- Newest
- Most votes
- Most comments
Good question!
What you may see if you're running things locally is to put the initial credentials into your configuration file locally. However, there is still an authentication need - to authenticate into an IAM entity that has access to AWS, for example an IAM User or IAM role.
If your application is running in AWS, that's where the integration of AWS IAM and Secrets Management is fantastic. For example, if your app is running on an ec2, the ec2 IAM Role will need IAM permissions to access the Secret (also considering Secret Resource policy and KMS as needed) and can retrieve it programatically using CLI or Boto3 like the link you've shared: https://repost.aws/questions/QUAsOpdhR-QAKVZEL0nRGTkw/aws-secrets-manager-with-boto-3-in-python.
It depends how you are executing the code that is retrieving the secrets.
For example if you are executing your python script from an EC2 machine, you assign an IAM role to the machine which gives it access to Secrets Manager. Boto3 will automatically pick up the permissions and you wont need to supply credentials.
I see what you mean. For now, I'm executing this python script on my own PC at home, but I've heard that putting secrets in a config file is not a best practice. What do you think? Is there a way to use secrets manager to get the secrets from my pc? I doubt it, right? Thanks.
Relevant content
- asked 2 years ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago
I see. And since the secrets I do have stored have very limited access and no admin access, even if they did get out, the impact would be minor.