Region — AWS region of the secrets (e.g., us-east-1).
Authentication methods
Access Key — Access Key Id, Secret Access Key, Region. Long-lived
IAM user credentials; cannot be rotated automatically. Least preferred for
production.
Role Arn (AssumeRole) ⭐ (recommended) — Role Arn, optional
External Id, Region. Polysync calls STS AssumeRole to obtain
short-lived, automatically-rotated credentials. Works across accounts.
Permissions checklist
The IAM role/user must allow secretsmanager:GetSecretValue and
secretsmanager:DescribeSecret on every secret Polysync needs.
For AssumeRole, configure the role's trust policy to allow the Polysync
account/identity to assume it.