Keeping Secrets with AWS Secrets Manager

By fernandosoliva, published in Jamal On the Code, Nov 19, 2018

Secrets management, audit, rotation, easy to use and cheap: AWS Secrets Manager

Secrets of a horseman.

Whenever I think about software that manages credentials, I try to keep in mind how I can keep my production credentials both safe and easy to use. I confess that keeping passwords safe wasn't always my first priority during software projects. I used to write the passwords in configuration properties (it is quite common in projects), and for a long time I believed that was "safe", until someone introduced me to HashiCorp Vault, a platform for secrets management and data protection.

Vault is simple to use, but you need to manage a server to run it as a service. If you have a team to do this, awesome! But if you don't, like me, you need to make sure that it is never down or unavailable; otherwise, every application that depends on it breaks down. In April, I got a better option with the release of AWS Secrets Manager.

To move forward, I will assume that you have an AWS Account and AWS CLI knowledge. If you don’t, I suggest getting started here.

AWS Secrets Manager

In April, AWS released the Secrets Manager service to manage, audit and rotate secrets. It is a simple AWS service that costs only $0.40 per secret per month plus $0.05 per 10,000 API calls. It is almost free to keep your passwords safe, and the cheapest service I know of for maintaining and managing passwords.

Creating a secret

Inside the AWS Management Console, select the Secrets Manager service to create a new secret.

Inside Secrets Manager Console, select “store new secret”. Select the box “Other types of secrets” and configure a new secret as below.

With AWS CLI we can accomplish the same as above with the following command.

$ aws secretsmanager create-secret --name myamazingsupersecret --description "It is just a test" --secret-string file://mycreds.json

Inside mycreds.json we have a JSON object whose fields represent my credentials. For our example, mycreds.json should have the following content:

{"apikey":"mysupersecret"}

As you can see, we can add as many rows as we need and create three types of secrets. For our purpose, we select "Other types of secrets" and move forward by clicking the "Next" button. On the next screen we only set our secret's name, which will be used to find our secret inside our account. Let's name our secret myamazingsupersecret. The next step is the rotation configuration, which we skip for now.

At the final stage, we have a review step and sample code showing how to retrieve these credentials. I will use the Go example.

package main

import (
	"fmt"

	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/secretsmanager"
)

func main() {
	sn := "myamazingsupersecret"
	// The session picks up credentials and region from the environment,
	// the shared AWS config files or an instance profile.
	s := session.Must(session.NewSession())
	sm := secretsmanager.New(s)
	// Fetch the current version of the secret by its name.
	output, err := sm.GetSecretValue(&secretsmanager.GetSecretValueInput{SecretId: &sn})
	if err != nil {
		panic(err.Error())
	}
	fmt.Println(*output.SecretString)
}

This is a super simple way to get our secret; to use it this way, you need to configure your AWS credentials before running the main above.
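The snippet above prints the raw secret string, which is fine for a first test but not for a service. The following example is added here and is not part of the original article or the AWS SDK: it parses the {"apikey":"..."} JSON into a typed struct, refuses a secret that lacks the expected field, redacts the value when it is printed, and caches it with a TTL so the process does not call the API on every request and keeps running on the last good value if a refresh fails. The SecretFetcher interface and the in-memory memFetcher are assumptions made so the logic runs offline; in production the interface would be implemented by wrapping the sm.GetSecretValue call shown above and returning *output.SecretString.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"sync"
	"time"
)

// Credentials mirrors the JSON stored in the secret, e.g. {"apikey":"mysupersecret"}.
type Credentials struct {
	APIKey string `json:"apikey"`
}

// String makes fmt.Println(creds) print a redacted form, so a stray log
// statement never writes the API key to stdout or a log file.
func (c Credentials) String() string { return "Credentials{apikey:[redacted]}" }

// SecretFetcher is a hypothetical abstraction over the SDK call in the article
// (sm.GetSecretValue, returning *output.SecretString) so the logic runs offline.
type SecretFetcher interface {
	GetSecretString(ctx context.Context, secretID string) (string, error)
}

// ParseCredentials decodes the secret JSON and rejects payloads without the
// field the application needs, so a misconfigured secret fails at startup.
func ParseCredentials(secretString string) (Credentials, error) {
	var c Credentials
	if err := json.Unmarshal([]byte(secretString), &c); err != nil {
		return Credentials{}, fmt.Errorf("secret is not valid credentials JSON: %w", err)
	}
	if c.APIKey == "" {
		return Credentials{}, fmt.Errorf(`secret JSON has no "apikey" field`)
	}
	return c, nil
}

// CachedSecret keeps the parsed value for ttl: no API call per request, no
// outage when the API is briefly unreachable, and ttl bounds staleness after rotation.
type CachedSecret struct {
	fetcher  SecretFetcher
	secretID string
	ttl      time.Duration
	now      func() time.Time // injectable clock, time.Now in production

	mu      sync.Mutex
	creds   Credentials
	fetched time.Time
}

func NewCachedSecret(f SecretFetcher, secretID string, ttl time.Duration) *CachedSecret {
	return &CachedSecret{fetcher: f, secretID: secretID, ttl: ttl, now: time.Now}
}

// Get serves the cached value while fresh, refreshes it after ttl, and falls back to the last good value.
func (c *CachedSecret) Get(ctx context.Context) (Credentials, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	cached := !c.fetched.IsZero()
	if cached && c.now().Sub(c.fetched) < c.ttl {
		return c.creds, nil
	}
	raw, err := c.fetcher.GetSecretString(ctx, c.secretID)
	if err != nil {
		if cached {
			return c.creds, nil // transient API failure: keep running on the last good value
		}
		return Credentials{}, fmt.Errorf("fetch secret %q: %w", c.secretID, err)
	}
	creds, err := ParseCredentials(raw)
	if err != nil {
		return Credentials{}, err
	}
	c.creds, c.fetched = creds, c.now()
	return creds, nil
}

// memFetcher stands in for Secrets Manager with a constructed secret value.
type memFetcher struct {
	values map[string]string
	calls  int
}

func (m *memFetcher) GetSecretString(_ context.Context, secretID string) (string, error) {
	m.calls++
	if v, ok := m.values[secretID]; ok {
		return v, nil
	}
	return "", fmt.Errorf("secret %q not found", secretID)
}

func main() {
	f := &memFetcher{values: map[string]string{"myamazingsupersecret": `{"apikey":"mysupersecret"}`}}
	cs := NewCachedSecret(f, "myamazingsupersecret", 5*time.Minute)
	creds, err := cs.Get(context.Background())
	if err != nil {
		panic(err)
	}
	fmt.Println(creds, "after", f.calls, "API call") // redacted form; the key itself is never printed
}
```

Serving the last good value on a failed refresh is a deliberate trade-off: it keeps the service up through a short API outage, but if the secret was rotated in the meantime the stale key will be rejected downstream, so the TTL should stay well below the rotation interval.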

Auditing your secret

One of Secrets Manager's features is auditing of your secrets, as described by AWS:

(…) through integration with AWS logging, monitoring, and notification services. For example, after enabling AWS CloudTrail for an AWS region, you can audit when a secret is stored or rotated by viewing AWS CloudTrail logs. Similarly, you can configure Amazon CloudWatch to receive email messages using Amazon Simple Notification Service when secrets remain unused for a period, or you can configure Amazon CloudWatch Events to receive push notifications when Secrets Manager rotates your secrets.
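To show what "viewing AWS CloudTrail logs" looks like in practice, here is an added example (not from the article or from AWS) that parses a CloudTrail log file, keeps only the Secrets Manager events that create, read, change, rotate or delete a secret, and lists the principals whose GetSecretValue calls were denied. The sampleLog constant is a constructed log file: the account id, ARNs and IP addresses are placeholders, and the field names follow the CloudTrail record format (eventSource, eventName, userIdentity.arn, requestParameters, errorCode).

```go
package main

import (
	"encoding/json"
	"fmt"
)

// cloudTrailRecord holds the subset of CloudTrail fields this audit reads.
type cloudTrailRecord struct {
	EventTime    string `json:"eventTime"`
	EventSource  string `json:"eventSource"`
	EventName    string `json:"eventName"`
	ErrorCode    string `json:"errorCode"` // empty when the call succeeded
	SourceIP     string `json:"sourceIPAddress"`
	UserIdentity struct {
		ARN string `json:"arn"`
	} `json:"userIdentity"`
	RequestParameters struct {
		SecretID string `json:"secretId"` // GetSecretValue, PutSecretValue, RotateSecret, ...
		Name     string `json:"name"`     // CreateSecret
	} `json:"requestParameters"`
}

// Finding is one row of the audit summary.
type Finding struct {
	Time, Secret, Principal, Event, SourceIP string
	Denied                                   bool
}

// secretEvents lists the Secrets Manager API calls worth auditing.
var secretEvents = map[string]bool{
	"CreateSecret": true, "GetSecretValue": true, "PutSecretValue": true,
	"UpdateSecret": true, "RotateSecret": true, "DeleteSecret": true,
}

// AuditSecretsManager parses one CloudTrail log file body and returns a
// Finding per Secrets Manager event, skipping events from other services.
func AuditSecretsManager(logBody string) ([]Finding, error) {
	var file struct {
		Records []cloudTrailRecord `json:"Records"`
	}
	if err := json.Unmarshal([]byte(logBody), &file); err != nil {
		return nil, fmt.Errorf("parse CloudTrail log: %w", err)
	}
	var out []Finding
	for _, r := range file.Records {
		if r.EventSource != "secretsmanager.amazonaws.com" || !secretEvents[r.EventName] {
			continue
		}
		secret := r.RequestParameters.SecretID
		if secret == "" {
			secret = r.RequestParameters.Name
		}
		out = append(out, Finding{
			Time: r.EventTime, Secret: secret, Principal: r.UserIdentity.ARN,
			Event: r.EventName, SourceIP: r.SourceIP, Denied: r.ErrorCode != "",
		})
	}
	return out, nil
}

// DeniedReads returns the principals whose GetSecretValue calls were refused;
// repeated entries here are worth an alert, since they show someone asking
// for a secret they were never granted.
func DeniedReads(findings []Finding) []string {
	var out []string
	for _, f := range findings {
		if f.Event == "GetSecretValue" && f.Denied {
			out = append(out, f.Principal)
		}
	}
	return out
}

// sampleLog is a constructed CloudTrail file with four records; the account
// id, ARNs and addresses are placeholders, not real identifiers.
const sampleLog = `{"Records":[
 {"eventTime":"2018-11-19T10:00:00Z","eventSource":"secretsmanager.amazonaws.com","eventName":"CreateSecret",
  "userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"},"sourceIPAddress":"198.51.100.10",
  "requestParameters":{"name":"myamazingsupersecret","description":"It is just a test"}},
 {"eventTime":"2018-11-19T10:05:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject",
  "userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"},"sourceIPAddress":"198.51.100.10",
  "requestParameters":{"bucketName":"logs"}},
 {"eventTime":"2018-11-19T10:10:00Z","eventSource":"secretsmanager.amazonaws.com","eventName":"GetSecretValue",
  "userIdentity":{"arn":"arn:aws:sts::123456789012:assumed-role/AppRole/i-0123456789abcdef0"},"sourceIPAddress":"10.0.1.25",
  "requestParameters":{"secretId":"myamazingsupersecret"}},
 {"eventTime":"2018-11-19T10:12:00Z","eventSource":"secretsmanager.amazonaws.com","eventName":"GetSecretValue",
  "userIdentity":{"arn":"arn:aws:iam::123456789012:user/contractor-temp"},"sourceIPAddress":"203.0.113.7",
  "errorCode":"AccessDenied","requestParameters":{"secretId":"myamazingsupersecret"}}
]}`

func main() {
	findings, err := AuditSecretsManager(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s %-14s %-22s by %s from %s denied=%v\n", f.Time, f.Event, f.Secret, f.Principal, f.SourceIP, f.Denied)
	}
	fmt.Println("denied reads:", DeniedReads(findings))
}
```

Note that CloudTrail records the secret's name and who asked for it, never the secret value, so these logs are safe to ship to a SIEM; the useful signals are reads from principals or source addresses you do not expect, and denied reads, which the second function isolates.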

Conclusion

Once again, AWS launched an incredible service to solve real application security problems, and as you can see it is simple, easy to use and low cost. Certainly, we have alternatives such as Vault, but at this point we know that the solid services AWS provides can minimize damage in production during moments of crisis.

Give your feedback and suggestions about this article. It will be a pleasure to discuss. I hope you enjoyed!
