Introduction
In modern cloud environments securely managing sensitive information like database credentials, API keys and other secrets is crucial. AWS Secrets Manager simplifies the process of securely storing, managing and retrieving these secrets. This comprehensive guide will delve into the functionalities of AWS Secrets Manager including creating and managing secrets and integrating Secrets Manager with other AWS services for secure access. By the end of this tutorial you will have a solid understanding of AWS Secrets Manager and how to leverage it for secure secret management in your cloud infrastructure.
Key Features
Secure Storage :- Secrets Manager encrypts secrets using AWS Key Management Service (KMS).
Automatic Rotation :- Automatically rotates secrets for supported AWS services without application downtime.
Fine-Grained Access Control :- Uses AWS Identity and Access Management (IAM) policies to control access to secrets.
Audit and Monitoring :- Integrates with AWS CloudTrail to log and monitor secret access and management activities.
Integrated with AWS Services :- Easily integrates with AWS services like Amazon RDS, Amazon Redshift and more.
Use Cases
Database Credentials :- Securely store and rotate database credentials.
API Keys :- Manage and secure API keys for third-party services.
Configuration Data :- Store sensitive configuration data securely.
OAuth Tokens :- Securely store and manage OAuth tokens.
Setting Up AWS Secrets Manager
Step 1 :- Creating a Secret
Sign in to the AWS Management Console and open the AWS Secrets Manager console.
Choose Store a new secret.
Select the secret type :-
- For this example select Credentials for RDS database.
Enter the secret details :-
Username : admin
Password : mypassword
Database : Choose your database from the list.
Example JSON configuration :-
{
"username": "admin",
"password": "mypassword",
"engine": "mysql",
"host": "mydb.cluster-xyz.us-west-2.rds.amazonaws.com",
"port": 3306,
"dbname": "mydatabase"
}
Encryption Key : Use the default AWS managed key or select a custom key.
Choose Next.
Step 2 :- Configuring Secret Rotation
Enable automatic rotation and specify the rotation interval (e.g. 30 days).
Select a Lambda function to handle the rotation. If you don’t have one you can create a new function :-
- Create a new Lambda function based on the provided template for the secret type.
Step 3 :- Specifying Tags and Permissions
Add tags to organize and manage your secrets.
Configure permissions :-
- Define which IAM roles and users can access or manage the secret.
Step 4 :- Storing the Secret
Review the secret details.
Choose Store to save the secret.
Managing Secrets
Retrieving a Secret
You can retrieve secrets programmatically using AWS SDKs or the AWS CLI.
Using AWS CLI
aws secretsmanager get-secret-value --secret-id my-database-secret --query SecretString --output text
Using AWS SDK (Python Example)
import boto3
import json
def get_secret():
secret_name = "my-database-secret"
region_name = "us-west-2"
# Create a Secrets Manager client
client = boto3.client('secretsmanager', region_name=region_name)
# Retrieve the secret
get_secret_value_response = client.get_secret_value(SecretId=secret_name)
secret = get_secret_value_response['SecretString']
return json.loads(secret)
secret = get_secret()
print(secret['username'])
print(secret['password'])
Updating a Secret
You can update secrets through the AWS Management Console, AWS CLI or AWS SDK.
Using AWS CLI
aws secretsmanager update-secret --secret-id my-database-secret --secret-string '{"username": "admin", "password": "newpassword"}'
Using AWS SDK (Python Example)
import boto3
def update_secret():
secret_name = "my-database-secret"
region_name = "us-west-2"
secret_value = {
"username": "admin",
"password": "newpassword"
}
# Create a Secrets Manager client
client = boto3.client('secretsmanager', region_name=region_name)
# Update the secret
client.update_secret(SecretId=secret_name, SecretString=json.dumps(secret_value))
update_secret()
Deleting a Secret
Deleting a secret is straightforward but should be done with caution. AWS Secrets Manager retains the secret for a recovery window (default is 30 days) before permanently deleting it.
Using AWS CLI
aws secretsmanager delete-secret --secret-id my-database-secret
Using AWS SDK (Python Example)
import boto3
def delete_secret():
secret_name = "my-database-secret"
region_name = "us-west-2"
# Create a Secrets Manager client
client = boto3.client('secretsmanager', region_name=region_name)
# Delete the secret
client.delete_secret(SecretId=secret_name, RecoveryWindowInDays=30)
delete_secret()
Integrating AWS Secrets Manager with AWS Services
Amazon RDS
To use Secrets Manager with Amazon RDS ensure that your database engine supports the integration.
