "us-east-1"
        }
      }
    ]
  }
}
Configuring the required IAM policy
- Create the IAM policy using the following definition:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
          "Resource": "arn:aws:secretsmanager:<region>:<account-id>:secret:*"
        },
        {
          "Effect": "Allow",
          "Action": ["secretsmanager:ListSecrets"],
          "Resource": "*"
        }
      ]
    }

- Run the following command to create the policy:

    aws iam create-policy \
      --policy-name ESOSecretsManagerPolicy \
      --policy-document file://secrets-manager-policy.json

- Attach the policy to the IAM role associated with the node instance profile:

    aws iam attach-role-policy \
      --role-name <your-role-attached-to-node> \
      --policy-arn arn:aws:iam::<your-account-id>:policy/ESOSecretsManagerPolicy
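The policy above lets the node role read every secret in the account and region, because its Resource ends in `secret:*`. The following added example (not part of the UiPath documentation) flags that grant and narrows it to a name prefix; the `uipath/` prefix, the account ID and the function names are assumptions, and `secretsmanager:ListSecrets` keeps `"Resource": "*"` because it does not accept a secret ARN.

```python
import copy

# The policy from the step above; region and account ID are constructed placeholders.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
         "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:*"},
        {"Effect": "Allow", "Action": ["secretsmanager:ListSecrets"], "Resource": "*"},
    ],
}
# Actions that operate on one secret and therefore honour a secret ARN in Resource.
PER_SECRET = {"secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"}

def as_list(value):
    """IAM allows Action and Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def account_wide_grants(policy):
    """Return (action, resource) pairs that allow a per-secret action on every secret."""
    hits = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt["Action"]):
            for res in as_list(stmt["Resource"]):
                if action in PER_SECRET and (res == "*" or res.endswith(":secret:*")):
                    hits.append((action, res))
    return hits

def scope_to_prefix(policy, prefix):
    """Return a copy whose per-secret statements only match secrets named <prefix>*."""
    scoped = copy.deepcopy(policy)
    for stmt in scoped["Statement"]:
        if PER_SECRET & set(as_list(stmt["Action"])):
            # Hypothetical naming convention: all ESO-readable secrets share one prefix.
            stmt["Resource"] = [r[:-1] + prefix + "*" if r.endswith(":secret:*") else r
                                for r in as_list(stmt["Resource"])]
    return scoped
```

Secrets referenced from input.json must then be created under the chosen prefix, otherwise ESO receives AccessDenied when it fetches them.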
Using Access Keys
The Access Keys method uses an explicit AWS access key ID and secret access key stored in a Kubernetes secret. This method is suitable for non-EKS environments or when node IAM roles are not available.
Prerequisites
- AWS IAM user with secretsmanager:GetSecretValue permissions
- Kubernetes secret pre-created with access key credentials
Configuring input.json
To configure AWS Secrets Manager as a secretstore using Access Keys, take the following steps:
- Create the Kubernetes secret that stores the AWS credentials:

    kubectl create secret generic aws-credentials \
      --namespace uipath \
      --from-literal=access-key-id=<your-access-key-id> \
      --from-literal=secret-access-key=<your-secret-access-key>

  The secret must contain the following keys:
  - access-key-id - AWS Access Key ID
  - secret-access-key - AWS Secret Access Key

- Add the following section to input.json:

    {
      "secret_store": {
        "enabled": true,
        "provider_configs": [
          {
            "name": "aws-prod",
            "type": "aws",
            "credentials_secret_name": "aws-credentials",
            "aws_kv": {
              "region": "us-east-1"
            }
          }
        ]
      }
    }
Configuration fields
The following table describes the available configuration fields.
| Field | Required | Description |
|---|---|---|
| aws_kv.region | Yes | AWS region where secrets are stored (for example, us-east-1) |
| credentials_secret_name | No | Kubernetes secret containing access key credentials. If not set, the node IAM role is used. |
Referencing secrets in input.json
To reference a credential stored in AWS Secrets Manager, use one of the following formats in input.json:
- Plain string: vault/aws-prod/secret-name
- JSON property extraction: vault/aws-prod/secret-name?key=password
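A pre-flight check for the two reference formats above, as an added example (not UiPath code): it walks input.json, parses every vault/ reference, and reports references whose provider name has no matching provider_configs entry, plus AWS providers that lack aws_kv.region. The function names, the `example_db` keys and the rule that everything after the second `/` is the secret name are assumptions.

```python
from urllib.parse import parse_qs

# Constructed sample: "example_db" and its keys are placeholders, not real input.json fields.
SAMPLE = {
    "secret_store": {"enabled": True, "provider_configs": [
        {"name": "aws-prod", "type": "aws", "aws_kv": {"region": "us-east-1"}},
        {"name": "aws-gov", "type": "aws", "credentials_secret_name": "aws-credentials",
         "aws_kv": {}}]},
    "example_db": {"password": "vault/aws-prod/prod/db-creds?key=password",
                   "token": "vault/aws-dev/token",
                   "bad": "vault/aws-prod/db-creds?field=password"},
}

def parse_ref(value):
    """Split vault/<provider>/<secret-name>[?key=<property>]; None if not a reference."""
    if not isinstance(value, str) or not value.startswith("vault/"):
        return None
    path, _, query = value.partition("?")
    parts = path.split("/", 2)  # assumption: secret names may themselves contain "/"
    if len(parts) != 3 or not parts[1] or not parts[2]:
        raise ValueError("expected vault/<provider>/<secret-name>")
    key = parse_qs(query).get("key", [None])[0]
    if query and not key:
        raise ValueError("query must be ?key=<property>")
    return parts[1], parts[2], key

def check(doc):
    """Return sorted (json_path, problem) findings for references that cannot resolve."""
    providers = {p["name"]: p for p in doc.get("secret_store", {}).get("provider_configs", [])}
    findings = []
    def walk(node, path):
        if isinstance(node, dict):
            for k, v in node.items():
                walk(v, f"{path}.{k}" if path else k)
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, f"{path}[{i}]")
        else:
            try:
                ref = parse_ref(node)
            except ValueError as exc:
                findings.append((path, str(exc)))
                return
            if ref and ref[0] not in providers:
                findings.append((path, f"unknown provider {ref[0]!r}"))
    walk(doc, "")
    for name, p in providers.items():
        if p.get("type") == "aws" and not p.get("aws_kv", {}).get("region"):
            findings.append((f"secret_store.provider_configs[{name}]", "aws_kv.region is required"))
    return sorted(findings)
```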
Using AWS GovCloud
If you are using AWS GovCloud, set the region field to an AWS GovCloud region (for example, us-gov-west-1 or us-gov-east-1). No other configuration changes are required - the region value determines the AWS partition and endpoints used.
{
  "secret_store": {
    "enabled": true,
    "provider_configs": [
      {
        "name": "aws-gov",
        "type": "aws",
        "credentials_secret_name": "aws-credentials",
        "aws_kv": {
          "region": "us-gov-west-1"
        }
      }
    ]
  }
}