How to securely pass secrets from step to step in step functions

I'd like to define a step that extracts secrets from secrets manager and then passes those secrets to another step. With logging enabled the secrets are logged as input to the next step. If I disable logging payloads, then other step's payload are also not logged. Is there a way to protect secrets between steps and still log other information?

Topics

Serverless Application Integration DevOps Microservices Security, Identity, & Compliance

Tags

AWS Step Functions DevOps Microservices AWS Secrets Manager

Language

English

Jammor

asked 2 years ago1709 views

2 Answers

Newest
Most votes
Most comments

Are these answers helpful? Upvote the correct answer to help the community benefit from your knowledge.

Could you pass the secret-id(s) and let the next step pull them from Secrets Manager?

EXPERT

kentrad

answered 2 years ago

Jammor
2 years ago
The step is a call to CallAwsService with secretsManager as the service. Its not a lambda. I'm mostly curious if AWS has solved this issue via the step function infrastructure to pass secrets between steps; and that I had missed how to do it. Without that functionality its not really a sate machine its just a call stack.

I would recommend to retrieve the secrets in the steps you need them, or, encrypt the secrets where you retrieve them and then decrypt where needed. You will need to have some shared encryption key between these steps, so I am not sure it gets you anything.

EXPERT

Uri

answered 2 years ago

Jammor
2 years ago
As I mentioned to kentrad: The step is a call to CallAwsService with secretsManager as the service. Its not a lambda. I'm mostly curious if AWS has solved this issue via the step function infrastructure to pass secrets between steps; and that I had missed how to do it. Without that functionality its not really a sate machine its just a call stack.

Relevant content

How to pass Header from Step function to API Gateway
Sundar
asked a year ago
Step function passing parameters
rePost-User-9449669
asked a year ago
Please share the steps to integrate AWS Secrets Manager with secrets.yaml file
karthikeyan
asked a year ago
Pass parameter from one glue job to another in step function?
rpost
asked 3 months ago
How can I pass secrets or sensitive information securely to containers in an Amazon ECS task?
AWS OFFICIALUpdated 2 years ago
How do I troubleshoot issues related to AWS Secrets Manager secrets in Amazon ECS?
AWS OFFICIALUpdated 10 months ago
How can I rotate a Secrets Manager secret in a private VPC?
AWS OFFICIALUpdated a year ago
How can I use Lambda functions in an Amazon VPC to retrieve Secrets Manager secrets?
AWS OFFICIALUpdated 6 months ago
How to Create a Feature Request for AWS: A Step-by-Step Guide
EXPERT
Giovanni Lauria
published 16 days ago
A step-by-step guide to cross-account and cross-region events with EventBridge
EXPERT
Antonio_Lagrotteria
published a year ago