Keep your secrets to yourself | AWS Secrets Manager
If you are building an application on AWS, you can use AWS Secrets Manager to store the sensitive values your application needs at runtime: database usernames and passwords, API keys, client identifiers, access tokens, and so on.
Developers often end up saving this information on the server in a config file, which is compromised the moment that file leaks. If the application is deployed on AWS Lambda, putting the values directly into environment variables is risky as well: anyone who can read the function configuration sees them in plain text, every function that needs them gets its own copy, and in practice they are never rotated.
If you want to run the same code in multiple environments, you can do that by pointing the Lambda function at the correct secret through an environment variable that holds only the secret's name, never the secret itself.
What is Secrets Manager?
Secrets Manager is a managed, encrypted storage service for sensitive data. Users and applications retrieve secrets with a call to the Secrets Manager API, which removes the need to hard-code sensitive information in plain text and gives you one place to audit who read a secret and to rotate it.
Let’s build an application like the one described above.
Steps:
- Create a secret in Secrets Manager
- Create a Lambda function and grant its execution role permission to read that secret
- Add an environment variable to the Lambda function that names the secret
1. Create a secret:
Go to Secrets Manager and click on “Store a new secret”.
There are several secret types, with built-in support for AWS services such as Amazon RDS and Amazon DocumentDB, as well as for your own database in another cloud or on-premises.
In this example we will create a secret of type “Other” (shown in the console as “Other type of secret”), where we can store any information as key-value pairs.
Add your values in the key/value editor shown below. Underneath it you select how the secret is encrypted: the default AWS managed key (aws/secretsmanager) or a customer managed KMS key you create. A customer managed key gives you control over the key policy and a separate audit trail of decrypt calls, but the Lambda execution role then also needs kms:Decrypt on that key. After selecting the key, click on Next.
On the next page, give your secret a name. There is an option to replicate the secret to other Regions. Then click on Next.
On the next page, you can configure rotation on a schedule. It is optional, but it is best to turn automatic rotation on: rotation reduces the risk from leaving credentials unchanged for long periods of time. For the “Other” secret type, Secrets Manager does not know how to change the credential in the downstream system, so you supply a Lambda rotation function that does.
On the next page, review your secret and click on “Store”.
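The same procedure done from code rather than the console, as an added example that is not part of the original post: it serializes the key-value pairs the way the console stores them, creates the secret with boto3 (optionally under a customer managed KMS key), and produces the least-privilege IAM policy the Lambda execution role needs to read exactly this one secret. The secret name demo/app/client-a, the sample fields and the ARNs are constructed placeholders; the create_secret call needs AWS credentials, so it only runs under the __main__ guard, and boto3 is imported there so the helpers can be exercised offline.

```python
import json
from typing import Optional

# Constructed sample key-value pairs for an "Other" type secret (not real credentials).
SAMPLE_SECRET = {
    "db_host": "db.client-a.internal",
    "db_user": "app_user",
    "db_password": "replace-me-at-first-rotation",
    "api_token": "tok_example_123",
}


def build_secret_string(pairs: dict) -> str:
    """Serialize key-value pairs the way the console's key/value editor stores them:
    a flat JSON object with string keys and string values."""
    for key, value in pairs.items():
        if not isinstance(key, str) or not isinstance(value, str):
            raise TypeError(f"secret field {key!r} must map a string key to a string value")
    return json.dumps(pairs, separators=(",", ":"), sort_keys=True)


def least_privilege_policy(secret_arn: str, kms_key_arn: Optional[str] = None,
                           region: str = "us-east-1") -> dict:
    """IAM policy for the Lambda execution role: read exactly one secret.

    secretsmanager:GetSecretValue is the only Secrets Manager action the handler
    needs, and it is granted on this secret's ARN rather than "*". When the secret
    is encrypted with a customer managed KMS key, the role also needs kms:Decrypt
    on that key; the kms:ViaService condition limits the grant to decrypts made
    through Secrets Manager in this Region, so the role cannot use the key directly."""
    statements = [{
        "Sid": "ReadOneSecret",
        "Effect": "Allow",
        "Action": "secretsmanager:GetSecretValue",
        "Resource": secret_arn,
    }]
    if kms_key_arn:
        statements.append({
            "Sid": "DecryptOnlyViaSecretsManager",
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": kms_key_arn,
            "Condition": {"StringEquals": {
                "kms:ViaService": f"secretsmanager.{region}.amazonaws.com"}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def has_wildcard_resource(policy: dict) -> bool:
    """Review check: a policy that only needs to read one secret must not grant on '*'."""
    return any(stmt.get("Resource") == "*" for stmt in policy["Statement"])


def create_secret(client, name: str, pairs: dict, kms_key_id: Optional[str] = None) -> str:
    """Store the secret and return its ARN. `client` is a boto3 'secretsmanager' client
    (or a test double exposing the same create_secret method)."""
    params = {
        "Name": name,
        "SecretString": build_secret_string(pairs),
        "Description": "Per-environment application credentials",
    }
    if kms_key_id:
        params["KmsKeyId"] = kms_key_id   # omitted -> default aws/secretsmanager key
    return client.create_secret(**params)["ARN"]


if __name__ == "__main__":
    import boto3   # imported here so the helpers above can be tested without AWS access

    sm = boto3.client("secretsmanager", region_name="us-east-1")
    arn = create_secret(sm, "demo/app/client-a", SAMPLE_SECRET)
    print(json.dumps(least_privilege_policy(arn), indent=2))
```

Attach the returned policy to the function's execution role; one secret per environment means one policy statement per environment, which is also what makes it obvious in a review when a function has been given access to a secret it should not see.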
You have now created your secret. Let’s use it from Python code.
Create a Lambda Function
Create a Lambda function and add the code below. Its execution role must be allowed secretsmanager:GetSecretValue on this secret, otherwise the call fails with AccessDeniedException.
import json
import os

import boto3

# Create the client once, outside the handler, so warm invocations reuse it.
# Lambda sets AWS_REGION for you, so the Region does not need to be hard-coded.
secrets_client = boto3.client("secretsmanager", region_name=os.environ.get("AWS_REGION", "us-east-1"))

def lambda_handler(event, context):
    # The environment variable holds only the secret's name or ARN, never the secret itself.
    response = secrets_client.get_secret_value(SecretId=os.environ["client_env"])
    secret_value = json.loads(response["SecretString"])
    # Log only the key names: printing the values would write them to CloudWatch Logs.
    print(sorted(secret_value.keys()))
    return {
        'statusCode': 200,
        'body': json.dumps('Hello from Lambda!')
    }
Here the environment variable client_env holds the name of the secret, and the function fetches the actual value from Secrets Manager at runtime. Check the image below to see how the environment variable is set.
The benefit of using the environment variable is that we can change just that one variable and run the same code in completely different environments, each reading its own secret.
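The handler above fetches the secret on every invocation and assumes a JSON SecretString. The following is an added example, not code from the original post, showing what a production handler usually adds on top: the secret is cached per container so warm invocations do not call GetSecretValue again (each call is billed and counts against the API rate limit), a TTL bounds how long a rotated value goes unnoticed, a stale copy is served if a refresh fails, both SecretString and SecretBinary responses are decoded, and only a redacted shape is ever logged. The environment variable name client_env is the one used on this page; the 300-second TTL and the FakeSecretsClient standing in for boto3.client("secretsmanager") are constructed for the example, and boto3 is imported only under the __main__ guard so the rest runs offline.

```python
import json
import os
import time
from typing import Any, Callable, Dict, Tuple


class SecretCache:
    """Fetch a secret once per container and reuse it across warm invocations.

    Entries older than ttl_seconds are refreshed; if the refresh fails, the
    stale copy is returned rather than failing the invocation. The clock is
    injectable so the expiry logic can be tested without sleeping."""

    def __init__(self, client: Any, ttl_seconds: int = 300,
                 clock: Callable[[], float] = time.monotonic):
        self._client = client
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries: Dict[str, Tuple[float, Any]] = {}   # secret_id -> (fetched_at, value)

    def get(self, secret_id: str) -> Any:
        now = self._clock()
        cached = self._entries.get(secret_id)
        if cached and now - cached[0] < self._ttl:
            return cached[1]
        try:
            response = self._client.get_secret_value(SecretId=secret_id, VersionStage="AWSCURRENT")
        except Exception:
            if cached:               # stale but previously valid beats a hard failure
                return cached[1]
            raise
        value = parse_secret_value(response)
        self._entries[secret_id] = (now, value)
        return value


def parse_secret_value(response: dict) -> Any:
    """Decode a GetSecretValue response. Key-value secrets arrive as SecretString
    (JSON); opaque secrets arrive as SecretBinary, which boto3 has already
    base64-decoded to bytes. A SecretString that is not JSON is returned as-is."""
    if "SecretString" in response:
        raw = response["SecretString"]
        try:
            return json.loads(raw)
        except ValueError:
            return raw
    if "SecretBinary" in response:
        return response["SecretBinary"]
    raise KeyError("response contains neither SecretString nor SecretBinary")


def redact(secret: Any) -> Any:
    """Loggable shape of a secret: key names kept, every value replaced."""
    if isinstance(secret, dict):
        return {k: "***" for k in secret}
    return "***"


def secret_id_for_environment(env: dict) -> str:
    """The environment variable names the secret; it must never contain the secret."""
    secret_id = env.get("client_env")
    if not secret_id:
        raise RuntimeError("client_env is not set; point it at the secret's name or ARN")
    if secret_id.strip().startswith("{"):
        raise RuntimeError("client_env looks like a secret body, not a secret name")
    return secret_id


class FakeSecretsClient:
    """Constructed stand-in for boto3.client('secretsmanager'), for offline use."""

    def __init__(self, store: dict):
        self.store = store
        self.calls = 0

    def get_secret_value(self, SecretId: str, VersionStage: str = "AWSCURRENT") -> dict:
        self.calls += 1
        if SecretId not in self.store:
            raise RuntimeError("ResourceNotFoundException")
        return dict(self.store[SecretId])


if __name__ == "__main__":
    import boto3   # real client only when run inside Lambda or with AWS credentials

    cache = SecretCache(boto3.client("secretsmanager"))
    print(redact(cache.get(secret_id_for_environment(os.environ))))
```

In a Lambda function the SecretCache instance is created at module level, next to the boto3 client, so it lives as long as the execution environment does; the redact helper is what should reach print and the logger, not the secret itself.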