How to securely pass secrets from step to step in step functions

I'd like to define a step that extracts secrets from secrets manager and then passes those secrets to another step. With logging enabled the secrets are logged as input to the next step. If I disable logging payloads, then other step's payload are also not logged. Is there a way to protect secrets between steps and still log other information?

Topics

Serverless Application Integration DevOps Microservices Security Identity & Compliance

Tags

AWS Step Functions DevOps Microservices AWS Secrets Manager

Jammor

asked 3 months ago12 views

2 Answers

NewestMost votesMost comments

Could you pass the secret-id(s) and let the next step pull them from Secrets Manager?

EXPERT

kentrad

answered 3 months ago

Jammor 3 months ago
The step is a call to CallAwsService with secretsManager as the service. Its not a lambda. I'm mostly curious if AWS has solved this issue via the step function infrastructure to pass secrets between steps; and that I had missed how to do it. Without that functionality its not really a sate machine its just a call stack.

I would recommend to retrieve the secrets in the steps you need them, or, encrypt the secrets where you retrieve them and then decrypt where needed. You will need to have some shared encryption key between these steps, so I am not sure it gets you anything.

EXPERT

Uri

answered 3 months ago

Jammor 3 months ago
As I mentioned to kentrad: The step is a call to CallAwsService with secretsManager as the service. Its not a lambda. I'm mostly curious if AWS has solved this issue via the step function infrastructure to pass secrets between steps; and that I had missed how to do it. Without that functionality its not really a sate machine its just a call stack.

Relevant questions

Trigger Step Function with API Gateway and use Fargate within Step Function?
AWS-User-5311484
asked a month ago
Environment variables for a Node app running on an EC2 Instance
fdr
asked 5 months ago
AWS Step Function Output for container services
acrookes-fe
asked 5 days ago
Step functions pass input into Fargate instance :
DavidYen
asked 2 months ago
How to securely pass secrets from step to step in step functions
Jammor
asked 3 months ago
Secrets Manager rotation intermittent timeout
Oli
asked a month ago
ssm secret password automation in aws
AWS-User-0503324
asked 4 months ago
Do we need Lambda extensions for accessing AWS Secrets Manager ?
Navin GV
asked 14 days ago
Secrets get mounted on pods volume but didn't get created after that. Using AWS csi driver.
AWS-User-5054952
asked a month ago
Access secrets from secrets manager into the code the running EC2 docker
AWS-User-4824442
asked 22 days ago

How to securely pass secrets from step to step in step functions

Relevant questions

Trigger Step Function with API Gateway and use Fargate within Step Function?

Environment variables for a Node app running on an EC2 Instance

AWS Step Function Output for container services

Step functions pass input into Fargate instance :

How to securely pass secrets from step to step in step functions

Secrets Manager rotation intermittent timeout

ssm secret password automation in aws

Do we need Lambda extensions for accessing AWS Secrets Manager ?

Secrets get mounted on pods volume but didn't get created after that. Using AWS csi driver.

Access secrets from secrets manager into the code the running EC2 docker