Part One: AWS Secrets Manager!

Imagine you’re looking to build a service or application which connects to an external service via access keys, or credentials. How do you plumb those into your application?

  • Hard code them?
  • Keep them external and add them when you bake the service?
  • Don’t bother and quit making your amazing app?

Hardcoding them is a terrible idea: changing them becomes a chore if they’re ever compromised, since you’d need to roll everything in your stack that consumes them. Plus they’d probably be checked into your repo, and if anyone gets hold of that, they’ve got your keys.

Baking them into your service when you run docker build, or otherwise make your service image, is a little better, but it requires a full rebuild of the service if the keys are ever compromised or you need to cycle the credentials.

Not bothering and quitting on your app/service is the coward’s way out; you should totally make your amazing application.

I’ve got a better way though. You should put them into AWS Secrets Manager! AWS Secrets Manager is a way to keep your secrets safe and away from prying eyes. They’re encrypted and only accessible to the role you grant your instance/container. No stealing them from your repos, or losing your post-it note of credentials. Plus you get the added benefit of rolling your keys by updating literally one location and restarting your container/service.

Putting the secrets into AWS Secrets Manager is as easy as an API call to the managed service via the AWS CLI.

aws secretsmanager create-secret --name MyTestDatabaseSecret \
    --description "My test database secret created with the CLI" \
    --secret-string file://mycreds.json

This will generate an ARN for the secret, which you would use in your application in place of the actual value.

NOTE: secrets can be stored as “plain text” rather than as a JSON blob if you’re only storing one value; the secret is still encrypted by KMS. You can also add an expiry date for the secret if you want to cycle them frequently, or leave them indefinitely.
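Here is what the consuming side of this looks like: the application resolves the secret by ARN at startup, so nothing lives in the repo or the image, and the same code copes with a JSON blob like mycreds.json, a single plain-text value, or a binary secret. This is an added example, not code from the original post; it assumes boto3 is installed, that the instance/container role is allowed secretsmanager:GetSecretValue on the secret, and the SECRET_ARN default is a constructed placeholder.

```python
"""Fetch a secret from AWS Secrets Manager and hand it to the application.

Added example, not from the original post. Assumes boto3 and a role that is
allowed secretsmanager:GetSecretValue on the secret's ARN.
"""
import json
import os

# Constructed placeholder; in practice the ARN returned by create-secret is
# injected through the environment, never hardcoded next to the code.
SECRET_ARN = os.environ.get(
    "DB_SECRET_ARN",
    "arn:aws:secretsmanager:us-east-1:123456789012:secret:MyTestDatabaseSecret-EXAMPLE",
)


def parse_secret_response(response: dict) -> dict:
    """Normalise a GetSecretValue response into a dict of credentials.

    Covers the shapes the post mentions: a JSON blob (mycreds.json), a single
    plain-text value, or a binary secret (boto3 returns SecretBinary as bytes).
    """
    if "SecretString" in response:
        raw = response["SecretString"]
        try:
            parsed = json.loads(raw)
        except json.JSONDecodeError:
            return {"value": raw}  # stored as plain text, not JSON
        return parsed if isinstance(parsed, dict) else {"value": parsed}
    if "SecretBinary" in response:
        return {"value": response["SecretBinary"]}
    raise ValueError("response carries neither SecretString nor SecretBinary")


def load_db_credentials(secret_id: str = SECRET_ARN, region: str = "us-east-1") -> dict:
    """Call Secrets Manager at startup; a restart picks up rotated values."""
    import boto3  # imported here so the parsing logic can be exercised offline

    client = boto3.client("secretsmanager", region_name=region)
    response = client.get_secret_value(SecretId=secret_id)
    return parse_secret_response(response)


if __name__ == "__main__":
    creds = load_db_credentials()
    print("loaded credential keys:", sorted(creds))  # log key names, never values
```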