diff --git a/services/terraform/dev/.terraform.lock.hcl b/services/terraform/dev/.terraform.lock.hcl
index ebcfbb40f..70f6bafe8 100644
--- a/services/terraform/dev/.terraform.lock.hcl
+++ b/services/terraform/dev/.terraform.lock.hcl
@@ -1,25 +1,45 @@
 # This file is maintained automatically by "terraform init".
 # Manual edits may be lost in future updates.
 provider "registry.terraform.io/hashicorp/aws" {
 version = "5.7.0"
 constraints = "~> 5.7.0"
 hashes = [
 "h1:gCmR7VjmH1RSMC6eaZRr37iGRDGBgzCPWomHHpeMEgA=",
 "zh:03240d7fc041d5331db7fd5f2ca4fe031321d07d2a6ca27085c5020dae13f211",
 "zh:0b5252b14c354636fe0348823195dd901b457de1a033015f4a7d11cfe998c766",
 "zh:2bfb62325b0487be8d1850a964f09cca0d45148faec577459c2a24334ec9977b",
 "zh:2f9e317ffc57d2b5117cfe8dc266f88aa139b760bc93d8adeed7ad533a78b5a3",
 "zh:36512725c9d7c559927b98fead04be58494a3a997e5270b905a75a468e307427",
 "zh:5483e696d3ea764f746d3fe439f7dcc49001c3c774122d7baa51ce01011f0075",
 "zh:5967635cc14f969ea26622863a2e3f9d6a7ddd3e7d35a29a7275c5e10579ac8c",
 "zh:7e63c94a64af5b7aeb36ea6e3719962f65a7c28074532c02549a67212d410bb8",
 "zh:8a7d5f33b11a3f5c7281413b431fa85de149ed8493ec1eea73d50d2d80a475e6",
 "zh:8e2ed2d986aaf590975a79a2f6b5e60e0dc7d804ab01a8c03ab181e41cfe9b0f",
 "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
 "zh:9c7b8ca1b17489f16a6d0f1fc2aa9c130978ea74c9c861d8435410567a0a888f",
 "zh:a54385896a70524063f0c5420be26ff6f88909bd8e6902dd3e922577b21fd546",
 "zh:aecd3a8fb70b938b58d93459bfb311540fd6aaf981924bf34abd48f953b4be0d",
 "zh:f3de076fa3402768d27af0187c6a677777b47691d1f0f84c9b259ff66e65953e",
 ]
 }
+
+provider "registry.terraform.io/hashicorp/random" {
+ version = "3.5.1"
+ constraints = "3.5.1"
+ hashes = [
+ "h1:IL9mSatmwov+e0+++YX2V6uel+dV6bn+fC/cnGDK3Ck=",
+ "zh:04e3fbd610cb52c1017d282531364b9c53ef72b6bc533acb2a90671957324a64",
+ "zh:119197103301ebaf7efb91df8f0b6e0dd31e6ff943d231af35ee1831c599188d",
+ "zh:4d2b219d09abf3b1bb4df93d399ed156cadd61f44ad3baf5cf2954df2fba0831",
+ "zh:6130bdde527587bbe2dcaa7150363e96dbc5250ea20154176d82bc69df5d4ce3",
+ "zh:6cc326cd4000f724d3086ee05587e7710f032f94fc9af35e96a386a1c6f2214f",
+ "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+ "zh:b6d88e1d28cf2dfa24e9fdcc3efc77adcdc1c3c3b5c7ce503a423efbdd6de57b",
+ "zh:ba74c592622ecbcef9dc2a4d81ed321c4e44cddf7da799faa324da9bf52a22b2",
+ "zh:c7c5cde98fe4ef1143bd1b3ec5dc04baf0d4cc3ca2c5c7d40d17c0e9b2076865",
+ "zh:dac4bad52c940cd0dfc27893507c1e92393846b024c5a9db159a93c534a3da03",
+ "zh:de8febe2a2acd9ac454b844a4106ed295ae9520ef54dc8ed2faf29f12716b602",
+ "zh:eab0d0495e7e711cca367f7d4df6e322e6c562fc52151ec931176115b83ed014",
+ ]
+}
diff --git a/services/terraform/dev/main.tf b/services/terraform/dev/main.tf
index 7eb02bfd0..f4e07bc84 100644
--- a/services/terraform/dev/main.tf
+++ b/services/terraform/dev/main.tf
@@ -1,40 +1,42 @@
 locals {
 aws_settings = ({
 region = "us-east-2"
 access_key = "fake"
 secret_key = "fake"
 skip_credentials_validation = true
 skip_metadata_api_check = true
 skip_requesting_account_id = true
 s3_use_path_style = true
 override_endpoint = "http://localhost:4566"
 })
 }
 provider "aws" {
 region = local.aws_settings.region
 access_key = local.aws_settings.access_key
 secret_key = local.aws_settings.secret_key
 skip_credentials_validation = local.aws_settings.skip_credentials_validation
 skip_metadata_api_check = local.aws_settings.skip_metadata_api_check
 skip_requesting_account_id = local.aws_settings.skip_requesting_account_id
 s3_use_path_style = local.aws_settings.s3_use_path_style
 dynamic "endpoints" {
 for_each = local.aws_settings.override_endpoint[*]
 content {
- dynamodb = endpoints.value
- s3 = endpoints.value
+ dynamodb = endpoints.value
+ s3 = endpoints.value
+ secretsmanager = endpoints.value
 }
 }
 }
+provider "random" {}
+
 # Shared resources between local dev environment and remote AWS
 module "shared" {
 source = "../modules/shared"
 is_dev = true
 }
-
diff --git a/services/terraform/dev/providers.tf b/services/terraform/dev/providers.tf
index 0b988a0be..89df5de67 100644
--- a/services/terraform/dev/providers.tf
+++ b/services/terraform/dev/providers.tf
@@ -1,8 +1,12 @@
 terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
 version = "~> 5.7.0"
 }
+ random = {
+ source = "hashicorp/random"
+ version = "3.5.1"
+ }
 }
 }
diff --git a/services/terraform/modules/shared/providers.tf b/services/terraform/modules/shared/providers.tf
index 0b988a0be..89df5de67 100644
--- a/services/terraform/modules/shared/providers.tf
+++ b/services/terraform/modules/shared/providers.tf
@@ -1,8 +1,12 @@
 terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
 version = "~> 5.7.0"
 }
+ random = {
+ source = "hashicorp/random"
+ version = "3.5.1"
+ }
 }
 }
diff --git a/services/terraform/modules/shared/secretsmanager.tf b/services/terraform/modules/shared/secretsmanager.tf
new file mode 100644
index 000000000..a471b8e97
--- /dev/null
+++ b/services/terraform/modules/shared/secretsmanager.tf
@@ -0,0 +1,21 @@
+resource "aws_secretsmanager_secret" "services_token" {
+ name = "servicesToken"
+ description = "Service-to-service access token"
+}
+resource "aws_secretsmanager_secret_version" "services_token" {
+ secret_id = aws_secretsmanager_secret.services_token.id
+ secret_string = var.is_dev ? "super-secret" : random_password.services_token.result
+ version_stages = ["AWSCURRENT"]
+}
+
+# Now we generate a random password for the services token in production
+# until we have rotation configured.
+resource "random_password" "services_token" {
+ length = 32
+ special = true
+ override_special = "!#$%&*-_=+<>?"
+}
+
+output "services_token_id" {
+ value = aws_secretsmanager_secret.services_token.id
+}
diff --git a/services/terraform/remote/.terraform.lock.hcl b/services/terraform/remote/.terraform.lock.hcl
index bf8dc2360..023741600 100644
--- a/services/terraform/remote/.terraform.lock.hcl
+++ b/services/terraform/remote/.terraform.lock.hcl
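Review bot: In secretsmanager.tf the token produced by `random_password.services_token` and written through `aws_secretsmanager_secret_version.services_token` is also persisted in Terraform state, so anyone who can read the remote state (the `commapp-terraform` S3 backend configured in remote/main.tf, encrypted at rest but still readable by state principals) recovers the plaintext token; the provider's sensitive marking only hides it from plan output. The comment above `random_password` should say so, e.g. `# The generated value is also recorded in Terraform state; keep state bucket access as restricted as Secrets Manager itself.` The same resource is created unconditionally, so a generated value is kept in dev state too even though dev substitutes the fixed `"super-secret"` placeholder; `count = var.is_dev ? 0 : 1` on the resource together with `one(random_password.services_token[*].result)` in the ternary would avoid that. The dev placeholder is undocumented — a line such as `# "super-secret" is a localstack-only placeholder, never a real credential` next to the `secret_string` expression would make the intent explicit.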
@@ -1,40 +1,60 @@
 # This file is maintained automatically by "terraform init".
 # Manual edits may be lost in future updates.
 provider "registry.terraform.io/carlpett/sops" {
 version = "0.7.2"
 constraints = "0.7.2"
 hashes = [
 "h1:nWrLW+9JjGLwfss4T7pTaE+JiZlBJQGoYxt4pDe5OE8=",
 "zh:43f218054ea3a72c9756bf989aeebb9d0f23b66fd08e9fb4ae75d4f921295e82",
 "zh:57fd326388042a6b7ecd60f740f81e5ef931546c4f068f054e7df34acf65d190",
 "zh:87b970db8c137f4c2fcbff7a5705419a0aea9268ae0ac94f1ec5b978e42ab0d2",
 "zh:9e3b67b89ac919f01731eb0466baa08ce0721e6cf962fe6752e7cc526ac0cba0",
 "zh:c028f67ef330be0d15ce4d7ac7649a2e07a98ed3003fca52e0c72338b5f481f8",
 "zh:c29362e36a44480d0d9cb7d90d1efba63fe7e0e94706b2a07884bc067c46cbc7",
 "zh:d5bcfa836244718a1d564aa96eb7d733b4d361b6ecb961f7c5bcd0cadb1dfd05",
 ]
 }
 provider "registry.terraform.io/hashicorp/aws" {
 version = "5.7.0"
 constraints = "~> 5.7.0"
 hashes = [
 "h1:gCmR7VjmH1RSMC6eaZRr37iGRDGBgzCPWomHHpeMEgA=",
 "zh:03240d7fc041d5331db7fd5f2ca4fe031321d07d2a6ca27085c5020dae13f211",
 "zh:0b5252b14c354636fe0348823195dd901b457de1a033015f4a7d11cfe998c766",
 "zh:2bfb62325b0487be8d1850a964f09cca0d45148faec577459c2a24334ec9977b",
 "zh:2f9e317ffc57d2b5117cfe8dc266f88aa139b760bc93d8adeed7ad533a78b5a3",
 "zh:36512725c9d7c559927b98fead04be58494a3a997e5270b905a75a468e307427",
 "zh:5483e696d3ea764f746d3fe439f7dcc49001c3c774122d7baa51ce01011f0075",
 "zh:5967635cc14f969ea26622863a2e3f9d6a7ddd3e7d35a29a7275c5e10579ac8c",
 "zh:7e63c94a64af5b7aeb36ea6e3719962f65a7c28074532c02549a67212d410bb8",
 "zh:8a7d5f33b11a3f5c7281413b431fa85de149ed8493ec1eea73d50d2d80a475e6",
 "zh:8e2ed2d986aaf590975a79a2f6b5e60e0dc7d804ab01a8c03ab181e41cfe9b0f",
 "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
 "zh:9c7b8ca1b17489f16a6d0f1fc2aa9c130978ea74c9c861d8435410567a0a888f",
 "zh:a54385896a70524063f0c5420be26ff6f88909bd8e6902dd3e922577b21fd546",
 "zh:aecd3a8fb70b938b58d93459bfb311540fd6aaf981924bf34abd48f953b4be0d",
 "zh:f3de076fa3402768d27af0187c6a677777b47691d1f0f84c9b259ff66e65953e",
 ]
 }
+
+provider "registry.terraform.io/hashicorp/random" {
+ version = "3.5.1"
+ constraints = "3.5.1"
+ hashes = [
+ "h1:IL9mSatmwov+e0+++YX2V6uel+dV6bn+fC/cnGDK3Ck=",
+ "zh:04e3fbd610cb52c1017d282531364b9c53ef72b6bc533acb2a90671957324a64",
+ "zh:119197103301ebaf7efb91df8f0b6e0dd31e6ff943d231af35ee1831c599188d",
+ "zh:4d2b219d09abf3b1bb4df93d399ed156cadd61f44ad3baf5cf2954df2fba0831",
+ "zh:6130bdde527587bbe2dcaa7150363e96dbc5250ea20154176d82bc69df5d4ce3",
+ "zh:6cc326cd4000f724d3086ee05587e7710f032f94fc9af35e96a386a1c6f2214f",
+ "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+ "zh:b6d88e1d28cf2dfa24e9fdcc3efc77adcdc1c3c3b5c7ce503a423efbdd6de57b",
+ "zh:ba74c592622ecbcef9dc2a4d81ed321c4e44cddf7da799faa324da9bf52a22b2",
+ "zh:c7c5cde98fe4ef1143bd1b3ec5dc04baf0d4cc3ca2c5c7d40d17c0e9b2076865",
+ "zh:dac4bad52c940cd0dfc27893507c1e92393846b024c5a9db159a93c534a3da03",
+ "zh:de8febe2a2acd9ac454b844a4106ed295ae9520ef54dc8ed2faf29f12716b602",
+ "zh:eab0d0495e7e711cca367f7d4df6e322e6c562fc52151ec931176115b83ed014",
+ ]
+}
diff --git a/services/terraform/remote/main.tf b/services/terraform/remote/main.tf
index 251b4f7a5..e6fce03eb 100644
--- a/services/terraform/remote/main.tf
+++ b/services/terraform/remote/main.tf
@@ -1,60 +1,61 @@
 terraform {
 backend "s3" {
 region = "us-east-2"
 key = "terraform.tfstate"
 bucket = "commapp-terraform"
 dynamodb_table = "terraform-lock"
 encrypt = true
 }
 }
+provider "random" {}
 provider "sops" {}
 data "sops_file" "secrets_json" {
 source_file = "secrets.json"
 }
 locals {
 environment = terraform.workspace
 is_staging = local.environment == "staging"
 secrets = jsondecode(data.sops_file.secrets_json.raw)
 target_account_id = lookup(local.secrets.accountIDs, local.environment)
 terraform_role_arn = "arn:aws:iam::${local.target_account_id}:role/Terraform"
 }
 provider "aws" {
 region = "us-east-2"
 assume_role {
 role_arn = local.terraform_role_arn
 external_id = "terraform"
 }
 # automatically add these tags to all resources
 default_tags {
 tags = {
 # Helps to distinguish which resources are managed by Terraform
 managed_by = "terraform"
 }
 }
 }
 locals {
 # S3 bucket names are globally unique so we add a suffix to staging buckets
 s3_bucket_name_suffix = local.is_staging ? "-staging" : ""
 }
 # Shared resources between local dev environment and remote AWS
 module "shared" {
 source = "../modules/shared"
 bucket_name_suffix = local.s3_bucket_name_suffix
 }
 check "workspace_check" {
 assert {
 condition = terraform.workspace == "staging" || terraform.workspace == "production"
 error_message = "Terraform workspace must be either 'staging' or 'production'!"
 }
 }
diff --git a/services/terraform/remote/providers.tf b/services/terraform/remote/providers.tf
index 5ec120ea0..fdb1e57cb 100644
--- a/services/terraform/remote/providers.tf
+++ b/services/terraform/remote/providers.tf
@@ -1,13 +1,18 @@
 terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
 version = "~> 5.7.0"
 }
 sops = {
 source = "carlpett/sops"
 version = "0.7.2"
 }
+
+ random = {
+ source = "hashicorp/random"
+ version = "3.5.1"
+ }
 }
 }