You Don’t Have to Be a Big Corporation to Start Using AWS Secrets Manager

Alex Gordienko
Published in The Startup
4 min read · Dec 7, 2020


Photo by Jozsef Hocza on Unsplash

Many programmers host their code in public repositories like GitHub.com, and having your code published on GitHub is great when you are building a portfolio for future employers. But what do you do with the passwords your projects need? How do you work on a project with a small but inspired team and share credentials like database accounts and API tokens easily but safely? Committing passwords into your code is a way to lose your money: anything pushed to a public repository gets scraped by bots, and leaked keys get abused. But enterprise-grade secret managers, e.g. AWS Secrets Manager, are too complicated and expensive for small teams, right?

Well, the answer is no. Using AWS Secrets Manager is not harder than buying coffee for your office, and sometimes it is cheaper: at the time of writing it costs $0.40 per secret per month plus $0.05 per 10,000 API calls. After spending just 5 minutes on this article you will know how to use it in your project and keep your sensitive information safe.

First, we will create a new secret in Secrets Manager. You can read additional information about this service here, but we are going to learn how it works in practice. Start by going to your AWS Console, look for Secrets Manager in the list of services, and open it. This will bring you to the Secrets Manager home page:

The header of the AWS Secrets Manager home page

Click on "Store a new secret". We will go through the 4 steps of the wizard here. The first step is for entering the sensitive information we want to store. Let's say we want to save an API token (a made-up value, shown here only as an example):

123456:ABC-DEF1234ghIkl-zyx57W2v1u123ew11

Choose "Other type of secrets", enter a key for the token, e.g. 'token', and paste the token itself into the value field. Secrets Manager stores these key/value pairs as one JSON object, so later your code will receive a JSON string to parse rather than the bare token:

Step 1 “Secret type”

Enter the name of your secret; this is the identifier your code will use to retrieve it. You can also add a description and tags for the secret at this step and set a resource policy on it:

Step 2 “Name and description”

Step 3 is about rotation. In the future you might want to create a Lambda function which connects to the service you are protecting, requests new credentials and writes them back to Secrets Manager. That adds extra protection without the need to update passwords and other sensitive information in your codebase. For "Other type of secrets" there is no ready-made rotation function (AWS only supplies rotation templates for the database secret types), so you would have to write that Lambda yourself; for a simple API token you cannot regenerate programmatically, leave rotation disabled. All you need at this step is to select a rotation interval and choose a Lambda function for the job, or keep rotation off:

Step 3 “Configure rotation”

Step 4 shows a review of the settings you chose before and some sample code for retrieving the secret in several languages. Let's look at it:

The code example in Step 4 “Review”

Now it is time to set up permissions for this new secret. Go to the IAM service and click Policies -> Create policy. Search for Secrets Manager in the list of services and add GetSecretValue to Actions. This is the only action your code needs; do not tick the whole "Read" access level, which would also grant listing and describing secrets:

New IAM policy

Add the ARN of your secret in the Resources area; you can find it under Secret details in Secrets Manager. Note that the ARN ends with the secret name plus a random six-character suffix that Secrets Manager appends, so copy it rather than typing it from memory. Choosing "All resources" instead would let the holder of the access key read every secret in the account:

Adding a resource to the policy

Now attach your new policy to a group, role, or a particular user. A dedicated IAM user for this project is better than reusing one with broader rights, and never use the root account's keys for this. Then go to that user, open the "Security credentials" tab and create a new pair of Access Key ID and Secret Access Key with the "Create access key" button. These two values can read your secret, so they deserve the same care as the secret itself: keep them out of the repository and out of chat. Save them for the next step:
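For reference, this is the policy document those console clicks produce, as an added example rather than a screenshot from the article; the region, account ID, secret name my-app/api-token and the six-character suffix are placeholders you must replace with your own values:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOneSecret",
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:eu-central-1:123456789012:secret:my-app/api-token-AbCdEf"
    }
  ]
}
```

The Resource line is the part worth getting right. If you ever delete and recreate the secret, the random suffix changes and this policy stops matching; the pattern arn:aws:secretsmanager:eu-central-1:123456789012:secret:my-app/api-token-?????? matches exactly six trailing characters, so it survives recreation without also matching other secrets whose names merely start with the same prefix (which a trailing "*" would do).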

Now install the AWS command-line interface (CLI). There are several ways to install it, but I prefer pip, the Python package manager. Open a command line (cmd.exe, bash, etc., depending on your operating system), install the awscli package with pip, and then start the configuration wizard:

python -m pip install awscli
aws configure

You will be asked for the AWS Access Key ID and Secret Access Key that you generated in IAM, plus a default region (use the region where you created the secret). The wizard writes them to ~/.aws/credentials and ~/.aws/config in your home directory, outside any repository, so they cannot be committed by accident. If you are going to read the secret from Python, the Python sample from step 4 also needs the boto3 package installed.

That's it. Your secret is now in a safe place, and it can be accessed anywhere in your code like this:

AWS Secret Manager GetSecretValue example
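Since the code in the screenshot above cannot be reproduced here, the following is an added example of the same GetSecretValue call, written for this page rather than taken from the article or from AWS. The secret name my-app/api-token, the region eu-central-1 and the key name token are assumptions based on the walkthrough; the stub client and its sample responses are constructed so the example runs offline.

```python
"""Retrieve a secret from AWS Secrets Manager and parse it into a dict.

Added example for this page (not the article's code). Assumed names: the
secret "my-app/api-token", region "eu-central-1", key "token". The stub
client and sample responses at the bottom are constructed for offline use.
"""
import json


def parse_secret_response(response):
    """Convert a GetSecretValue response into a dict.

    A secret created with "Other type of secrets" is stored as a JSON object
    in SecretString, e.g. {"token": "123456:ABC..."}. A plaintext secret is a
    non-JSON string, and a binary secret arrives in SecretBinary, which boto3
    has already base64-decoded into bytes. All three cases return a dict so
    callers never have to special-case how the secret was stored.
    """
    if "SecretString" in response:
        raw = response["SecretString"]
        try:
            value = json.loads(raw)
        except ValueError:
            return {"plaintext": raw}
        # JSON that is not an object (e.g. a bare quoted string) is still
        # returned under a single key so the caller always gets a dict.
        return value if isinstance(value, dict) else {"plaintext": raw}
    if "SecretBinary" in response:
        return {"binary": bytes(response["SecretBinary"])}
    raise ValueError("response carries neither SecretString nor SecretBinary")


def get_secret(secret_name, region_name="eu-central-1", client=None):
    """Fetch and parse one secret.

    No credentials are passed here: boto3 reads them from the chain set up
    by `aws configure` (or from an instance/task role in production).
    `client` can be injected so the function is testable without AWS access.
    """
    if client is None:
        import boto3  # lazy import: the parser above works without boto3
        client = boto3.session.Session().client(
            service_name="secretsmanager", region_name=region_name
        )
    try:
        response = client.get_secret_value(SecretId=secret_name)
    except client.exceptions.ResourceNotFoundException as exc:
        raise KeyError(f"no secret named {secret_name!r} in {region_name}") from exc
    return parse_secret_response(response)


# --- Constructed stand-in for the boto3 client, used only for offline demo ---
class FakeSecretsManagerClient:
    """Mimics the two boto3 client features get_secret() relies on."""

    class exceptions:  # mirrors boto3's client.exceptions namespace
        class ResourceNotFoundException(Exception):
            pass

    def __init__(self, store):
        self._store = store

    def get_secret_value(self, SecretId):
        if SecretId not in self._store:
            raise self.exceptions.ResourceNotFoundException(SecretId)
        return self._store[SecretId]


# Constructed sample responses in the shape boto3 returns, using the made-up
# token from the article. SecretBinary is given as bytes, as boto3 delivers it.
SAMPLE_STORE = {
    "my-app/api-token": {
        "Name": "my-app/api-token",
        "SecretString": json.dumps(
            {"token": "123456:ABC-DEF1234ghIkl-zyx57W2v1u123ew11"}
        ),
    },
    "my-app/plain": {"Name": "my-app/plain", "SecretString": "hunter2"},
    "my-app/cert": {"Name": "my-app/cert", "SecretBinary": b"\x30\x82\x01\x0a"},
}

if __name__ == "__main__":
    client = FakeSecretsManagerClient(SAMPLE_STORE)
    token = get_secret("my-app/api-token", client=client)["token"]
    # Never print or log the whole value; the prefix is enough to confirm it.
    print("token starts with", token.split(":")[0])
```

The `client` argument exists only so the function can be exercised without an AWS account; in your project call get_secret("my-app/api-token") with no client and boto3 picks up the credentials saved by aws configure. Cache the result in your process rather than calling it on every request (each call is a billable API request and a network round-trip), never log the full value, and when a secret is no longer needed delete it in Secrets Manager instead of leaving it readable.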
