Shh, It's a Secret!

AWS Secrets Manager is a service we can use to store credentials, passwords and other sensitive information used by our applications. This article is a short walkthrough of how to use it.


Donnie Prakoso
Developer, self-proclaimed barista and cafe racer enthusiast. This blog is a collection of my writings on technology.
Published
Sunday, May 27, 2018

In every application we develop, our code always deals with secrets, such as database connection details or API keys. On top of that, from time to time we integrate our application with other systems, which means storing an API key for each of those systems inside our application. The more integrations we have, the more secrets we store. This is unavoidable.

Actually, there are a few options…

…for how we could store those secrets. The most primitive is to hardcode the secret keys[1]; a more elegant one is to collect them all in separate configuration file(s). Putting the secrets into configuration files is not that great either. It may make them easier to organise, but they still sit in plaintext on disk next to the code, so your system still carries a very real risk.

Approaches

A more common approach is to put those secrets in environment variables (ENV_VAR). At first I thought this was really nice: I only needed a simple bash script in the init script, so every time I spun up a new instance it would pick those secrets up from the environment automatically. Amazing!

But…

The headache comes when we need to update those secrets, or rotate them. I had this issue a few years ago when I had to update 80-ish microservices with rotated database passwords and with new API keys for social media integrations. It was super boring.

Wait, we are engineers, why don’t we…

Build a service that looks up secrets for authenticated and authorized callers? Good idea… again, at first. We could even implement SRP and JWS so that clients exchange passwords securely. But thinking it through, this service would grow with every feature we add to the product: each feature makes operational calls that depend on it. The imbalance between benefits and effort (mostly effort) just didn't add up for me.

By far the best approach to handling secrets is to programmatically retrieve the secret values at application runtime, from a store that keeps them encrypted. The basic idea is that we don't bake any secrets into our applications, their images or their configuration.

Fast Forward…

Two months ago, AWS launched AWS Secrets Manager which can help you to … guess what? Ditto! Manage your secrets.

For me it's a big deal, because I can centralize secrets, from API keys to database passwords, in one repository that I manage myself, optionally encrypted with my own KMS key instead of the AWS managed one. Let's see what it looks like.

AWS CLI
All demos in this post use the AWS CLI; if you don't have it yet, follow AWS's installation instructions. If you want to jump straight to programmatic calls, use the AWS SDK for your language.

Intro to AWS Secrets Manager

Let's say I want to list all of my secrets. At this stage I don't have any secrets yet, so I expect the following command to return an empty list.

$ aws secretsmanager list-secrets
{
    "SecretList": []
}

Looking good.

Let’s create a dummy secret and store it using AWS Secrets Manager.

$ aws secretsmanager create-secret --name "demo-create" --tags '[{"Key":"mode","Value":"demo"}]' --secret-string '[{"Key":"example 1","Value":"hello"}]'
{
    "ARN": "xxx",
    "Name": "demo-create",
    "VersionId": "58e3d142-b2dd-4347-876d-bc79474c7390"
}

That command created a new secret and, on top of that, returned the VersionId of the value you just stored. AWS Secrets Manager does not just store your secret: every change creates a new version, so you can keep track of and roll back values. Note that --secret-string is stored as an opaque string; Secrets Manager only interprets it as JSON in the console's key/value view and in the managed rotation functions, which expect a JSON object (for example {"username": ..., "password": ...}) rather than the list shape used in this demo.

Now, how about retrieving the secret? This is the operation our applications will actually use.

$ aws secretsmanager get-secret-value --secret-id demo-create

{
    "ARN": "xxx",
    "Name": "demo-create",
    "VersionId": "58e3d142-b2dd-4347-876d-bc79474c7390",
    "SecretString": "[{\"Key\":\"example 1\",\"Value\":\"hello\"}]",
    "VersionStages": [
        "AWSCURRENT"
    ],
    "CreatedDate": 1527877574.331
}
Nice! Now we can store and retrieve our secrets easily.
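The runtime retrieval described above, as an added example in Python (not the post's own code and not the author's Go demo): it parses a get-secret-value response in the shapes you actually meet, caches the result so the application does not call the API on every request, and re-fetches once when a cached credential stops working after a rotation. The get_secret_value(SecretId=..., VersionStage=...) call is the one boto3's secretsmanager client exposes; FakeSecretsManager, the secret names and the values are constructed for the example so it runs offline.

```python
"""Retrieve secrets at runtime, cache them, recover from rotation.
Added example, not code from the post or the author's Go demo. In production
pass boto3.client("secretsmanager"); FakeSecretsManager is a constructed stand-in
answering the same get_secret_value(SecretId=..., VersionStage=...) call offline.
All secret names and values are made up."""
import base64
import json
import time


class FakeSecretsManager:
    """In-memory fake: put() labels the newest version AWSCURRENT and demotes
    the previous one to AWSPREVIOUS, like the staging labels shown above."""
    def __init__(self):
        self._store, self.calls = {}, 0  # calls: API calls made, to show caching

    def put(self, name, secret_string):
        versions = self._store.setdefault(name, [])
        for v in versions:
            stages = v["VersionStages"]
            v["VersionStages"] = ["AWSPREVIOUS"] if "AWSCURRENT" in stages else []
        versions.append({"VersionId": "v%d" % (len(versions) + 1),
                         "VersionStages": ["AWSCURRENT"], "SecretString": secret_string})

    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT"):
        self.calls += 1
        for v in self._store.get(SecretId, []):
            if VersionStage in v["VersionStages"]:
                return {"ARN": "xxx", "Name": SecretId, **v}
        raise KeyError(SecretId)  # boto3 raises ResourceNotFoundException here


def parse_secret(response):
    """Normalise a get-secret-value response to a dict of key -> value.
    SecretString may be a JSON object (the shape the console's key/value editor
    and managed rotation use), the [{"Key":..,"Value":..}] list from the CLI demo
    above, or plain text; SecretBinary is bytes from boto3 and base64 text from
    the CLI. Anything that is not a key/value structure comes back under "value"."""
    if "SecretBinary" in response:
        raw = response["SecretBinary"]
        return {"value": base64.b64decode(raw) if isinstance(raw, str) else raw}
    try:
        data = json.loads(response["SecretString"])
    except ValueError:
        return {"value": response["SecretString"]}
    if isinstance(data, dict):
        return data
    if isinstance(data, list) and all(isinstance(i, dict) and "Key" in i for i in data):
        return {i["Key"]: i["Value"] for i in data}
    return {"value": data}


class SecretCache:
    """Keep parsed secrets for `ttl` seconds. Each get-secret-value call is billed
    and rate-limited, so never call it per request; refresh() discards the cached
    copy so a rotated credential is picked up before the TTL expires."""
    def __init__(self, client, ttl=300, clock=time.monotonic):
        self._client, self._ttl, self._clock = client, ttl, clock
        self._cache = {}  # (name, stage) -> (expires_at, parsed dict)

    def get(self, name, stage="AWSCURRENT"):
        hit = self._cache.get((name, stage))
        if hit and hit[0] > self._clock():
            return hit[1]
        parsed = parse_secret(self._client.get_secret_value(SecretId=name, VersionStage=stage))
        self._cache[(name, stage)] = (self._clock() + self._ttl, parsed)
        return parsed

    def refresh(self, name, stage="AWSCURRENT"):
        self._cache.pop((name, stage), None)
        return self.get(name, stage)


def with_fresh_credentials(cache, name, use):
    """Call use(creds); on an authentication failure re-fetch once and retry,
    so a password rotated out of band is picked up without a redeploy."""
    try:
        return use(cache.get(name))
    except PermissionError:
        return use(cache.refresh(name))


def demo():
    sm = FakeSecretsManager()
    sm.put("demo-create", '[{"Key":"example 1","Value":"hello"}]')
    sm.put("prod/db", json.dumps({"username": "app", "password": "old-pw"}))
    cache = SecretCache(sm, ttl=300)
    cache.get("prod/db")  # warms the cache; reads within the TTL cost no API call
    # Rotation happens out of band: the new password becomes AWSCURRENT.
    sm.put("prod/db", json.dumps({"username": "app", "password": "new-pw"}))
    calls_before = sm.calls

    def login(creds):  # stands in for a real database connect
        if creds["password"] != "new-pw":
            raise PermissionError("auth failed")
        return "connected"

    result = with_fresh_credentials(cache, "prod/db", login)
    return result, sm.calls - calls_before, cache.get("prod/db", "AWSPREVIOUS")["password"]
```

Swap FakeSecretsManager for boto3.client("secretsmanager") and nothing else changes. The role or credentials the application runs under then needs secretsmanager:GetSecretValue on that secret's ARN, plus kms:Decrypt on the key if you chose your own KMS key; that IAM policy is the access boundary that a configuration file on disk never gave you.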

A Tip for You!
If you create your secret in the console, it shows working sample code for retrieving that secret in several languages, which you can drop straight into your application.

Wrap Up

AWS Secrets Manager helps us securely encrypt, store and retrieve credentials, from database passwords to SSH keys, either as JSON, as simple key/value pairs or as binary, in a scalable way. There is more to it than what this post covers, from automatic password rotation to versioning with staging labels such as AWSCURRENT and AWSPREVIOUS.

By the way, if you speak Go and want to work with AWS Secrets Manager, I've created a really simple working demo in Go. You can find it in my GitHub repo here.

Having secrets is inevitable in our development universe

As of now, I've stored all my API keys, from Facebook, Twitter and Unsplash to SSH keys, in Secrets Manager. It's time for me to focus on building apps rather than struggling with these secrets. I hope it helps you as well.

Go build!


[1] Don't do this. Seriously, don't.