Credentials Provider Configuration

We are trying to configure Credentials Provider to use the SailPoint ISC PTA workflows for Security Group Creation.

During configuration we are observing the below error:

Error while fetching secret secrets://TestSecretManager/arn:aws:secretsmanager:us-east-1:676206545666:secret:test_AdEnv_service_account_cred-fwKuop : 1 validation error detected: Value null at ‘secretId’ failed to satisfy constraint: Member must not be null (Service: SecretsManager, Status Code: 400, Request ID: be77e17f-5c6f-480b-9dc7-93cc4dcb8840) (SDK Attempt Count: 1), Please verify provided secret expression

In the credential provider, the authentication type is IAM Role.

Has anyone faced a similar error? Any inputs will help.

@tanaychouhan1 -

Below is a quick triage checklist that usually clears the “Value null at ‘secretId’ failed to satisfy constraint” error when you call AWS Secrets Manager from the SailPoint IdentityNow (IDN) Credentials Provider.


1 Check the secret‑path expression first (> 80 % of cases)

| What to verify | Correct pattern | Typical pitfall |
|---|---|---|
| Prefix | secrets:// | Misspelled/missing |
| Provider alias | TestSecretManager (must match the alias you created in Admin → Connections → Credential Providers) | Typo or wrong alias |
| Secret ARN / name | URL-encoded ARN: arn%3Aaws%3Asecretsmanager%3Aus-east-1%3A676206545666%3Asecret%3Atest_AdEnv_service_account_cred-fwKuop | Leaving the ARN unencoded (colons and slashes break the parser, so secretId becomes null) |
| Secret-key part (if you stored JSON) | /password (or /username) | Omitting the key when your secret is JSON |
| Optional query | ?versionStage=AWSCURRENT etc. | Un-encoded @, \, or spaces |

Good examples

Plain‑text secret

secrets://TestSecretManager/arn%3Aaws%3Asecretsmanager%3Aus-east-1%3A676206545666%3Asecret%3Atest_AdEnv_service_account_cred-fwKuop

JSON secret – fetch the password property

secrets://TestSecretManager/arn%3Aaws%3Asecretsmanager%3Aus-east-1%3A676206545666%3Asecret%3Atest_AdEnv_service_account_cred-fwKuop/password

(Path syntax confirmed in SailPoint docs) - AWS Secrets Manager Credential Provider Secret Path Expressions

Tip: Use a URL‑encoder (e.g., urlencoder.org) for everything after secrets://<alias>/.


2 Validate the IAM role

The IAM role that the IDN execution service (Cloud Connector Gateway / VA) assumes must allow:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadTheOneSecret",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret"
      ],
      "Resource": "arn:aws:secretsmanager:us-east-1:676206545666:secret:test_AdEnv_service_account_cred-fwKuop*"
    },
    {
      "Sid": "DecryptWithCustomerManagedKey",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "<KMS-key-ARN-if-secret-is-CMK-encrypted>"
    }
  ]
}

Missing GetSecretValue gives AccessDenied; the “null secretId” message appears before the SDK call, so fix the path first, then permissions.


3 Other quick checks

| Check | Why / what to do |
|---|---|
| Region mismatch | Provider config region must be us-east-1 if that's where the secret lives. |
| Execution environment | Make sure the VA / Connector host is actually assuming the IAM role you selected (look in the VA log for Assumed role:…). |
| Secret format | If you're storing a JSON blob, include the key (e.g., /password). For plain text, omit the key. |
| Validate with AWS CLI | From the same subnet / role: aws secretsmanager get-secret-value --secret-id test_AdEnv_service_account_cred-fwKuop --region us-east-1 proves the secret itself is healthy. |

Cheers!!!
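The path-expression rules and the JSON-key behaviour from the checklist above, as an added pre-flight helper that is not part of the original post and not SailPoint's code. It assumes the simplified layout `secrets://<alias>/<url-encoded SecretId>[/<json-key>][?versionStage=...]` as described in the answer (SailPoint's real parser is not reproduced), and the alias, ARN and JSON secret payload are constructed sample values. `build_expression` produces the encoded form, `parse_expression` rejects the mistakes the checklist lists (missing prefix, empty SecretId, unencoded colons), and `resolve_secret` applies the optional key to a fetched SecretString:

```python
"""Added example: build and lint 'secrets://' path expressions for the
IdentityNow AWS Secrets Manager Credential Provider.

Assumed layout (model of the documented syntax, not SailPoint's parser):
    secrets://<alias>/<url-encoded SecretId>[/<json-key>][?versionStage=...]
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, quote, unquote

SCHEME = "secrets://"


@dataclass(frozen=True)
class SecretRef:
    alias: str
    secret_id: str              # decoded ARN or friendly name handed to GetSecretValue
    key: Optional[str] = None   # JSON property to select; None for plain-text secrets
    version_stage: Optional[str] = None


def build_expression(alias: str, secret_id: str, key: Optional[str] = None,
                     version_stage: Optional[str] = None) -> str:
    """Percent-encode everything after 'secrets://<alias>/'.
    safe='' makes quote() encode ':' and '/' too, which is what the ARN needs."""
    expr = f"{SCHEME}{alias}/{quote(secret_id, safe='')}"
    if key:
        expr += "/" + quote(key, safe="")
    if version_stage:
        expr += "?versionStage=" + quote(version_stage, safe="")
    return expr


def parse_expression(expr: str) -> SecretRef:
    """Split an expression into its parts, raising ValueError for the
    checklist's pitfalls: wrong prefix, empty alias/SecretId, raw ':' or
    extra '/' that should have been URL-encoded."""
    if not expr.startswith(SCHEME):
        raise ValueError("expression must start with secrets://")
    path, _, query = expr[len(SCHEME):].partition("?")
    segments = path.split("/")
    if len(segments) < 2 or not segments[0]:
        raise ValueError("expected secrets://<alias>/<SecretId>")
    alias, raw_id = segments[0], segments[1]
    if not raw_id:
        raise ValueError("SecretId is empty (this is the 'Value null at secretId' symptom)")
    if ":" in raw_id:
        raise ValueError("SecretId contains an unencoded ':'; URL-encode the ARN")
    if len(segments) > 3:
        raise ValueError("too many path segments; encode '/' inside the SecretId or key")
    key = unquote(segments[2]) if len(segments) == 3 and segments[2] else None
    stage = parse_qs(query).get("versionStage", [None])[0]
    return SecretRef(alias, unquote(raw_id), key, stage)


def rejects(expr: str) -> bool:
    """True when parse_expression refuses the expression (used for negative checks)."""
    try:
        parse_expression(expr)
    except ValueError:
        return True
    return False


def resolve_secret(ref: SecretRef, secret_string: str) -> str:
    """Apply the optional key part to a fetched SecretString: plain-text
    secrets are returned as-is, JSON secrets must name the property wanted."""
    if ref.key is None:
        return secret_string
    try:
        payload = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        raise ValueError("a key was given but the secret is not JSON") from exc
    if ref.key not in payload:
        raise KeyError(f"key {ref.key!r} not found in secret JSON")
    return str(payload[ref.key])


# Constructed sample values (the ARN mirrors the one quoted in the thread).
SAMPLE_ALIAS = "TestSecretManager"
SAMPLE_ARN = ("arn:aws:secretsmanager:us-east-1:676206545666:secret:"
              "test_AdEnv_service_account_cred-fwKuop")
SAMPLE_JSON_SECRET = '{"username": "svc_ad", "password": "Example#Pass1"}'

if __name__ == "__main__":
    expr = build_expression(SAMPLE_ALIAS, SAMPLE_ARN, key="password")
    print(expr)
    ref = parse_expression(expr)
    print(ref.secret_id, "->", resolve_secret(ref, SAMPLE_JSON_SECRET))
    # The unencoded form from the original question is refused up front.
    print("unencoded ARN rejected:", rejects(f"{SCHEME}{SAMPLE_ALIAS}/{SAMPLE_ARN}"))
```

Run it before saving the provider configuration: if `parse_expression` raises on the string you are about to paste, the expression is malformed regardless of what the IAM role allows, which matches the answer's advice to fix the path first and permissions second.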

Hi Sukanta, I work with Tanay and took a look at this issue today. I am seeing something odd in the error message: it refers to “secretId”, but the correct attribute name is “SecretId” and it is case sensitive. We have confirmed that the secret is returned via AWS CLI and “SecretId” is the correct name for the attribute. Is SailPoint changing the case on that attribute name?

Thanks @sukanta_biswas for your inputs. We have managed to establish connectivity.

This time we are facing a different error on the Active Directory Action Command. It says “command invocation expired”. Any idea on this?