Secrets Manager


Overview

What are secrets?

  • Secrets Manager helps you store, retrieve, and rotate secrets such as:

    • application credentials

    • OAuth tokens

    • API keys

    • database credentials (RDS, DocumentDB, Redshift cluster, etc.)

  For example, a database secret is stored as a JSON document of key/value pairs:

{
  "host"       : "ProdServer-01.databases.example.com",
  "port"       : "8888",
  "username"   : "administrator",
  "password"   : "EXAMPLE-PASSWORD",
  "dbname"     : "MyDatabase",
  "engine"     : "mysql"
}

Other types of secret and the AWS service that manages them

  Type                           Service
  -----------------------------  ----------------------------
  AWS credentials                IAM
  Encryption keys                AWS Key Management Service
  SSH                            EC2 Instance Connect
  Private keys and certificates  AWS Certificate Manager

Features

Force rotation of secrets

  • Force rotation after X days

  • Automate generation of the new secret value with a Lambda rotation function

Multi-region secrets

  • replicate secrets to multiple regions

  • keep the replicated secrets in sync with the primary secret

  • Use cases:

    • a multi-region app also needs a multi-region secret, so the app can be accessed with the same secret in every region.

Encrypted using KMS

  • Secrets are encrypted at rest using KMS

Best practices

If the data is not a secret, do not use Secrets Manager. SM is a paid service: you pay for someone to take care of your secrets, so if the data is not secret it is not worth the money.

Trivia

  • Get a random password like this:

$ aws secretsmanager get-random-password
{
    "RandomPassword": "eiCziBXZUgO6$:il3B,m4W`JFKI4;oGa"
}
