Strategy One

Configure Cross-account AWS Secret Manager Vault Connections with a Default IAM Role Mode

The following functionality is only available for Managed Cloud Enterprise (MCE) environments.

Starting in Strategy One (May 2026), you can configure cross-account Amazon Web Services (AWS) Secret Manager vault connections using a default IAM role for a more secure workflow.

Strategy requires the remote AWS account ID for each AWS Secrets Manager vault connection with a default IAM role mode. It also requires the Strategy AWS Default IAM role to be granted as the AWS Secrets Manager read secret permissions and KMS decrypt key permission in remote AWS account.

Prerequisites

Consider the following for your AWS Secrets Manager:

  • A secret that includes the username and password for your database must use the following JSON format: {"username": "my-username", "password": "my-password"}

  • To allow cross-account access, the secret must be encrypted by a Customer Managed Key (CMK) and granted the Strategy AWS default IAM role that allows it to decrypt the key.

Create a Customer Managed Key

  1. Contact the Strategy Support team for the Strategy AWS Default IAM role ARN that is used in the AWS MCE environment.

  2. In AWS, find your secret.

  3. Expand the Actions drop-down list and choose Edit encryption key.

  4. Click Add new key.

  5. In the KMS page, click Create key.

  6. Select a Key type and Key usage.

  7. Expand Advanced options.

  8. In Key material origin, select KMS.

  9. In Regionality, select Single-Region key.

  10. Click Next.

  11. Optional add labels, define key administrative permissions, and define key usage permissions.

  12. In Step 5: Edit key policy, add a new key policy to allow the Strategy Default IAM role to decrypt the CMK. For example, see the following policy:

    Copy 
    {
        "Sid": "AllowClusterRoleFromAccountAToUseKey",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::490650638888:role/cluster-7et0lx2q-node-instance-iam-role"
        },
        "Action": [
            "kms:Decrypt",
            "kms:DescribeKey"
        ],
        "Resource": "*"
    }

  13. Click Next.

  14. Review the changes and click Finish.

  15. Find your secret, expand the Actions drop-down list, and choose Edit encryption key.

  16. In Encryption key, refresh and choose the key you created above.

  17. Click Save.

Grant Permission to the Strategy AWS Default IAM Role

  1. If you did not previously request the ARN, contact the Strategy Support team for the Strategy AWS default IAM role ARN that is used in the AWS MCE environment.

  2. Go to the AWS Secrets Manager, click the secret page.

  3. In Resource permissions, click Edit permissions.

  4. Add a resource policy to grant permission.

    • In "Principal": "AWS", enter the Strategy AWS Default IAM role ARN.

    • In Resource, enter the Secret ARN.

      You can find the Secret ARN value in the Secret details.

    See the following policy example:

    Copy 
    {
      "Version" : "2012-10-17",
      "Statement" : [ {
        "Sid" : "AllowAccountARoleToReadSecret",
        "Effect" : "Allow",
        "Principal" : {
          "AWS" : "arn:aws:iam::490650638888:role/cluster-7et0lx2q-node-instance-iam-role"
        },
        "Action" : "secretsmanager:GetSecretValue",
        "Resource" : "arn:aws:secretsmanager:us-west-2:448049832177:secret:mstr-secret-test-5m93MF"
      } ]
    }

  5. Click Save.

Create an AWS Secrets Manager Vault Connection with a Default IAM Role Mode

  1. Open the Workstation window.
  2. In the Navigation pane, click Data Sources.
  3. Click the Vault Connections tab.
  4. Click Add New Vault Connection.
  5. Enter values in the following fields:
    • Name: Type a name for your connection.
    • Type: Choose AWS Secrets Manager.
    • Authentication Mode: Choose Default IAM Role.
    • Region: Type the AWS region where the secret is stored.
  6. Click Save.

Validate the Vault Connection with Default IAM Role Mode

  1. Open the Workstation window.
  2. In the Navigation pane, click Data Sources.
  3. Click the Database Logins tab.
  4. Click Add New Database Login.
  5. Toggle on Use Vault.
  6. Type a database login Name.
  7. Optionally type a Description.
  8. Expand the Type drop-down list and choose AWS Secrets Manager.
  9. Expand the Vault Connection drop-down list and choose your newly created vault connection.
  10. In Secret Name, type your Secret ARN.
  11. Click Save.