AWS Secrets Manager is a service for keeping secrets in AWS safely and accessing them as needed. Think of it as 1Password for your infrastructure. AWS Secrets Manager can be seen as an alternative to Vault by HashiCorp. While Vault is open source and can be used free of charge, apart from the setup and maintenance cost, AWS Secrets Manager is a proprietary product. It costs $0.40 per secret per month, plus an additional $0.05 per 10K API calls. All in all, it makes sense to use it if the entire stack is hosted on AWS and the team doesn’t want to maintain Vault. In this article, I go through how to get started with Secrets Manager. For that, we are going to add dummy database credentials to Secrets Manager and pull them using the AWS CLI.
Adding database credentials to AWS Secret Manager
The first thing you need to do is log in to your AWS Management Console.
After that, navigate to the main page and look for Secrets Manager.
The next step is to create a new secret. For that, click on Store a new secret.
Now, we have to choose what type of secret we want to store. For this example, we want to store DB credentials, but the database itself is not hosted in AWS. So we have to select Credentials for other databases.
Fill in the database username and password and scroll down. Select the database type, for example MySQL, and add the needed information.
Then click next, provide the secret name and a description, and click next again.
Note: After creating the secret you can still change all of its details, except the secret name, so name it wisely! It’s a good idea to use an API-path-style convention for secret names, for example /secret/service-name/environment/name.
If you have a Lambda function to rotate the credentials, this is the place to configure it. Otherwise, just select the first option and click next again.
Review the details and click Store.
Configuring AWS CLI (optional)
In this step, I go through configuring the AWS CLI. If you have already done it, feel free to skip ahead.
Having the AWS CLI is necessary to proceed to the next step, so make sure you have everything set up. Download and install the AWS CLI if you don’t have it yet.
If you don’t have your AWS ACCESS KEY and AWS SECRET KEY, don’t worry. You can create one by clicking on your profile and selecting My Security Credentials.
From there go to Access Key and click on Create New Access Key. Download the key and store it in a safe place. Let’s make good use of it now.
To configure the AWS CLI, type aws configure and enter the access key, secret key, and region.
Alternatively, you can export the following three environment variables:
$ export AWS_ACCESS_KEY_ID=YOUR_ACCESS_KEY
$ export AWS_SECRET_ACCESS_KEY=YOUR_SECRET_KEY
$ export AWS_REGION=YOUR_ACCOUNT_REGION
Read the credentials with AWS CLI
After creating the secret, it’s time to read the credentials locally using the AWS CLI. For that, type the following command:
$ aws secretsmanager get-secret-value --secret-id local-test
You should be able to see the details of the secret you created.
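The command above prints the whole secret record, and the credentials themselves sit in the SecretString field as a JSON string inside the outer JSON, so a program has to decode it twice. The following Python is an added example, not code from the original article: it parses a constructed sample of that output (the ARN, version id and credential values are made up, the field names follow the console’s “Credentials for other databases” template), also covers the SecretBinary case that the CLI prints base64-encoded, and redacts the password before anything is logged.

```python
import base64
import json

# Constructed sample of what `aws secretsmanager get-secret-value` prints for a
# secret stored via the console's "Credentials for other databases" option.
# Account id, ARN suffix, version id and all credential values are made up.
SAMPLE_CLI_OUTPUT = r'''
{
    "ARN": "arn:aws:secretsmanager:eu-west-1:123456789012:secret:local-test-AbCdEf",
    "Name": "local-test",
    "VersionId": "00000000-0000-0000-0000-000000000000",
    "SecretString": "{\"username\":\"dbuser\",\"password\":\"s3cr3t\",\"engine\":\"mysql\",\"host\":\"db.example.internal\",\"port\":\"3306\",\"dbname\":\"app\"}",
    "VersionStages": ["AWSCURRENT"],
    "CreatedDate": 1600000000.0
}
'''

# Constructed sample of a binary secret as the CLI would print it (base64 text).
SAMPLE_BINARY_RESPONSE = {
    "Name": "local-test-binary",
    "SecretBinary": base64.b64encode(
        b'{"username":"u","password":"p","host":"h","port":"1"}'
    ).decode("ascii"),
}

# Fields a DB client cannot do without; engine/dbname are optional extras.
REQUIRED_KEYS = ("username", "password", "host", "port")


def secret_payload(response: dict) -> str:
    """Return the secret body as text.

    GetSecretValue carries either SecretString (text, here JSON) or
    SecretBinary. The CLI prints SecretBinary base64-encoded, while boto3
    returns raw bytes; both forms are accepted.
    """
    if "SecretString" in response:
        return response["SecretString"]
    if "SecretBinary" in response:
        raw = response["SecretBinary"]
        if isinstance(raw, str):
            raw = base64.b64decode(raw)
        return raw.decode("utf-8")
    raise ValueError("response carries neither SecretString nor SecretBinary")


def parse_db_credentials(response: dict) -> dict:
    """Turn a GetSecretValue response dict into a DB credential dict.

    The body is JSON nested inside the outer JSON, so it needs its own
    json.loads. Missing required keys raise instead of yielding a
    half-filled connection config.
    """
    creds = json.loads(secret_payload(response))
    missing = [k for k in REQUIRED_KEYS if k not in creds]
    if missing:
        raise KeyError(f"secret is missing fields: {missing}")
    # The console stores the port as a string; DB drivers want an int.
    creds["port"] = int(creds["port"])
    return creds


def parse_cli_output(text: str) -> dict:
    """Parse the raw text printed by the CLI and extract the credentials."""
    return parse_db_credentials(json.loads(text))


def redacted(creds: dict) -> dict:
    """Copy that is safe to log: the password never reaches stdout or logs."""
    return {k: ("***" if k == "password" else v) for k, v in creds.items()}


if __name__ == "__main__":
    print(redacted(parse_cli_output(SAMPLE_CLI_OUTPUT)))
```

In a real deployment the text would come from the CLI (for example via subprocess) or the dict from boto3’s get_secret_value; everything after that point is identical, which is the reason for splitting the parsing from the fetching.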
Inline/featured images credits
- Safe background image by Gabriel Wasylko on Unsplash
- AWS Webservices logo on Wikimedia