diff --git a/services/terraform/dev/.terraform.lock.hcl b/services/terraform/dev/.terraform.lock.hcl
--- a/services/terraform/dev/.terraform.lock.hcl
+++ b/services/terraform/dev/.terraform.lock.hcl
@@ -23,3 +23,23 @@
 "zh:f3de076fa3402768d27af0187c6a677777b47691d1f0f84c9b259ff66e65953e",
 ]
 }
+
+provider "registry.terraform.io/hashicorp/random" {
+ version = "3.5.1"
+ constraints = "3.5.1"
+ hashes = [
+ "h1:IL9mSatmwov+e0+++YX2V6uel+dV6bn+fC/cnGDK3Ck=",
+ "zh:04e3fbd610cb52c1017d282531364b9c53ef72b6bc533acb2a90671957324a64",
+ "zh:119197103301ebaf7efb91df8f0b6e0dd31e6ff943d231af35ee1831c599188d",
+ "zh:4d2b219d09abf3b1bb4df93d399ed156cadd61f44ad3baf5cf2954df2fba0831",
+ "zh:6130bdde527587bbe2dcaa7150363e96dbc5250ea20154176d82bc69df5d4ce3",
+ "zh:6cc326cd4000f724d3086ee05587e7710f032f94fc9af35e96a386a1c6f2214f",
+ "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+ "zh:b6d88e1d28cf2dfa24e9fdcc3efc77adcdc1c3c3b5c7ce503a423efbdd6de57b",
+ "zh:ba74c592622ecbcef9dc2a4d81ed321c4e44cddf7da799faa324da9bf52a22b2",
+ "zh:c7c5cde98fe4ef1143bd1b3ec5dc04baf0d4cc3ca2c5c7d40d17c0e9b2076865",
+ "zh:dac4bad52c940cd0dfc27893507c1e92393846b024c5a9db159a93c534a3da03",
+ "zh:de8febe2a2acd9ac454b844a4106ed295ae9520ef54dc8ed2faf29f12716b602",
+ "zh:eab0d0495e7e711cca367f7d4df6e322e6c562fc52151ec931176115b83ed014",
+ ]
+}
diff --git a/services/terraform/dev/main.tf b/services/terraform/dev/main.tf
--- a/services/terraform/dev/main.tf
+++ b/services/terraform/dev/main.tf
@@ -26,15 +26,17 @@
 dynamic "endpoints" {
 for_each = local.aws_settings.override_endpoint[*]
 content {
- dynamodb = endpoints.value
- s3 = endpoints.value
+ dynamodb = endpoints.value
+ s3 = endpoints.value
+ secretsmanager = endpoints.value
 }
 }
 }
+provider "random" {}
+
 # Shared resources between local dev environment and remote AWS
 module "shared" {
 source = "../modules/shared"
 is_dev = true
 }
-
diff --git a/services/terraform/dev/providers.tf b/services/terraform/dev/providers.tf
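Review bot: `is_dev = true` is passed to the shared module unconditionally, while the endpoint override is optional (`for_each = local.aws_settings.override_endpoint[*]` produces no `endpoints` block when that value is null), so a dev apply with no override configured would talk to real AWS and, per the shared module's `secret_string` ternary in this same change, write a fixed dev token into Secrets Manager under the production name. Tie the flag to the override so the dev path fails closed, e.g. `is_dev = local.aws_settings.override_endpoint != null`, or add a precondition on the module call that rejects `is_dev` without an endpoint override. `local.aws_settings` is defined outside the hunk, so whether `override_endpoint` can actually be null is inferred from the splat rather than confirmed here. The `provider "aws"` block that holds these `endpoints` lines also starts before the hunk.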
--- a/services/terraform/dev/providers.tf
+++ b/services/terraform/dev/providers.tf
@@ -4,5 +4,9 @@
 source = "hashicorp/aws"
 version = "~> 5.7.0"
 }
+ random = {
+ source = "hashicorp/random"
+ version = "3.5.1"
+ }
 }
 }
diff --git a/services/terraform/modules/shared/providers.tf b/services/terraform/modules/shared/providers.tf
--- a/services/terraform/modules/shared/providers.tf
+++ b/services/terraform/modules/shared/providers.tf
@@ -4,5 +4,9 @@
 source = "hashicorp/aws"
 version = "~> 5.7.0"
 }
+ random = {
+ source = "hashicorp/random"
+ version = "3.5.1"
+ }
 }
 }
diff --git a/services/terraform/modules/shared/secretsmanager.tf b/services/terraform/modules/shared/secretsmanager.tf
new file mode 100644
--- /dev/null
+++ b/services/terraform/modules/shared/secretsmanager.tf
@@ -0,0 +1,21 @@
+resource "aws_secretsmanager_secret" "services_token" {
+ name = "servicesToken"
+ description = "Service-to-service access token"
+}
+resource "aws_secretsmanager_secret_version" "services_token" {
+ secret_id = aws_secretsmanager_secret.services_token.id
+ secret_string = var.is_dev ? "super-secret" : random_password.services_token.result
+ version_stages = ["AWSCURRENT"]
+}
+
+# Now we generate a random password for the services token in production
+# until we have rotation configured.
+resource "random_password" "services_token" {
+ length = 32
+ special = true
+ override_special = "!#$%&*-_=+<>?"
+}
+
+output "services_token_id" {
+ value = aws_secretsmanager_secret.services_token.id
+}
diff --git a/services/terraform/remote/.terraform.lock.hcl b/services/terraform/remote/.terraform.lock.hcl
--- a/services/terraform/remote/.terraform.lock.hcl
+++ b/services/terraform/remote/.terraform.lock.hcl
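Review bot: `random_password.services_token` has no `keepers`, so the value generated on the first apply is never regenerated by Terraform; the header comment presents it as a stopgap "until we have rotation configured", but today rotating means `terraform apply -replace=random_password.services_token`, and the comment should say that explicitly so nobody assumes the token already changes over time. As with any Terraform-managed secret, both `random_password.services_token.result` and the `secret_string` of `aws_secretsmanager_secret_version.services_token` are persisted in state in plaintext, so the state backend needs the same access restrictions as the secret itself; a one-line comment on the `secret_string` line, `# NOTE: value is stored in Terraform state — keep the backend encrypted and access-restricted`, makes that visible to whoever touches this next. The `random_password` resource is also created when `var.is_dev` is true even though the ternary discards its result; gating it with `count = var.is_dev ? 0 : 1` and referencing `random_password.services_token[0].result` keeps dev state from carrying an unused generated secret. No `kms_key_id` is set on `aws_secretsmanager_secret.services_token`, so it falls back to the provider default; if a customer-managed key is used for other secrets in this repo, set it here too.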
@@ -38,3 +38,23 @@
 "zh:f3de076fa3402768d27af0187c6a677777b47691d1f0f84c9b259ff66e65953e",
 ]
 }
+
+provider "registry.terraform.io/hashicorp/random" {
+ version = "3.5.1"
+ constraints = "3.5.1"
+ hashes = [
+ "h1:IL9mSatmwov+e0+++YX2V6uel+dV6bn+fC/cnGDK3Ck=",
+ "zh:04e3fbd610cb52c1017d282531364b9c53ef72b6bc533acb2a90671957324a64",
+ "zh:119197103301ebaf7efb91df8f0b6e0dd31e6ff943d231af35ee1831c599188d",
+ "zh:4d2b219d09abf3b1bb4df93d399ed156cadd61f44ad3baf5cf2954df2fba0831",
+ "zh:6130bdde527587bbe2dcaa7150363e96dbc5250ea20154176d82bc69df5d4ce3",
+ "zh:6cc326cd4000f724d3086ee05587e7710f032f94fc9af35e96a386a1c6f2214f",
+ "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+ "zh:b6d88e1d28cf2dfa24e9fdcc3efc77adcdc1c3c3b5c7ce503a423efbdd6de57b",
+ "zh:ba74c592622ecbcef9dc2a4d81ed321c4e44cddf7da799faa324da9bf52a22b2",
+ "zh:c7c5cde98fe4ef1143bd1b3ec5dc04baf0d4cc3ca2c5c7d40d17c0e9b2076865",
+ "zh:dac4bad52c940cd0dfc27893507c1e92393846b024c5a9db159a93c534a3da03",
+ "zh:de8febe2a2acd9ac454b844a4106ed295ae9520ef54dc8ed2faf29f12716b602",
+ "zh:eab0d0495e7e711cca367f7d4df6e322e6c562fc52151ec931176115b83ed014",
+ ]
+}
diff --git a/services/terraform/remote/main.tf b/services/terraform/remote/main.tf
--- a/services/terraform/remote/main.tf
+++ b/services/terraform/remote/main.tf
@@ -8,6 +8,7 @@
 }
 }
+provider "random" {}
 provider "sops" {}
 data "sops_file" "secrets_json" {
diff --git a/services/terraform/remote/providers.tf b/services/terraform/remote/providers.tf
--- a/services/terraform/remote/providers.tf
+++ b/services/terraform/remote/providers.tf
@@ -9,5 +9,10 @@
 source = "carlpett/sops"
 version = "0.7.2"
 }
+
+ random = {
+ source = "hashicorp/random"
+ version = "3.5.1"
+ }
 }
 }