
How to configure AWS Secrets Manager with Domino Data Lab for secure, repeatable access


Your data scientists finally built a model that predicts downtime hours before it happens. Nice. But now they need credentials for an S3 bucket, three databases, and a private API. One Slack message later, someone just pasted a secret into chat. You sigh. Then you remember AWS Secrets Manager and Domino Data Lab can stop this circus cold.

AWS Secrets Manager stores and rotates credentials so teams never share passwords by hand. Domino Data Lab orchestrates reproducible data science environments where models and experiments run under controlled permissions. Together they let you automate secure access to everything from Redshift to internal APIs, without ever exposing secrets to your notebook cells.

Picture it like this: AWS Secrets Manager holds the keys, IAM defines who can borrow them, and Domino acts as the valet—fetching those keys only for authorized runs. Instead of embedding credentials in your environment variables forever, Domino can request short-lived tokens through IAM roles or the AWS SDK at runtime. That means if someone clones your project, the secrets stay behind the vault door.

To integrate the two, link Domino’s workspace environment variables to AWS Secrets Manager references. Use IAM roles mapped to your Domino users or compute environments. When a job starts, it reads its secrets directly from AWS, using the permissions of the running identity. No local copies, no manual rotation. Just clean, auditable access.

If you manage multiple user tiers, map role-based access controls (RBAC) from Domino groups to IAM policies. Data scientists get read access to analytics data. Platform admins get update rights for secret definitions. Then set automatic rotation intervals inside Secrets Manager. You sleep better knowing every credential refreshes before an audit forces you to.


Benefits of using AWS Secrets Manager with Domino Data Lab:

  • Secrets never live in notebooks or git histories
  • Automatic rotation keeps compliance happy
  • Fine-grained IAM roles reduce lateral exposure
  • Reproducible pipelines stay fully portable
  • Observability improves with clear audit logs of access events

Developers feel the speed too. No more ticketing hell for database credentials. Faster onboarding, fewer broken notebooks, and no waiting on ops for one missing secret. Every experiment runs with consistent policies, which means fewer “works on my machine” headaches.

Platforms like hoop.dev take this one step further. They translate those access rules into runtime policy enforcement, ensuring your proxies and notebooks inherit the same least-privilege model no matter where they run. You configure once, and compliance follows automatically.

How do I connect AWS Secrets Manager to Domino Data Lab?
Grant Domino’s compute environment IAM permissions to retrieve specific secrets, then reference those secrets by name in Domino environment variables. Domino fetches them on job launch, ensuring credentials exist only in memory during runtime.
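An added example, not from the original post or from Domino or AWS: a Python check that audits the IAM policy attached to a compute role, confirming that retrieval is limited to specific secrets and that the read-only tier has no update rights. The function names, sample policies, account ID and secret name are assumptions made for illustration.

```python
import fnmatch

READ = "secretsmanager:GetSecretValue"
# Actions that change secrets; the article reserves these for platform admins.
WRITES = ["secretsmanager:CreateSecret", "secretsmanager:PutSecretValue",
          "secretsmanager:UpdateSecret", "secretsmanager:DeleteSecret"]

def _listify(v):
    return v if isinstance(v, list) else [v]

def _grants(patterns, action):
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def _names_a_secret(arn):
    # arn:aws:secretsmanager:<region>:<account>:secret:<name>; the name needs literal text.
    parts = arn.split(":", 6)
    return len(parts) == 7 and parts[5] == "secret" and parts[6].strip("*?") != ""

def audit_reader_policy(policy):
    """Findings for an identity policy meant to give a job read-only access to named secrets."""
    findings = []
    for i, stmt in enumerate(_listify(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource grants everything not listed")
            continue
        actions = _listify(stmt.get("Action", []))
        writes = [a for a in WRITES if _grants(actions, a)]
        if writes:
            findings.append(f"statement {i}: reader can modify secrets via {writes}")
        if _grants(actions, READ):
            for arn in _listify(stmt.get("Resource", [])):
                if not _names_a_secret(arn):
                    findings.append(f"statement {i}: GetSecretValue on unscoped resource {arn!r}")
    return findings

# Constructed sample policies (placeholder account ID, made-up secret name).
WEAK = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "secretsmanager:*", "Resource": "*"}]}
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
     "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:domino/analytics-db-??????"}]}

if __name__ == "__main__":
    for name, pol in (("WEAK", WEAK), ("SCOPED", SCOPED)):
        print(name, audit_reader_policy(pol) or "ok")
```

The `-??????` suffix in the scoped ARN matches the six random characters Secrets Manager appends to a secret's ARN, so the policy names one secret without hard-coding the suffix.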

As AI copilots and agents start handling model deployment, this pattern matters even more. A bot that triggers your pipeline must respect identity boundaries. Secrets Manager ensures AI automation reads only the keys it truly needs, nothing more.

Security doesn’t have to slow science. With AWS Secrets Manager and Domino Data Lab, you get reproducibility without risk, and velocity without shortcuts.

See an Environment Agnostic Identity-Aware Proxy in action with hoop.dev. Deploy it, connect your identity provider, and watch it protect your endpoints everywhere—live in minutes.
