Secrets are authentication details, such as a password, that allow a user (for example via the authorization code flow) or a service (for example via the client credentials flow) to verify its identity.
AWS has a few ways to manage these secrets, and their functionality often overlaps; this is how I have found them to be useful.
Precursor
The IAM role will need these policy statements:
Action: kms:Decrypt
Action: ssm:GetParameters
Action: secretsmanager:GetSecretValue
(only needed if you access Secrets Manager programmatically, which is not the main flow described below)
AWS Systems Manager (SSM) - Parameter Store
Use Case: Simple encrypted secret storage for your application to access
Note that KMS also supports automatic key rotation with a configurable rotation period if you wish.
AWS Systems Manager (SSM) Parameter Store (SecureString parameters) is a great way to store secrets that your application reads at runtime and then stores as environment variables. With .NET these can override appsettings. To get started, follow these high-level steps:
- Create a Key Management Service (KMS) key. For simple encryption of data at rest, a symmetric encryption KMS key is sufficient. I normally create these keys in the AWS console (their website), but you can also use the CLI:
aws kms create-key
You will need the key ARN (KMS-KEY-ARN below); it will look something like arn:aws:kms:{REGION}:{ACCOUNT-NUMBER}:key/mrk-00000000000000000000000000000000
- Create the parameter. The simplest way is with the CLI, because the option is hidden in the console and I always have to click around to find it:
aws ssm put-parameter --name "/path/to/your/secret" --type SecureString \
    --key-id "KMS-KEY-ARN" --value "your-secret-value"
- Using the KMS key, read the secret from Parameter Store. At a high level this could look like:
Create a GetSecureParameterAsync method in an abstracted service:
using Amazon;
Call the GetSecureParameterAsync method and use the secret in your application:
string parameterName = "/path/to/your/secret";
Secrets Manager
Use Case: Simple encrypted secret storage for secrets you want to rotate and that are generally accessed manually by humans
Note that you can also access Secrets Manager programmatically if you wish.
- Create the KMS key, as described above.
- Create the secret; the simplest way is with the CLI:
aws secretsmanager create-secret --name "your-secret-name" \
    --kms-key-id "KMS-KEY-ARN" --secret-string "your-secret-value"
- Access the secret manually in the console
If you instead want to read these secrets from your code, the method to get the secret could look like:
public static async Task<string> GetSecretValueAsync(string secretName, string regionEndpoint)
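As an added example (not the post's own code), here is one way to implement both the Parameter Store and the Secrets Manager read methods in a small .NET service using the AWS SDK for .NET. It assumes the AWSSDK.SimpleSystemsManagement and AWSSDK.SecretsManager NuGet packages, an IAM role with the policy actions listed at the top of the post, and placeholder parameter, secret and region names.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Threading.Tasks;
using Amazon;
using Amazon.SecretsManager;
using Amazon.SecretsManager.Model;
using Amazon.SimpleSystemsManagement;
using Amazon.SimpleSystemsManagement.Model;
// Added example, not the post's own code; parameter, secret and region names are placeholders.
public static class SecretReader
{
    // WithDecryption = true makes SSM call KMS for us (hence kms:Decrypt in the role).
    // GetParameters (the ssm:GetParameters action) does not throw for an unknown name;
    // it lists it in InvalidParameters, so that has to be checked explicitly.
    public static async Task<string> GetSecureParameterAsync(string parameterName, string regionEndpoint)
    {
        using var client = new AmazonSimpleSystemsManagementClient(RegionEndpoint.GetBySystemName(regionEndpoint));
        var request = new GetParametersRequest { Names = new List<string> { parameterName }, WithDecryption = true };
        GetParametersResponse response = await client.GetParametersAsync(request);
        if (response.InvalidParameters?.Count > 0 || response.Parameters == null || response.Parameters.Count == 0)
            throw new InvalidOperationException($"Parameter not found or not readable: {parameterName}");
        return response.Parameters[0].Value;
    }

    // Ask for AWSCURRENT explicitly so a rotation still in progress (AWSPENDING) is never read.
    public static async Task<string> GetSecretValueAsync(string secretName, string regionEndpoint)
    {
        using var client = new AmazonSecretsManagerClient(RegionEndpoint.GetBySystemName(regionEndpoint));
        var request = new GetSecretValueRequest { SecretId = secretName, VersionStage = "AWSCURRENT" };
        GetSecretValueResponse response = await client.GetSecretValueAsync(request);
        if (response.SecretString != null)
            return response.SecretString;
        // Binary secrets arrive as a MemoryStream; this example treats them as UTF-8 text.
        return Encoding.UTF8.GetString(response.SecretBinary.ToArray());
    }
}

public static class Program
{
    public static async Task Main()
    {
        const string region = "us-east-1"; // placeholder region
        string dbPassword = await SecretReader.GetSecureParameterAsync("/path/to/your/secret", region);
        string apiKey = await SecretReader.GetSecretValueAsync("your-secret-name", region);
        // Expose via environment variables (which override appsettings in .NET) instead of logging them.
        Environment.SetEnvironmentVariable("DB_PASSWORD", dbPassword);
        Environment.SetEnvironmentVariable("API_KEY", apiKey);
    }
}
```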