Getting started with AWS Secret Manager


AWS Secrets Manager is a service for keeping secrets safely in AWS and accessing them as needed. Think of it as 1Password for your infrastructure. AWS Secrets Manager can be seen as an alternative to Vault by HashiCorp. While Vault is open source and can be used free of charge, apart from the setup and maintenance cost, AWS Secrets Manager is a proprietary product. It costs $0.40 per secret per month, plus an additional $0.05 per 10K API calls. All in all, it makes sense to use it if the entire stack is hosted on AWS and the team doesn’t want to maintain Vault. In this article, I go through how to get started with Secrets Manager. For that, we are going to add dummy database credentials to Secrets Manager and pull them using the AWS CLI.

Adding database credentials to AWS Secret Manager

The first thing you need to do is log in to your AWS Management Console.

After that navigate to the main page and look for Secrets Manager.

AWS Management Console

The next step is to create a new secret. For that click on Store a new secret.

AWS Secret Manager secret creation

Now we have to choose what type of secret we want to store. For this example, we want to store DB credentials, but the database itself is not hosted in AWS, so we have to select Credentials for other database.

AWS Secret Manager db selection

Fill in the database username and password and scroll down. Select the database type, for example MySQL, and add the required connection information.

Then click Next, provide the secret name and a description, and click Next again.

AWS Secret Manager naming convention

Note: After creating the secret you can still change all of its details except the secret name, so name it wisely! It’s a good idea to use the API path convention for secret names, for example /secret/service-name/environment/name.

If you have a Lambda function to rotate the credentials, this is the place to configure it. Otherwise, just select the first option and click Next again.

AWS Secret Manager rotation

Review the details and click Store.

Configuring AWS CLI (optional)

In this step, I go through configuring AWS CLI. If you have already done it feel free to skip.

Having the AWS CLI is necessary to proceed to the next step, so make sure you have everything set up. Download and install the AWS CLI from the official AWS documentation.

If you don’t have an AWS access key ID and secret access key yet, don’t worry. You can create one by clicking on your profile and selecting My Security Credentials.

AWS My Security Credentials

From there, go to Access Keys and click Create New Access Key. Download the key and store it in a safe place. Let’s make good use of it now.

Download Security token

To configure the AWS CLI, type aws configure and enter access key, secret key, and region.

Alternatively, you can export the following three environment variables:

$ export AWS_ACCESS_KEY_ID=YOUR_ACCESS_KEY
$ export AWS_SECRET_ACCESS_KEY=YOUR_SECRET_KEY
$ export AWS_REGION=YOUR_ACCOUNT_REGION

Read the credentials with AWS CLI

After creating the secret, it’s time to read the credentials from your local machine using the AWS CLI. For that, type the following command:

$ aws secretsmanager get-secret-value --secret-id local-test

You should be able to see the details of the secret you created.
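The CLI does not return the credentials directly: it wraps them in metadata (ARN, Name, VersionId, ...) and the username, password, host, port and so on sit as a JSON string inside the SecretString field, which a consuming application has to unwrap. The following is an added example, not code from the article: it parses a constructed sample of that response, checks a secret name against the /secret/service-name/environment/name convention recommended above, masks the password before logging, and (only when run with the AWS CLI and credentials configured) fetches a real secret with the same command shown above.

```python
import json
import re
import subprocess

# The "Credentials for other database" secret type stores these keys as JSON in SecretString.
DB_KEYS = ("username", "password", "engine", "host", "port", "dbname")
# Naming convention from the article: /secret/service-name/environment/name
NAME_PATTERN = re.compile(r"^/secret/[a-z0-9-]+/[a-z0-9-]+/[a-z0-9-]+$")

def secret_name_is_valid(name: str) -> bool:
    """True if the name follows the /secret/service/environment/name convention."""
    return NAME_PATTERN.match(name) is not None

def parse_get_secret_value(response_json: str) -> dict:
    """Unwrap the CLI response (ARN, Name, VersionId, ...) and return the credentials."""
    response = json.loads(response_json)
    if "SecretString" not in response:
        raise ValueError("secret holds SecretBinary, not a credentials JSON")
    creds = json.loads(response["SecretString"])
    missing = [k for k in DB_KEYS if k not in creds]
    if missing:
        raise ValueError(f"secret {response.get('Name')} lacks keys: {missing}")
    creds["port"] = int(creds["port"])  # the console may save the port as a string
    return creds

def redacted(creds: dict) -> dict:
    """Copy of the credentials that is safe to log: the password is masked."""
    return {k: ("***" if k == "password" else v) for k, v in creds.items()}

def fetch_secret(secret_id: str) -> dict:
    """Run the article's CLI command and parse it (needs AWS CLI and credentials)."""
    cmd = ["aws", "secretsmanager", "get-secret-value",
           "--secret-id", secret_id, "--output", "json"]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return parse_get_secret_value(out)

# Constructed sample of a get-secret-value response for the article's secret.
SAMPLE_RESPONSE = json.dumps({
    "ARN": "arn:aws:secretsmanager:eu-west-1:123456789012:secret:local-test-AbCdEf",
    "Name": "local-test",
    "VersionId": "00000000-0000-0000-0000-000000000000",
    "SecretString": json.dumps({"username": "app_user", "password": "s3cr3t-example",
                                "engine": "mysql", "host": "db.example.internal",
                                "port": "3306", "dbname": "orders"}),
})

if __name__ == "__main__":
    print(redacted(parse_get_secret_value(SAMPLE_RESPONSE)))
```

The ARN, host and credential values in the sample are constructed; replace `SAMPLE_RESPONSE` with `fetch_secret("local-test")` to read the secret you stored.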
