How to Efficiently Manage Local Secrets Using AWS Secrets Manager

September 23, 2023

When secrets for local development are shared inside a company, they are commonly exchanged over messengers such as Slack or KakaoTalk.

This usually happens for two reasons:

  1. Existing local secrets have changed and need to be redistributed
  2. A new hire needs an initial set of secrets

Either way, sensitive secret values end up sitting in shared messenger channels, which is far from ideal from a security standpoint.

AWS Secret Generator

So I wrote a simple CLI tool in Go. It reads secrets stored in AWS Secrets Manager through a minimal command-line interface and saves the selected secret as a local file.

Usage

Preparation

  • It is assumed that AWS Access Key ID and AWS Secret Access Key are shared in advance.

  • AWS Secrets Manager Setup

    • First, open AWS Secrets Manager in the console and select ‘Store a new secret.’
    • Choose the secret type. Because the goal here is a whole config file with many settings, I chose the ‘Other type of secret’ option. (If you need a secret tied to a specific AWS service, pick the corresponding type instead.)
    • Open the Plaintext tab and paste the contents of your current local secrets file.
      • You can also enter the values as key/value pairs, which stores them as JSON.
      • For this walkthrough I assumed a simple YAML secret such as hello: world.
        • When storing a real config, make sure the stored content is exactly what your local setup loads.
    • Enter a secret name and description. The secret name is the key you will select in the CLI later, so make a note of it.
    • Decide whether the secret should be rotated periodically. I did not use this feature, so it is left unset.
    • Click the save button in the final step and the secret is created.
  • Follow the instructions in the repository below to install the CLI.

  • Using aws-secret-gen

    • Run the following on the command line, passing the path where the secret file should be saved:
    $ aws-secret-gen -o test-config.yaml{file path to save}
    • A prompt then asks for the AWS Access Key ID, Secret Access Key, and Region.
      • Enter the keys and region prepared earlier.
      >  Enter AWS Access Key ID: {prepared AWS Access Key ID}
      >  Secret AWS Secret Access Key: {prepared AWS Secret Access Key}
      >  Enter AWS Region: {AWS Region key: if Seoul, ap-northeast-2}
    • A list of secrets appears. Select the secret you created.
    Use the arrow keys to navigate: ↓ ↑ → ←
    ? Select Secret:
      ...
      ▸ test-config
    • Press Enter, and you can confirm that the secret file was written to the path you specified.
    $ cat ./test-config.yaml
    > hello: world
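To make the fetch-and-save step concrete, below is an added Go example that is not the aws-secret-gen code from the repository. It models Secrets Manager behind a small SecretStore interface (an assumption of this example; a real tool would back it with the AWS SDK's ListSecrets and GetSecretValue calls) and uses a constructed in-memory store so it runs offline. The part worth copying is FetchToFile: the secret value never passes through stdout, the file is created with 0600 permissions, an existing file is not overwritten unless explicitly requested, and the write goes through a temporary file plus rename so a crash cannot leave a half-written secret behind.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"sort"
)

// SecretStore is the minimal capability the CLI needs from AWS Secrets Manager.
// Hypothetical interface for this example; in a real tool the AWS SDK client
// would implement it.
type SecretStore interface {
	ListSecretNames(ctx context.Context) ([]string, error)
	GetSecretString(ctx context.Context, name string) (string, error)
}

// memoryStore is a constructed stand-in for Secrets Manager so the example runs offline.
type memoryStore struct{ secrets map[string]string }

func (m memoryStore) ListSecretNames(ctx context.Context) ([]string, error) {
	names := make([]string, 0, len(m.secrets))
	for n := range m.secrets {
		names = append(names, n)
	}
	sort.Strings(names) // stable ordering for the selection menu
	return names, nil
}

func (m memoryStore) GetSecretString(ctx context.Context, name string) (string, error) {
	v, ok := m.secrets[name]
	if !ok {
		return "", fmt.Errorf("secret %q not found", name)
	}
	return v, nil
}

// ErrExists is returned when the output file already exists and overwrite is false,
// so an existing local config is never replaced silently.
var ErrExists = errors.New("output file already exists; pass overwrite=true to replace it")

// FetchToFile pulls one named secret and writes it to outPath with 0600 permissions.
// The value is written via a temp file in the same directory and then renamed into
// place, so readers never observe a partially written secret file.
func FetchToFile(ctx context.Context, store SecretStore, name, outPath string, overwrite bool) error {
	if !overwrite {
		if _, err := os.Stat(outPath); err == nil {
			return ErrExists
		}
	}
	value, err := store.GetSecretString(ctx, name)
	if err != nil {
		return err
	}
	// os.CreateTemp creates the file with mode 0600; Chmod below makes that explicit.
	tmp, err := os.CreateTemp(filepath.Dir(outPath), ".secret-*.tmp")
	if err != nil {
		return err
	}
	tmpName := tmp.Name()
	defer os.Remove(tmpName) // cleans up on failure; harmless after a successful rename
	if err := tmp.Chmod(0o600); err != nil {
		tmp.Close()
		return err
	}
	if _, err := tmp.WriteString(value); err != nil {
		tmp.Close()
		return err
	}
	if err := tmp.Close(); err != nil {
		return err
	}
	return os.Rename(tmpName, outPath)
}

func main() {
	// Constructed sample data mirroring the walkthrough: one secret named test-config.
	store := memoryStore{secrets: map[string]string{"test-config": "hello: world\n"}}
	ctx := context.Background()

	names, _ := store.ListSecretNames(ctx)
	fmt.Println("available secrets:", names)

	out := filepath.Join(os.TempDir(), "test-config.yaml")
	if err := FetchToFile(ctx, store, "test-config", out, true); err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	info, _ := os.Stat(out)
	fmt.Printf("wrote %s (mode %v)\n", out, info.Mode().Perm())
}
```

The overwrite guard matters for the first scenario in the post (secrets that changed): the user must opt in to replacing a file, which avoids clobbering local edits by accident, while the 0600 mode keeps the saved file unreadable by other accounts on a shared machine.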