By using AWS re:Post, you agree to the Terms of Use
/How to securely pass secrets from step to step in step functions/

How to securely pass secrets from step to step in step functions

0

I'd like to define a step that extracts secrets from secrets manager and then passes those secrets to another step. With logging enabled the secrets are logged as input to the next step. If I disable logging payloads, then other step's payload are also not logged. Is there a way to protect secrets between steps and still log other information?

2 Answers
0

Could you pass the secret-id(s) and let the next step pull them from Secrets Manager?

EXPERT
answered 3 months ago
  • The step is a call to CallAwsService with secretsManager as the service. Its not a lambda. I'm mostly curious if AWS has solved this issue via the step function infrastructure to pass secrets between steps; and that I had missed how to do it. Without that functionality its not really a sate machine its just a call stack.

0

I would recommend to retrieve the secrets in the steps you need them, or, encrypt the secrets where you retrieve them and then decrypt where needed. You will need to have some shared encryption key between these steps, so I am not sure it gets you anything.

EXPERT
answered 3 months ago
  • As I mentioned to kentrad: The step is a call to CallAwsService with secretsManager as the service. Its not a lambda. I'm mostly curious if AWS has solved this issue via the step function infrastructure to pass secrets between steps; and that I had missed how to do it. Without that functionality its not really a sate machine its just a call stack.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions