AWS Secrets Manager


  • Newer service, meant for storing secrets
  • Capability to force rotation of secrets every X days
  • Automate generation of secrets on rotation (uses Lambda)
  • Integration with RDS
  • Secrets are encrypted using KMS
  • Mostly meant for RDS integration

Multi-Region Secrets

  • Replicate Secrets across multiple AWS Regions
  • Secrets Manager keeps read replicas in sync with the primary Secret
  • Ability to promote a read replica Secret to a standalone Secret

Using Secrets Manager with Python


import logging

logger = logging.getLogger(__name__)


class GetSecretWrapper:
    def __init__(self, secretsmanager_client):
        # A boto3 Secrets Manager client, e.g. boto3.client("secretsmanager")
        self.client = secretsmanager_client

    def get_secret(self, secret_name):
        """
        Retrieve individual secrets from AWS Secrets Manager using the get_secret_value API.
        This function assumes the stack mentioned in the source code README has been successfully deployed.
        This stack includes 7 secrets, all of which have names beginning with "mySecret".

        :param secret_name: The name of the secret fetched.
        :type secret_name: str
        """
        try:
            get_secret_value_response = self.client.get_secret_value(
                SecretId=secret_name
            )
            # Log the outcome only, never the secret value itself.
            logger.info("Secret retrieved successfully.")
            return get_secret_value_response["SecretString"]
        except self.client.exceptions.ResourceNotFoundException:
            msg = f"The requested secret {secret_name} was not found."
            logger.info(msg)
            return msg
        except Exception as e:
            logger.error(f"An unknown error occurred: {str(e)}.")
            raise
  • When the secret is stored as "Other type of secret" key-value pairs, get_secret_value_response returns the value as a String in JSON format
  • It can be converted to a dictionary with json.loads() before use
  • Of course, the IAM Role assigned to the Lambda must be granted the GetSecretValue permission before the call will succeed

AWS-Parameters-and-Secrets-Lambda-Extension


  • AWS Secrets Manager charges for every API call
  • At 5 USD per 1M calls it is cheap, so for a service that does not make many calls the cost is acceptable
  • For a service that makes many calls, this Extension (attached as a Lambda Layer) caches the retrieved secrets so they can be reused; faster response times are a further benefit
