How To Replicate Secrets In AWS Secrets Manager
Hello Everyone
Welcome to CloudAffaire and this is Debjeet.
In today's blog post, we will discuss how to replicate secrets from one region to another in AWS Secrets Manager. If you are building a multi-region application and need to store your application secrets in AWS Secrets Manager, you can use the secret replication feature to copy a secret from one primary region to one or more replica regions. Replication is asynchronous and near real-time: the primary secret remains the single place you write to, each replica is a read-only copy encrypted with a KMS key in its own region, and a value you update or rotate in the primary region is propagated to every replica without your applications in those regions having to do anything.
How To Replicate Secrets In AWS Secrets Manager:
Prerequisites:
- AWS CLI installed and configured with proper access, plus jq for parsing CLI output. You can use the links below to install and configure the AWS CLI.
https://cloudaffaire.com/how-to-install-aws-cli/
https://cloudaffaire.com/how-to-configure-aws-cli/
Step 1: Create a new KMS key in the primary region. This customer managed key will be used to encrypt the secret in the primary region (Secrets Manager would otherwise fall back to the AWS managed key aws/secretsmanager).
```bash
## Create a new KMS key in the primary region
APAC_KMS_KEY_ARN=$(aws kms create-key \
  --tags TagKey=Purpose,TagValue=SecretEncryption \
  --region ap-south-1 \
  --description "Used to encrypt secrets in AWS SM" | jq -r .KeyMetadata.Arn)
```
Step 2: Create a new secret in the primary region.
```bash
## Create a new secret in the primary region
aws secretsmanager create-secret \
  --name myapp/production \
  --secret-string '{ "username": "debjeet", "password": "gst4%4z[{&" }' \
  --kms-key-id "$APAC_KMS_KEY_ARN" \
  --description "Secrets for my application" \
  --tags 'Key=Name,Value=myappsecret' \
  --region ap-south-1

## Get secret details in the primary region
aws secretsmanager describe-secret \
  --secret-id myapp/production \
  --region ap-south-1
```
Before we enable replication between the primary and secondary regions, we need a KMS key in the secondary region to encrypt the replica. KMS keys are regional, so the key from Step 1 cannot be used in us-east-1; every replica region needs a key of its own.
Step 3: Create a new KMS key in the secondary region.
```bash
## Create a new KMS key in the secondary region
US_KMS_KEY_ARN=$(aws kms create-key \
  --tags TagKey=Purpose,TagValue=SecretEncryption \
  --region us-east-1 \
  --description "Used to encrypt secrets in AWS SM" | jq -r .KeyMetadata.Arn)
```
Step 4: Configure secret replication from the primary region to the secondary region.
```bash
## Replicate the secret to the secondary region.
## --force-overwrite-replica-secret overwrites an existing secret with the
## same name in the target region, so leave it out unless that is intended.
aws secretsmanager replicate-secret-to-regions \
  --secret-id myapp/production \
  --add-replica-regions "Region=us-east-1,KmsKeyId=$US_KMS_KEY_ARN" \
  --force-overwrite-replica-secret \
  --region ap-south-1
```
Note: You can replicate a secret to multiple secondary regions by passing several Region=...,KmsKeyId=... entries to --add-replica-regions. The replicas keep the same secret name as the primary and are read-only; value changes are made only in the primary region. The output of describe-secret in the primary region includes a ReplicationStatus entry per replica region whose Status should read InSync once replication has completed.
Step 5: Validate that the secret has been replicated to the secondary region.
```bash
## List all the secrets in the secondary region
aws secretsmanager list-secrets \
  --region us-east-1

## Get the secret value from the secondary region
aws secretsmanager get-secret-value \
  --secret-id myapp/production \
  --version-stage AWSCURRENT \
  --region us-east-1
```
Next, we are going to update the secret in the primary region. The update should be replicated to the secondary region in near real time.
Step 6: Update the secret in the primary region.
```bash
## Update the secret in the primary region (creates a new AWSCURRENT version)
aws secretsmanager update-secret \
  --secret-id myapp/production \
  --secret-string '{ "host": "myapp.cloudaffaire.com", "port": "8888", "username": "debjeet", "password": "fr%#76jh0[[6", "dbname": "mydb", "engine": "mssql" }' \
  --description "updated secret for cloudaffaire SM demo" \
  --region ap-south-1
```
Step 7: Validate that the update has been replicated to the secondary region.
```bash
## Get secret version details in the secondary region
aws secretsmanager list-secret-version-ids \
  --secret-id myapp/production \
  --include-deprecated \
  --region us-east-1

## Get the current version's value in the secondary region
aws secretsmanager get-secret-value \
  --secret-id myapp/production \
  --version-stage AWSCURRENT \
  --region us-east-1
```
We have successfully configured secret replication and verified that it works. Next, we are going to delete all the resources deployed in this demo to avoid any additional cost.
Step 8: Clean up.
```bash
## Stop replication by promoting the replica in the secondary region to a
## standalone secret. A primary secret cannot be deleted while it still has
## replicas, so this (or remove-regions-from-replication) must come first.
aws secretsmanager stop-replication-to-replica \
  --secret-id myapp/production \
  --region us-east-1

## Delete the secrets in both regions (no recovery window, so only do this for demo data)
aws secretsmanager delete-secret \
  --secret-id myapp/production \
  --force-delete-without-recovery \
  --region ap-south-1 && \
aws secretsmanager delete-secret \
  --secret-id myapp/production \
  --force-delete-without-recovery \
  --region us-east-1

## Schedule the KMS keys for deletion in both regions (7 days is the shortest allowed window)
aws kms schedule-key-deletion \
  --key-id "$APAC_KMS_KEY_ARN" \
  --region ap-south-1 \
  --pending-window-in-days 7 && \
aws kms schedule-key-deletion \
  --key-id "$US_KMS_KEY_ARN" \
  --region us-east-1 \
  --pending-window-in-days 7
```
Hope you have enjoyed this article. To know more about AWS Secrets Manager, please refer to the official documentation below.
https://docs.aws.amazon.com/secretsmanager/index.html