It's a Secret!

AWS Secrets Manager is a handy tool that you can use to store your credentials, secrets or sensitive information to be used in your applications.


Donnie Prakoso
Developer, self-proclaimed barista and cafe racer enthusiast. This blog is a collection of my writings on technology.
Published
Sunday, May 27, 2018

When it comes to building applications, it seems that our code is inevitably bound to secrets, like database credentials or API keys. More and more, we keep integrating our applications with other systems, and this also means that we have to store the API key for each respective service in our applications. The more integrations we have, the more secrets we store. It’s inevitable.

Actually, there are a few options…

…on how we can store secrets. The first and most primitive way is to hardcode those secrets [1], or, in a slightly more elegant way, to put all secrets into one or more separate configuration files. Placing secrets in configuration files wouldn’t do any better, though. It might help you organize your secrets, but your system still carries the same risk: the secrets are still sitting in plaintext alongside the code.

A more common approach is to place those secrets in environment variables (ENV_VAR). At first, I thought putting all secrets in ENV_VAR was really nice. I only needed to create a simple bash script and put it in the init script, so every time I spun up a new instance, it would get those secrets from ENV_VAR automatically. Amazing!

But…

A headache comes when we need to update those secrets, or even just rotate them. I had this issue a few years ago when I had to update 80-ish microservices because database passwords were rotated and new API keys for social media integrations were issued. It was super boring.

Wait, we are engineers, why don’t we…

Build a service that can look up secrets for authenticated and authorized callers? Good idea… (again) at first. We could also have that service implement SRP and JWS so that clients can exchange passwords securely. But thinking about it, this service would grow exponentially as we keep adding features to our product: every one of those features would make operational calls to it and depend on it. The imbalance between benefits and effort (mostly effort) just didn’t add up for me.

By far, the best approach to handling secrets is to programmatically retrieve encrypted secret values at application runtime. The basic idea is that we don’t have to store any secrets in our applications at all.

Fast Forward…

Two months ago, AWS launched AWS Secrets Manager which can help you to … guess what? Ditto! Manage your secrets.

For me, it’s a big deal, because I can centralize secrets, from API keys to database passwords, into one single repository that I manage myself, optionally using my own encryption keys. Let’s see what it looks like.

AWS CLI
All demos in this post use the AWS CLI; if you don’t have it yet, you can follow these friendly instructions. If you want to jump straight to programmatic calls, you can use the AWS SDK.

Intro to AWS Secrets Manager

Let’s say that I want to list all of my secrets. At this stage, I don’t have any secrets yet, so I’m expecting the output of the following command to be an empty JSON response.

$ aws secretsmanager list-secrets
{
    "SecretList": []
}

Looking good.

Let’s create a dummy secret and store it using AWS Secrets Manager.

$ aws secretsmanager create-secret --name "demo-create" --tags '[{"Key":"mode","Value":"demo"}]' --secret-string '[{"Key":"example 1","Value":"hello"}]'
{
    "ARN": "xxx",
    "Name": "demo-create",
    "VersionId": "58e3d142-b2dd-4347-876d-bc79474c7390"
}

That command created a new secret, and on top of that, you can see the VersionId of your secret. This way, AWS Secrets Manager not only stores your secret but also gives you the flexibility to maintain versions of your secrets.

Now, how about retrieving the secret? This is the operation we will actually use in our applications.

$ aws secretsmanager get-secret-value --secret-id demo-create

{
    "ARN": "xxx",
    "Name": "demo-create",
    "VersionId": "58e3d142-b2dd-4347-876d-bc79474c7390",
    "SecretString": "[{\"Key\":\"example 1\",\"Value\":\"hello\"}]",
    "VersionStages": [
        "AWSCURRENT"
    ],
    "CreatedDate": 1527877574.331
}

Nice! Now we can store and retrieve our secrets easily.
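To show what the runtime-retrieval idea from earlier in the post looks like inside an application, here is an added example (my code, not the author's Go demo or any AWS sample). It assumes the same keyword arguments and response shape as boto3's `get_secret_value`, but substitutes a constructed in-memory client so it runs offline; the `demo-db` secret and its AWSPREVIOUS version are constructed sample data, and the ARN is the page's own placeholder. The provider fetches a secret the first time it is asked for, caches it per (secret id, staging label), and only goes back to the API when `refresh=True` is passed, which is what you would do after a rotation.

```python
import json
from typing import Any, Dict, Tuple


class FakeSecretsManagerClient:
    """Constructed stand-in for boto3's Secrets Manager client so the example runs
    offline. get_secret_value takes the same keyword arguments and returns the same
    response shape as the real client; only the storage behind it is fake."""

    def __init__(self, versions: Dict[Tuple[str, str], Dict[str, Any]]) -> None:
        # keyed by (secret id, staging label), e.g. ("demo-create", "AWSCURRENT")
        self._versions = versions
        self.calls = 0  # counts API round trips so the cache's effect is visible

    def get_secret_value(self, SecretId: str, VersionStage: str = "AWSCURRENT") -> Dict[str, Any]:
        self.calls += 1
        try:
            return dict(self._versions[(SecretId, VersionStage)])
        except KeyError:
            raise LookupError(f"ResourceNotFoundException: {SecretId} ({VersionStage})")


def parse_secret_string(raw: str) -> Dict[str, Any]:
    """Normalise SecretString into a flat dict.

    The post stores a JSON list of {"Key": ..., "Value": ...} objects; the console's
    key/value editor stores a JSON object; a secret may also be a plain string."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError:
        return {"value": raw}
    if isinstance(data, list):
        return {str(item["Key"]): str(item["Value"]) for item in data}
    if isinstance(data, dict):
        return {str(k): str(v) for k, v in data.items()}
    return {"value": raw}


class SecretProvider:
    """Resolves secrets at runtime, caching each (id, stage) after the first fetch.

    Nothing is read from the code base, config files or environment variables;
    refresh=True forces a new API call, e.g. after a rotation."""

    def __init__(self, client: Any) -> None:
        self._client = client
        self._cache: Dict[Tuple[str, str], Dict[str, Any]] = {}

    def get(self, secret_id: str, stage: str = "AWSCURRENT", refresh: bool = False) -> Dict[str, Any]:
        key = (secret_id, stage)
        if refresh or key not in self._cache:
            resp = self._client.get_secret_value(SecretId=secret_id, VersionStage=stage)
            if "SecretString" in resp:
                self._cache[key] = parse_secret_string(resp["SecretString"])
            else:
                # binary secrets come back as bytes in SecretBinary; keep them as-is
                self._cache[key] = {"binary": resp["SecretBinary"]}
        return dict(self._cache[key])


def build_demo() -> Tuple[FakeSecretsManagerClient, SecretProvider]:
    """Constructed sample data: the post's demo-create response plus a hypothetical
    database secret that has been rotated once (AWSCURRENT and AWSPREVIOUS)."""
    versions = {
        ("demo-create", "AWSCURRENT"): {
            "ARN": "xxx",
            "Name": "demo-create",
            "VersionId": "58e3d142-b2dd-4347-876d-bc79474c7390",
            "SecretString": '[{"Key":"example 1","Value":"hello"}]',
            "VersionStages": ["AWSCURRENT"],
        },
        ("demo-db", "AWSCURRENT"): {
            "Name": "demo-db",
            "SecretString": '{"username": "app", "password": "rotated-pw-2", "host": "db.internal"}',
            "VersionStages": ["AWSCURRENT"],
        },
        ("demo-db", "AWSPREVIOUS"): {
            "Name": "demo-db",
            "SecretString": '{"username": "app", "password": "old-pw-1", "host": "db.internal"}',
            "VersionStages": ["AWSPREVIOUS"],
        },
    }
    client = FakeSecretsManagerClient(versions)
    return client, SecretProvider(client)


if __name__ == "__main__":
    client, provider = build_demo()
    creds = provider.get("demo-db")
    # log the non-sensitive fields only; the password stays out of stdout and logs
    print("connecting as", creds["username"], "to", creds["host"])
    print("API calls so far:", client.calls)
```

To use it against real AWS, replace `FakeSecretsManagerClient` with `boto3.client("secretsmanager")`; the `SecretProvider` code does not change, because it only relies on the `SecretId`/`VersionStage` keyword arguments and the `SecretString`/`SecretBinary` response fields.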

A Tip for You!
If you create your secret using the dashboard, there is a working code example that you can easily adapt for your applications.

Wrap Up

AWS Secrets Manager helps us securely encrypt, store, and retrieve credentials, from database passwords to SSH keys, in JSON format or as simple key-value pairs, in a scalable way. There are more features beyond what is described in this post, such as rotating passwords and versioning with staging labels.

By the way, if you speak Go and are looking to work with AWS Secrets Manager, I’ve created a really simple working demo in Go. You can find it in my GitHub repo here.

Having secrets is inevitable in our development universe

As of now, I’ve stored all my API keys there, from Facebook, Twitter and Unsplash to SSH keys. It’s time for me to focus on building apps rather than struggling with these secrets. I hope it helps you as well.

Go build!


1. Don’t do this. Seriously, don’t.