mulesoft · issuvarna1 · Apr 17, 2026
@@ -39,7 +39,7 @@ In the *Configuration XML* editor, the configuration looks like this:
 	</aws-secrets-manager-properties-override:config>
 ----
 
-If you do not provide credentials, the default AWS connection follows the https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/credentials-chain.html[default credentials provider chain - AWS SDK for Java 2.x^].
+If you do not provide credentials, the default AWS connection follows the https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/credentials-chain.html[default credentials provider chain - AWS SDK for Java 2.x^]. This chain enables you to supply AWS credentials and the region through runtime environment variables (for example, `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_REGION`) instead of hardcoding them in the Mule app configuration. For the list of supported environment variables and a configuration example, see xref:amazon-secrets-manager-properties-provider-reference.adoc#environment-variables[Environment Variables].
 
 == Configure AWS Secrets Manager Using a JSON String
 

@@ -41,6 +41,45 @@ Default Configuration for Amazon Secrets Manager Properties Provider.
 
 Amazon Secrets Manager Properties Provider doesn't support the use of property files for the configuration of the properties provider. 
 
+== Environment Variables
+
+If you do not provide the *AWS Access Key*, *AWS Secret Key*, or *AWS Secrets Manager Region* values in the configuration, Amazon Secrets Manager Properties Provider uses the https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/credentials-chain.html[default credentials provider chain - AWS SDK for Java 2.x^] to resolve credentials and the region from the runtime environment. This capability enables you to avoid hardcoding AWS credentials in the Mule app configuration.
+
+Use the following environment variables to configure the behavior of Amazon Secrets Manager Properties Provider from the environment instead of specifying parameters in the Mule app configuration:
+
+- `AWS_ACCESS_KEY_ID`
+- `AWS_SECRET_ACCESS_KEY`
+- `AWS_SESSION_TOKEN` (required only when using temporary credentials)
+- `AWS_REGION`
+
+These variables are stored in secure configuration files with the values encrypted. During execution, the runtime decrypts these values and they remain in memory in their decrypted state. For more information, refer to xref:cloudhub-2::ch2-protect-app-props.adoc[].
+
+Alternatively, you can set the equivalent Java system properties: `aws.accessKeyId`, `aws.secretAccessKey`, `aws.sessionToken`, and `aws.region`. For the full list of credential sources and the order in which they are evaluated, refer to the https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/credentials-chain.html[default credentials provider chain - AWS SDK for Java 2.x^].
+
+=== Authenticate Through Environment Variables
+
+To authenticate to Amazon Secrets Manager using environment variables, set the following environment variables:
+
+* `AWS_ACCESS_KEY_ID`
+* `AWS_SECRET_ACCESS_KEY`
+* `AWS_REGION`
+
+Refer to xref:mule-runtime::setting-environment-variables.adoc[] for details.
+
+If you do not set the *AWS Access Key*, *AWS Secret Key*, or *AWS Secrets Manager Region* attributes in the configuration, the properties provider uses the values from the environment variables.
+
+In the XML configuration, you can omit the credential attributes when you rely on environment variables:
+
+[source,xml,linenums]
+----
+<!-- Configuration using environment variables for AWS credentials and region -->
+<aws-secrets-manager-properties-override:config name="AWS_Secrets_Manager_Properties_Override_Config" doc:name="AWS Secrets Manager Properties Override Config">
+    <aws-secrets-manager-properties-override:basic-connection />
+</aws-secrets-manager-properties-override:config>
+----
+
+If the properties provider cannot resolve credentials or the region from the configuration, environment variables, or any other source in the default credentials provider chain, the Mule app fails to start.
+
 == See Also
 
 * xref:connectors::introduction/introduction-to-anypoint-connectors.adoc[Introduction to Anypoint Connectors]

@@ -40,7 +40,7 @@ In the *Configuration XML* editor, the configuration looks like this:
 	</aws-secrets-manager-properties-override:config>
 ----
 
-If you do not provide credentials, the default AWS connection follows the https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/credentials-chain.html[default credentials provider chain - AWS SDK for Java 2.x^].
+If you do not provide credentials, the default AWS connection follows the https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/credentials-chain.html[default credentials provider chain - AWS SDK for Java 2.x^]. This chain enables you to supply AWS credentials and the region through runtime environment variables (for example, `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_REGION`) instead of hardcoding them in the Mule app configuration. For the list of supported environment variables and a configuration example, see xref:amazon-secrets-manager-properties-provider-reference.adoc#environment-variables[Environment Variables].
 
 == Configure AWS Secrets Manager Using a JSON String
 

@@ -42,6 +42,45 @@ Default Configuration for Amazon Secrets Manager Properties Provider.
 
 Amazon Secrets Manager Properties Provider doesn't support the use of property files for the configuration of the properties provider. 
 
+== Environment Variables
+
+If you do not provide the *AWS Access Key*, *AWS Secret Key*, or *AWS Secrets Manager Region* values in the configuration, Amazon Secrets Manager Properties Provider uses the https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/credentials-chain.html[default credentials provider chain - AWS SDK for Java 2.x^] to resolve credentials and the region from the runtime environment. This capability enables you to avoid hardcoding AWS credentials in the Mule app configuration.
+
+Use the following environment variables to configure the behavior of Amazon Secrets Manager Properties Provider from the environment instead of specifying parameters in the Mule app configuration:
+
+- `AWS_ACCESS_KEY_ID`
+- `AWS_SECRET_ACCESS_KEY`
+- `AWS_SESSION_TOKEN` (required only when using temporary credentials)
+- `AWS_REGION`
+
+These variables are stored in secure configuration files with the values encrypted. During execution, the runtime decrypts these values and they remain in memory in their decrypted state. For more information, refer to xref:cloudhub-2::ch2-protect-app-props.adoc[].
+
+Alternatively, you can set the equivalent Java system properties: `aws.accessKeyId`, `aws.secretAccessKey`, `aws.sessionToken`, and `aws.region`. For the full list of credential sources and the order in which they are evaluated, refer to the https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/credentials-chain.html[default credentials provider chain - AWS SDK for Java 2.x^].
+
+=== Authenticate Through Environment Variables
+
+To authenticate to Amazon Secrets Manager using environment variables, set the following environment variables:
+
+* `AWS_ACCESS_KEY_ID`
+* `AWS_SECRET_ACCESS_KEY`
+* `AWS_REGION`
+
+Refer to xref:mule-runtime::setting-environment-variables.adoc[] for details.
+
+If you do not set the *AWS Access Key*, *AWS Secret Key*, or *AWS Secrets Manager Region* attributes in the configuration, the properties provider uses the values from the environment variables.
+
+In the XML configuration, you can omit the credential attributes when you rely on environment variables:
+
+[source,xml,linenums]
+----
+<!-- Configuration using environment variables for AWS credentials and region -->
+<aws-secrets-manager-properties-override:config name="AWS_Secrets_Manager_Properties_Override_Config" doc:name="AWS Secrets Manager Properties Override Config">
+    <aws-secrets-manager-properties-override:basic-connection />
+</aws-secrets-manager-properties-override:config>
+----
+
+If the properties provider cannot resolve credentials or the region from the configuration, environment variables, or any other source in the default credentials provider chain, the Mule app fails to start.
+
 == See Also
 
 * xref:connectors::introduction/introduction-to-anypoint-connectors.adoc[Introduction to Anypoint Connectors]