Create a new secret for your RDS database as described in the setup steps.
Configure the RDS instance to use the secret for authentication.
Example :- Configuring RDS to Use Secrets Manager
aws rds modify-db-instance \
--db-instance-identifier mydbinstance \
--master-user-password arn:aws:secretsmanager:us-west-2:123456789012:secret:my-database-secret
AWS Lambda
You can use Secrets Manager to retrieve secrets in your Lambda functions securely.
Example :- Lambda Function to Retrieve Secret
import boto3
import json
def lambda_handler(event, context):
secret_name = "my-database-secret"
region_name = "us-west-2"
# Create a Secrets Manager client
client = boto3.client('secretsmanager', region_name=region_name)
# Retrieve the secret
get_secret_value_response = client.get_secret_value(SecretId=secret_name)
secret = get_secret_value_response['SecretString']
secret_dict = json.loads(secret)
# Use the secret in your Lambda function
db_username = secret_dict['username']
db_password = secret_dict['password']
return {
'statusCode': 200,
'body': json.dumps('Secrets retrieved successfully!')
}
AWS ECS
You can use Secrets Manager with ECS to inject secrets into your containerized applications.
Example :- ECS Task Definition with Secrets Manager
{
"family": "my-ecs-task",
"networkMode": "awsvpc",
"containerDefinitions": [
{
"name": "my-app-container",
"image": "my-app-image",
"essential": true,
"secrets": [
{
"name": "DB_USERNAME",
"valueFrom": "arn:aws:secretsmanager:us-west-2:123456789012:secret:my-database-secret:username"
},
{
"name": "DB_PASSWORD",
"valueFrom": "arn:aws:secretsmanager:us-west-2:123456789012:secret:my-database-secret:password"
}
]
}
]
}
Best Practices for Managing Secrets
Enable Automatic Rotation
Automatic rotation helps ensure that secrets are regularly updated without manual intervention. Configure Lambda functions to handle the rotation process and avoid application downtime.
Use IAM Policies for Access Control
Define IAM policies to control access to secrets based on the principle of least privilege. Ensure that only authorized roles and users can access or manage secrets.
Audit and Monitor Secret Access
Enable AWS CloudTrail to log all activities related to secrets. Regularly review these logs to detect any unauthorized access or suspicious activity.
Encrypt Secrets
Secrets Manager automatically encrypts secrets using AWS KMS. Ensure that you use strong encryption keys and manage them properly.
Regularly Review and Update Secrets
Regularly review the secrets stored in Secrets Manager to ensure they are up-to-date and still required. Remove any outdated or unnecessary secrets to reduce the attack surface.
Example :- Secure API Key Management
Consider a scenario where you need to manage an API key for a third-party service securely.
Step 1 :- Storing the API Key
Open the Secrets Manager console and choose Store a new secret.
Select Other type of secret.
Enter the secret key-value pairs :-
Key : api_key
Value : your_api_key_here
Name the secret (e.g. my-api-key-secret).
Store the secret.
Step 2 :- Retrieving the API Key in an Application
Using AWS SDK (Python Example)
import boto3
import json
def get_api_key():
secret_name = "my-api-key-secret"
region_name = "us-west-2"
# Create a Secrets Manager client
client = boto3.client('secretsmanager', region_name=region_name)
# Retrieve the secret
get_secret_value_response = client.get_secret_value(SecretId=secret_name)
secret = get_secret_value_response['SecretString']
secret_dict = json.loads(secret)
return secret_dict['api_key']
api_key = get_api_key()
print(api_key)
Conclusion
AWS Secrets Manager provides a robust solution for securely managing and retrieving secrets in your cloud environment. By leveraging its features such as automatic rotation, fine-grained access control and integration with other AWS services you can enhance the security and compliance of your applications. This guide covered the basics of AWS Secrets Manager including creating and managing secrets, integrating with AWS services and best practices for secure secret management. With these insights you can effectively manage sensitive information and protect your cloud infrastructure from unauthorized access.
Stay tuned for more insights in our upcoming blog posts.