AWS Secrets Manager makes it easier to work with credentials (such as database passwords) by storing them remotely and controlling access to them behind IAM permissions. This allows you to easily rotate the credentials and retrieve the latest version when needed.
What does Secrets Manager do?
Here is an example. Say you create a build script for your servers that automates your installation process, typically so that you can use auto scaling and automated deployment. You need to connect WordPress to an external MySQL server.
The simplest solution would be to store the MySQL password in plain text as part of the build script. This is obviously not a security best practice, and it does not scale beyond a single instance run by a single employee. If you separate your dev and prod environments, this secret must be updated for each environment, which is a hassle.
The better solution is Secrets Manager. Instead of storing the MySQL password in plain text, you store it in Secrets Manager, and when you need to use it, you make an API call to Secrets Manager, which returns the secret. This allows you to secure access to your secrets using IAM roles and permissions, which is a much better system, and one that you already use if your company is on AWS.
Because Secrets Manager acts as a single authoritative store, it makes the rotation of secrets much easier, which is an important part of ongoing security.
Just to be clear: Secrets Manager does not automatically make handling important secrets trivial. At the end of the day, you still request sensitive information that will end up on disk or in the memory of your server. Anyone who can access the server can still access the secret, and you must have good IAM authorization policies to lock down access. But without Secrets Manager, you would not be able to control this access with IAM at all, and you may have important keys stored elsewhere, such as in easily accessible Git repositories.
Secrets Manager can be used to store all types of secrets, including JSON. However, it is commonly used to store database credentials, and as such has built-in integration with RDS that can automatically configure and rotate credentials for you.
How to use Secrets Manager
Go to the Secrets Manager console and click “Store A New Secret.”
If you create a secret to store credentials for RDS, or any of AWS’s other database services, you can select it as the type, enter your username and password, and select the database you want to use with this secret.
If you store something else, you want to select “Other Type of Secret.” If you store a series of key value pairs, you can enter them here, but if you have a more complex JSON schema, you can enter the whole thing as plain text under the “Plaintext” tab.
Click “Next” and give it a name and any tags you may want to add for organizational purposes.
On the next screen you have the option to configure automatic rotation. This invokes a Lambda function that you select on a schedule, every month or so, and rotates the secret to a new value. You probably want to set up your Lambda function to flush the cache of your client applications, so they all retrieve the new secret.
Click “Next” and click “Store” to create the secret.
It’s pretty easy to access the secret. Provided that the AWS CLI has been installed and configured with a user or a role that has permission to retrieve the secret, you can access it with aws secretsmanager get-secret-value. This returns JSON output, so you will probably want to pipe it to jq for processing.
aws secretsmanager get-secret-value --secret-id Confidential_Info | jq
This returns some metadata about your secret as well as the secret itself in the SecretString field. The secret is encoded as a single string, but you can use jq’s fromjson directive to decode it and return the actual JSON value inside the string.
aws secretsmanager get-secret-value --secret-id Confidential_Info | jq '.SecretString | fromjson'
If you retrieve secrets very often (at scale), you want to use a client-side cache so that you do not send thousands of API requests every second. AWS provides some client-side caching libraries for Secrets Manager, but you can always implement one yourself in the language of your choice.
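As an added illustration of both points above (decoding SecretString the way fromjson does, and caching on the client so each lookup does not cost an API call), here is a small Python cache. It is example code written for this article, not an AWS library; the response dict, account ID and ARN suffix are constructed samples, and the real fetcher assumes boto3 and AWS credentials are available.

```python
import json
import time

# Constructed sample: the shape of a get-secret-value response. SecretString holds
# the key/value pairs encoded as one JSON string (what `fromjson` decodes above).
SAMPLE_RESPONSE = {
    "ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:Confidential_Info-AbCdEf",
    "Name": "Confidential_Info",
    "SecretString": json.dumps({"username": "wp_user", "password": "example-only"}),
    "VersionStages": ["AWSCURRENT"],
}


def fake_fetcher(secret_id):
    """Stand-in for the API call so this runs offline; returns the sample for any id."""
    return dict(SAMPLE_RESPONSE, Name=secret_id)


def boto3_fetcher(secret_id):
    """Real fetcher: the same call the CLI makes (needs boto3 and AWS credentials)."""
    import boto3  # imported here so the rest of the module runs without it
    return boto3.client("secretsmanager").get_secret_value(SecretId=secret_id)


class SecretCache:
    """Client-side cache so repeated lookups do not each cost an API request."""

    def __init__(self, fetch_fn, ttl_seconds=300.0):
        self._fetch = fetch_fn
        self._ttl = ttl_seconds
        self._entries = {}   # secret_id -> (expires_at, parsed secret dict)
        self.api_calls = 0   # counter, so callers can see how often AWS was hit

    def get(self, secret_id):
        now = time.monotonic()
        hit = self._entries.get(secret_id)
        if hit is not None and hit[0] > now:
            return hit[1]
        self.api_calls += 1
        response = self._fetch(secret_id)
        # SecretString is a string containing JSON: decode it, like `.SecretString | fromjson`
        parsed = json.loads(response["SecretString"])
        self._entries[secret_id] = (now + self._ttl, parsed)
        return parsed

    def flush(self):
        """Drop every cached value; this is what a rotation hook should trigger."""
        self._entries.clear()
```

Swap fake_fetcher for boto3_fetcher to read from a real account; the TTL bounds how long a rotated value can stay stale if nothing calls flush().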
If you want to automate the creation of secrets, you can do so with
aws secretsmanager create-secret --name
Configure IAM Access
You want to set custom IAM policies that grant read access to individual secrets based on their Amazon Resource Name (ARN). Create a new role from the IAM Management Console (or edit your existing EC2 instance role) and add “Read” access for Secrets Manager.
Below that, add the ARN of the secret to restrict access to it. Enter the secret ID and click “Add.”
Create the new policy, attach the role to your EC2 instance if necessary, and test to verify that you have access only to the secret assigned in the policy.