feat(kb): introduce secrets management

2026-02-09 05:44:23 +00:00 · 2025-08-02 22:47:51 +02:00
parent 5a30a80597
commit 1f2259ad91
10 changed files with 340 additions and 63 deletions
--- a/computing/aws/README.md
+++ b/computing/aws/README.md
@@ -227,6 +227,7 @@ One can can rapidly remapping addresses to other instances in one's account and
 | [Route53]                     | DNS                                           |
 | [S3]                          | Storage                                       |
 | [Sagemaker]                   | Machine learning                              |
+| [Secrets Manager]             | Secrets management                            |
 | [Security Hub]                | Aggregator for security findings              |
 | [SNS]                         | Pub/sub message delivery                      |
 | [SQS]                         | Queues                                        |
@@ -895,6 +896,7 @@ machine if not.
 [route53]: route53.md
 [s3]: s3.md
 [sagemaker]: sagemaker.md
+[secrets manager]: secrets%20manager.md
 [sns]: sns.md
 [sqs]: sqs.md

--- a/computing/aws/secrets
+++ b/computing/aws/secrets
@@ -0,0 +1,74 @@
+# AWS Secrets Manager
+
+AWS' native secrets management service.
+
+1. [TL;DR](#tldr)
+1. [Further readings](#further-readings)
+   1. [Sources](#sources)
+
+## TL;DR
+
+Provides integration with the AWS ecosystem and has automatic rotation capabilities specifically designed for AWS
+services.
+
+Offers precise access control to each secret via fine-grained IAM permissions with resource-based policies.<br/>
+Supports VPC endpoints to enables private network access without the need for Internet routing. Optimal for air-gapped
+or highly secure environments.<br/>
+Critical secrets can be replicated cross-region.
+
+Costs $0.40 per secret per month, plus $0.05 per 10,000 API calls.<br/>
+Secrets that are marked for deletion are not paid for.
+
+Secrets Manager uses keys from KMS to encrypt the secrets it manages.<br/>
+On first use, Secrets Manager creates the AWS-managed key `aws/secretsmanager` to encrypt the secrets given to it. There
+is **no** cost for using this key.<br/>
+When _automatic_ rotation is turned on for a secret, Secrets Manager uses a Lambda function to rotate it. The use of the
+Lambda function is charged at the current Lambda rate.
+The rotation function is **not** called for secrets using _managed_ rotation.
+
+Logs of the API calls that Secrets Manager sends out are sent to CloudTrail, if it is enabled. Costs for CloudTrail are
+**in addition** to the ones incurred by using Secrets Manager.
+
+```sh
+aws secretsmanager create-secret --name 'TestSecretFromFile' --secret-string 'file://gcp_credentials.json'
+aws secretsmanager create-secret \
+  --name 'MyTestSecret' --description 'A test secret created with the CLI.' \
+  --secret-string '{"user":"diego","password":"EXAMPLE-PASSWORD"}' \
+  --tags '[{"Key": "FirstTag", "Value": "FirstValue"}, {"Key": "SecondTag", "Value": "SecondValue"}]'
+```
+
+Secrets can be any text or binary up to 65536 bytes (64KB).<br/>
+Should one want to automatically rotate them, they must contain the specific JSON fields that the rotation function
+expects. Refer the [JSON structure of AWS Secrets Manager secrets].
+
+Secret have versions that hold copies of their encrypted value.<br/>
+When changing the secret value, or when the secret is rotated, Secrets Manager creates a new version and serves that by
+default. The old version is kept (up to a point), but not accessed unless specifically requested.
+
+One can access a secret across multiple Regions by replicating it.<br/>
+When replicating a secret, Secrets Manager creates a copy of the original (A.K.A. _primary_) secret. That copy is known
+as a _replica_ secret.<br/>
+The replica secret remains linked to the primary secret, and is updated when a new version of the primary is created.
+
+Secrets Manager uses [IAM] to allow only authorized users to access or modify a secret.
+
+_Managed_ secrets are created and managed by the AWS service that created them.<br/>
+The managing service might also restrict users from updating secrets, or deleting them without a recovery period.<br/>
+Managed secrets use a naming convention that includes the ID of the service managing them.
+
+## Further readings
+
+### Sources
+
+<!--
+  Reference
+  ═╬═Time══
+  -->
+
+<!-- In-article sections -->
+<!-- Knowledge base -->
+[IAM]: iam.md
+
+<!-- Upstream -->
+<!-- Others -->
+[JSON structure of AWS Secrets Manager secrets]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_secret_json_structure.html