AWS Secrets Manager

AWS' native secrets management service.

  1. TL;DR
  2. Further readings
    1. Sources

TL;DR

Integrates with the AWS ecosystem and offers automatic rotation capabilities designed specifically for AWS services.

Offers precise access control to each secret via fine-grained IAM permissions and resource-based policies.
Supports VPC endpoints to enable private network access without the need for Internet routing, which suits air-gapped or highly restricted environments.
Critical secrets can be replicated across Regions.

Costs $0.40 per secret per month, plus $0.05 per 10,000 API calls.
Secrets marked for deletion are not charged.

Secrets Manager uses keys from KMS to encrypt the secrets it manages.
On first use, Secrets Manager creates the AWS-managed key aws/secretsmanager to encrypt the secrets given to it. There is no cost for using this key.
When automatic rotation is turned on for a secret, Secrets Manager uses a Lambda function to rotate it. The use of the Lambda function is charged at the current Lambda rate. The rotation function is not called for secrets using managed rotation.

Logs of Secrets Manager API calls are sent to CloudTrail, if it is enabled. CloudTrail costs are in addition to those incurred by using Secrets Manager.

```sh
# Create a secret whose value is read from a local file (the file:// prefix makes the CLI load the file's contents).
aws secretsmanager create-secret --name 'TestSecretFromFile' --secret-string 'file://gcp_credentials.json'

# Create a JSON secret with a description and tags.
aws secretsmanager create-secret \
  --name 'MyTestSecret' --description 'A test secret created with the CLI.' \
  --secret-string '{"user":"diego","password":"EXAMPLE-PASSWORD"}' \
  --tags '[{"Key": "FirstTag", "Value": "FirstValue"}, {"Key": "SecondTag", "Value": "SecondValue"}]'
```

Secrets can be any text or binary value up to 65536 bytes (64 KB).
Should one want to rotate them automatically, they must contain the specific JSON fields that the rotation function expects. Refer to the JSON structure of AWS Secrets Manager secrets.
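As an added pre-flight check (not from the original page or from AWS), the following applies the two constraints above before a secret is created: the 65536-byte limit, measured in bytes rather than characters, and the presence of the JSON fields needed for rotation. The field names `engine`, `host`, `username` and `password` are an assumption taken from the AWS-provided RDS rotation templates; the page itself does not list them.

```python
import json
from typing import List, Union

# Constraint stated on the page: any text or binary value up to 65536 bytes.
MAX_SECRET_BYTES = 65536
# Assumption: field names expected by the AWS-provided RDS rotation templates
# (the page only says "the specific JSON fields that the rotation function expects").
ROTATION_REQUIRED_FIELDS = ("engine", "host", "username", "password")


def secret_size_ok(value: Union[str, bytes]) -> bool:
    """Secrets Manager enforces the limit in bytes, so text is measured after UTF-8 encoding."""
    data = value.encode("utf-8") if isinstance(value, str) else value
    return len(data) <= MAX_SECRET_BYTES


def rotation_fields_missing(secret_string: str) -> List[str]:
    """Required rotation fields that are absent or empty; an empty list means the secret is rotatable.

    A value that is not a JSON object cannot be rotated by the templates at all,
    so every required field is reported as missing.
    """
    try:
        doc = json.loads(secret_string)
    except json.JSONDecodeError:
        return list(ROTATION_REQUIRED_FIELDS)
    if not isinstance(doc, dict):
        return list(ROTATION_REQUIRED_FIELDS)
    return [f for f in ROTATION_REQUIRED_FIELDS if doc.get(f) in ("", None)]


def preflight(secret_string: str, rotate: bool) -> List[str]:
    """Every reason create-secret would be rejected or a later rotation would fail."""
    problems = []
    if not secret_size_ok(secret_string):
        problems.append("secret exceeds %d bytes" % MAX_SECRET_BYTES)
    if rotate:
        problems.extend("rotation field missing: " + f for f in rotation_fields_missing(secret_string))
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    samples = {
        "cli-style secret, rotation on": ('{"user":"diego","password":"EXAMPLE-PASSWORD"}', True),
        "rds-shaped secret, rotation on": ('{"engine":"mysql","host":"db.example.internal",'
                                          '"username":"app","password":"EXAMPLE-PASSWORD"}', True),
        "40000 two-byte chars, rotation off": ("\u00e9" * 40000, False),
    }
    for label, (value, rotate) in samples.items():
        print(label, "->", preflight(value, rotate) or "ok")
```

Note that the CLI example above uses `user` rather than `username`, so it would be accepted by `create-secret` but flagged here as not rotatable by the RDS templates.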

Secrets have versions that hold copies of their encrypted value.
When the secret value is changed, or when the secret is rotated, Secrets Manager creates a new version and serves that by default. The old version is kept (up to a point), but is not returned unless specifically requested.

One can access a secret across multiple Regions by replicating it.
When replicating a secret, Secrets Manager creates a copy of the original (A.K.A. primary) secret. That copy is known as a replica secret.
The replica secret remains linked to the primary secret, and is updated when a new version of the primary is created.

Secrets Manager uses IAM to allow only authorized principals to access or modify a secret.
Permissions can be set in IAM policies that are identity-based (the usual ones, attached to IAM identities) or resource-based (attached to a specific secret).

Managed secrets are created and managed by the AWS service that created them.
The managing service might also restrict users from updating secrets, or deleting them without a recovery period.
Managed secrets use a naming convention that includes the ID of the service managing them.

Further readings

Sources