How To Manage Secrets In AWS Secrets Manager Using API
Hello Everyone
Welcome to CloudAffaire and this is Debjeet.
In today’s blog post, we will discuss how to manage secrets in AWS Secrets Manager using the API. AWS Secrets Manager enables you to store, retrieve, delete and rotate a secret for your application programmatically. It also supports encryption and secret versions to further strengthen your secret management. You can also use other AWS services such as AWS Config, CloudWatch and CloudTrail for monitoring and logging of the secrets in AWS Secrets Manager.
How To Manage Secrets In AWS Secrets Manager Using API:
Prerequisites:
- AWS CLI installed and configured with proper access. You can use the links below to install and configure AWS CLI.
https://cloudaffaire.com/how-to-install-aws-cli/
https://cloudaffaire.com/how-to-configure-aws-cli/
Step 1: Create a new secret with default encryption in AWS Secrets Manager using AWS CLI.

```bash
## Create a new secret in AWS Secrets Manager
aws secretsmanager create-secret \
  --name myapp/myappsecret \
  --secret-string '{
    "username": "debjeet",
    "password": "gst4%4z[{&"
  }' \
  --description "secret for cloudaffaire SM demo" \
  --tags 'Key=Name,Value=myappsecret'
```
Note: By default, if you don’t provide a KMS key during secret creation, AWS encrypts the secret with the default encryption key. If you want to encrypt the secret with your own KMS key, pass it with the --kms-key-id parameter in the command above.
Step 2: Get the newly created secret details.

```bash
## List all the secrets
aws secretsmanager list-secrets

## Get secret details
aws secretsmanager describe-secret \
  --secret-id myapp/myappsecret
```
Observe that although we get the secret details such as the secret version, creation date etc., we have not yet retrieved the actual secret value that we stored. We will do that next.
Step 3: Get the secret value from AWS Secrets Manager using AWS CLI.

```bash
## Get secret version details
aws secretsmanager list-secret-version-ids \
  --secret-id myapp/myappsecret \
  --include-deprecated

## Get secret value from AWS Secrets Manager
aws secretsmanager get-secret-value \
  --secret-id myapp/myappsecret \
  --version-stage AWSCURRENT
```
Note: A secret has versions which hold copies of the encrypted secret value. When you change the secret value, or the secret is rotated, Secrets Manager creates a new version. A secret always has a version with the staging label AWSCURRENT, which is the current secret value. During rotation, Secrets Manager uses staging labels to indicate the different versions of a secret:
- AWSCURRENT indicates the version that is actively used by clients. A secret always has an AWSCURRENT version.
- AWSPENDING indicates the version that will become AWSCURRENT when rotation completes.
- AWSPREVIOUS indicates the last known good version, in other words, the previous AWSCURRENT version.
Next, we are going to update this secret with a new secret value.
Step 4: Update a secret in AWS Secrets Manager using AWS CLI.

```bash
## Update secret in AWS Secrets Manager
aws secretsmanager update-secret \
  --secret-id myapp/myappsecret \
  --secret-string '{
    "host": "myapp.cloudaffaire.com",
    "port": "8888",
    "username": "debjeet",
    "password": "fr%#76jh0[[6",
    "dbname": "mydb",
    "engine": "mssql"
  }' \
  --description "updated secret for cloudaffaire SM demo"

## Get secret version details
aws secretsmanager list-secret-version-ids \
  --secret-id myapp/myappsecret \
  --include-deprecated

## Get current version secret value
aws secretsmanager get-secret-value \
  --secret-id myapp/myappsecret \
  --version-stage AWSCURRENT

## Get previous version secret value
aws secretsmanager get-secret-value \
  --secret-id myapp/myappsecret \
  --version-stage AWSPREVIOUS
```
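An application consuming these responses has to map staging labels to version ids and decode whatever `get-secret-value` returns. The following added example (not part of the original post; it uses constructed sample responses shaped like the CLI output after Step 4, with made-up version ids) resolves AWSCURRENT/AWSPREVIOUS from a `list-secret-version-ids` response, handles both `SecretString` and base64 `SecretBinary`, and checks that the updated secret carries every field the application expects:

```python
import base64
import json

# Constructed sample responses in the shape returned by
# `aws secretsmanager list-secret-version-ids` and `get-secret-value`
# after the update in Step 4. Version ids are made up for illustration.
VERSIONS_RESPONSE = {
    "Versions": [
        {"VersionId": "v2-updated", "VersionStages": ["AWSCURRENT"]},
        {"VersionId": "v1-original", "VersionStages": ["AWSPREVIOUS"]},
    ]
}
SECRET_FIELDS = {
    "host": "myapp.cloudaffaire.com", "port": "8888",
    "username": "debjeet", "password": "fr%#76jh0[[6",
    "dbname": "mydb", "engine": "mssql",
}
CURRENT_RESPONSE = {
    "Name": "myapp/myappsecret", "VersionId": "v2-updated",
    "VersionStages": ["AWSCURRENT"], "SecretString": json.dumps(SECRET_FIELDS),
}
# Same payload stored as binary; the CLI prints SecretBinary as base64.
BINARY_RESPONSE = {
    "Name": "myapp/myappsecret", "VersionId": "v2-updated",
    "SecretBinary": base64.b64encode(json.dumps(SECRET_FIELDS).encode()).decode(),
}
REQUIRED_KEYS = ("host", "port", "username", "password", "dbname", "engine")


def version_by_stage(versions_response, stage):
    """Return the VersionId carrying a staging label, or None if no version has it."""
    for version in versions_response.get("Versions", []):
        if stage in version.get("VersionStages", []):
            return version["VersionId"]
    return None


def decode_secret(response):
    """Parse a get-secret-value response into a dict and validate its fields."""
    if "SecretString" in response:
        raw = response["SecretString"]
    elif "SecretBinary" in response:
        raw = base64.b64decode(response["SecretBinary"]).decode("utf-8")
    else:
        raise ValueError("response carries neither SecretString nor SecretBinary")
    fields = json.loads(raw)
    missing = [key for key in REQUIRED_KEYS if key not in fields]
    if missing:
        raise ValueError(f"secret is missing required keys: {missing}")
    return fields
```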
We have successfully created and updated a secret in AWS Secrets Manager using AWS CLI.
You can also retrieve the secret value from the AWS Management Console by clicking the “Retrieve secret value” button.
Step 5: Delete a secret in AWS Secrets Manager using AWS CLI.

```bash
## Delete the secret
## Without --force-delete-without-recovery, Secrets Manager schedules the
## deletion after a recovery window (30 days by default), during which
## the secret can still be restored.
aws secretsmanager delete-secret \
  --secret-id myapp/myappsecret \
  --force-delete-without-recovery
```
Hope you have enjoyed this article. To know more about AWS Secrets Manager, please refer to the official documentation below:
https://docs.aws.amazon.com/secretsmanager/index.html