Best practice for Secrets Manager Usage

0

What are the best practices in structuring the secrets in secret manager?

More specifically, if I have a vendor client-id and client-secret, should I store them separately as prod/vendor/client-id and prod/vendor/client-secret, OR store them as /prod/vendor-creds and then use a JSON object {"client_id": "<id>", "client_secret": "<secret>"} as the value?

What if I have multiple secrets needed in the same service? Would it be a good idea to store prod/<my-app-name> and then just put all secrets in it as a JSON object (e.g., {"vendor_client_id": "<id>", "private_signing_key": "<>"} etc.)? This would allow my service to just call the Secrets Manager API once on startup to get all credentials.

spy16
asked 2 months ago · 118 views
1 Answer
1
Accepted Answer

Hi,

On your questions:

  1. Yes, you can structure the secret that you need with the JSON format that you present: it would be very close to what, for example, RDS does with its own secrets: create one and decode it with the decryptSecret API to see what they look like.

  2. It may be interesting to keep 1 distinct secret for each client (if costs allow) to better respect the "least privilege" security best practice. Some of your service features may not need to know all secrets at once. In the future, it may be interesting to give access to some of the secrets to only some of the features. Also, from a hacking perspective (which I don't wish you), you'll be safer if your secrets are isolated: a hacker would have to decrypt each of them separately. It will be harder than just decrypting 1 secret to obtain all information about all customers.

Best,

Didier

AWS EXPERT
answered 2 months ago
reviewed by Sandeep (EXPERT) 2 months ago
  • Thank you! We will keep this in mind.

  • Hi spy16, glad that it helped. Thanks for accepting my answer.
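The two recommendations in the accepted answer, a single JSON-valued secret fetched once at startup and a separate, least-privilege grant per secret, are shown together in this added example; it is not code from the thread or from AWS. The boto3 call signature `get_secret_value(SecretId=...)` and the `SecretString` response key are real; the secret name `prod/vendor-creds`, the region, the account id, the ARNs and the `FakeSecretsManager` stand-in are constructed so the example runs offline.

```python
"""Added example (not from the re:Post thread): load a bundled JSON secret from
AWS Secrets Manager in one GetSecretValue call, validate it at startup, and
build a least-privilege IAM policy that grants a role read access to only the
secrets it needs. Secret names, ARNs and the fake client are constructed."""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class VendorCreds:
    client_id: str
    client_secret: str

    def __repr__(self):
        # Never echo the secret into logs or tracebacks.
        return f"VendorCreds(client_id={self.client_id!r}, client_secret='***')"


REQUIRED_KEYS = ("client_id", "client_secret")


def parse_vendor_creds(secret_string: str) -> VendorCreds:
    """Parse the JSON value stored at e.g. prod/vendor-creds and fail fast on
    missing or empty fields so a bad secret surfaces at startup, not on the
    first vendor call."""
    try:
        data = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        raise ValueError("secret value is not valid JSON") from exc
    if not isinstance(data, dict):
        raise ValueError("secret value must be a JSON object")
    missing = [k for k in REQUIRED_KEYS if not data.get(k)]
    if missing:
        raise ValueError(f"secret is missing fields: {missing}")
    return VendorCreds(client_id=data["client_id"],
                       client_secret=data["client_secret"])


def load_vendor_creds(client, secret_id: str) -> VendorCreds:
    """One API call at startup. `client` is a boto3 'secretsmanager' client or
    any object exposing get_secret_value(SecretId=...)."""
    resp = client.get_secret_value(SecretId=secret_id)
    if "SecretString" not in resp:
        raise ValueError(f"{secret_id} is a binary secret; expected JSON text")
    return parse_vendor_creds(resp["SecretString"])


def secret_arn(name: str, region="us-east-1", account="123456789012") -> str:
    """Secrets Manager appends a random 6-character suffix to a secret's ARN,
    so a policy matches the name with a trailing '-*'. Region and account id
    are placeholders."""
    return f"arn:aws:secretsmanager:{region}:{account}:secret:{name}-*"


def least_privilege_policy(secret_names) -> dict:
    """IAM policy that lets a role read exactly the listed secrets and nothing
    else: one policy per feature, scoped to the secrets that feature uses."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": [secret_arn(n) for n in secret_names],
        }],
    }


class FakeSecretsManager:
    """Constructed offline stand-in for the boto3 secretsmanager client."""

    def __init__(self, store):
        self._store = store

    def get_secret_value(self, SecretId):
        if SecretId not in self._store:
            raise KeyError(f"ResourceNotFoundException: {SecretId}")
        return {"Name": SecretId, "SecretString": self._store[SecretId]}


if __name__ == "__main__":
    # Constructed sample secret in the bundled-JSON layout from the question.
    fake = FakeSecretsManager({
        "prod/vendor-creds": json.dumps(
            {"client_id": "abc123", "client_secret": "s3cr3t"}),
    })
    creds = load_vendor_creds(fake, "prod/vendor-creds")
    print(creds)  # client_secret is masked by __repr__
    print(json.dumps(least_privilege_policy(["prod/vendor-creds"]), indent=2))
```

With a real client, replace `fake` with `boto3.client("secretsmanager")`; the rest is unchanged. Keeping each vendor's credentials in its own secret and listing only that secret's ARN in the policy is what gives you the per-feature isolation the answer describes, while the JSON value still lets a service that legitimately needs several fields fetch them in one call.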
