Questions tagged with AWS Secrets Manager

Secrets Manager Error Message: The json key does not exist in this secret Seeing above error while trying to build a new branch of package in Codebuild. I created a secret for a particular isengard account. Then created a policy which was attached to the role I am using to build the package.

AWS secrets-manager does not decode my key/values when retrieving... what am I missing? Hi when I retrieve my SecretString from Secrets-manager i get: `'{"username": "***","password": "***" ,"engine":"mysql","host":"***","port":"***","dbname":"***""dbInstanceIdentifier":"database-1"}',` Instead of `{"username":"my_real_username","password":"my_real_password","engine":"mysql","host":"my_real_host","port":"my_real_port","dbname":"my_real_dbname","dbInstanceIdentifier":"database-1"}` I have tried using both my buildspec.yml file doing: ``` env: secrets-manager: DB_TEST_HOST: "test:host" DB_TEST_NAME: "test:dbname" DB_TEST_PORT: "test:port" DB_TEST_USER: "test:username" DB_TEST_USER_PASSWORD: "test:password" ``` And implemented the code suggested in secrets-manager. Both give the the bad result. I have also attached "SecretsManagerReadWrite" policy and kms:Decrypt policy to the role used when trying to retrieve these parameters.

I have an image I deploy to ECS that expects an environment variable called `DATABASE_URL` which contains the username and password as the userinfo part of the url (e.g. `postgres://myusername:mypassword@mydb.foo.us-east-1.rds.amazonaws.com:5432/mydbname`). I cannot change the image. Using `DatabaseInstance.Builder.credentials(fromGeneratedSecret("myusername"))`, CDK creates a secret in Secrets Manager for me that has all of this information, but not as a single value: ```json { "username":"myusername", "password":"mypassword", "engine":"postgres", "host":"mydb.foo.us-east-1.rds.amazonaws.com", "port":5432, "dbInstanceIdentifier":"live-myproduct-db" } ``` Somehow I need to synthesise that `DATABASE_URL` environment variable. I don't think I can do it in the ECS Task Definition - as far as I can tell the secret can only reference a single key in a secret. I thought I might be able to add an extra `url` key to the existing secret using references in cloud formation - but I can't see how. Something like: ```java secret.newBuilder() .addTemplatedKey( "url", "postgres://#{username}:#{password}@#{host}:#{port}/#{db}" ) .build() ``` except that I just made that up... Alternatively I could use CDK to generate a new secret in either Secrets Manager or Systems Manager - but again I want to specify it as a template so that the real secret values don't get materialised in the CloudFormation template. Any thoughts? I'm hoping I'm just missing some way to use the API to build compound secrets...

I have a Lightsail instance with a very small Python script for testing. The script looks like: ``` import boto3 import json region_name = "us-east-1" secret_name = "arn:aws:secretsmanager:us-east-1:XXXXXX:XXXX" client = boto3.client(service_name='secretsmanager',region_name=region_name) response = client.get_secret_value(SecretId=secret_name) secrets1 = json.loads(response['SecretString']) print(secrets1['Password']) ``` When I run the above code, I get the following error: ``` An error occurred (AccessDeniedException) when calling the GetSecretValue operation: User: arn:aws:sts::XXXXXXXX:assumed-role/AmazonLightsailInstanceRole/XXXXXXX is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:us-east-1:XXXXXXXX:secret:XXXXXX because no resource-based policy allows the secretsmanager:GetSecretValue action ``` I have tried: * creating a Lightsail role in IAM with "SecretsManagerReadWrite" policy attached. One problem with this approach is that I didn't see a Lightsail option when selecting an AWS Service, so I selected ec2. * running the code as root user * creating another IAM user with proper permissions (full access to Lightsail and SecretsManagerReadWrite) * scouring several forums looking for answers. I find some cases that are similar to mine, but haven't found a solution I can use fully (although I have used bits and pieces with no luck). None of the above worked (although I can't guarantee I put all the pieces together correctly). So my question is: How can I access a secret in my Secrets Manager service and use it in my Python code in Lightsail? This is all done within a single AWS account. I am very new to the AWS framework and am admittedly confused by the IAM roles and users and how I provision permission for a Lightsail instance to access Secrets Manager. Thanks for any help.

Do we need Lambda extensions for accessing AWS Secrets Manager ? I explored Vault, Lambda provides vault extensions, which can optimize the secrets fetching - https://www.hashicorp.com/blog/aws-lambda-extensions-for-hashicorp-vault > The extension can retrieve multiple secrets from Vault, if configured to do so, and writes the full JSON response from HashiCorp Vault to the configured destination. Before a Lambda function is invoked, extensions are initialized and given the opportunity to perform tasks before signaling their readiness Do we need similar setup in AWS Secrets Manager ? Or Fetching secrets from AWS Secret Manager already optimised for Lambda ?

I am trying to implement a proxy to our Aurora instance, but having difficulty getting the IAM access to work properly. We have a microservice in an ECS container that is attempting to access the database. The steps I've followed so far: * Created a secret containing the DB credentials * Created the proxy with the following config options: * Engine compatibility: MySQL * Require TLS - enabled * Idle timeout: 20 minutes * Secret - Selected DB credential secret * IAM Role - Chose to create new role * IAM Authentication - Required * Modified the policy of the proxy IAM role as per the details on [this page](https://aws.amazon.com/getting-started/hands-on/set-up-shared-database-connection-amazon-rds-proxy/). * Enabled enhanced logging When issuing GET requests to the microservice, I see the following in the CloudWatch logs: > Credentials couldn't be retrieved. The IAM role "arn:our-proxy-role" is not authorized to read the AWS Secrets Manager secret with the ARN "arn:our-db-credential-secret" Another interesting wrinkle to all of this: I pulled up the policy simulator, selecting the RDS proxy role and all of the actions under the Secrets Manager service, and all actions show up as being allowed. I would sincerely appreciate any kind of guidance to indicate what I'm missing here.

I'm trying to retrieve a secret value from secrets manager using an API client via a post request. I keep getting the following error in the response: { "Output": { "__type": "com.amazon.coral.service#SerializationException" }, "Version": "1.0" }

1. I am running a Golang code running in the docker container [VPC[EC2VM[docker[go code]]] 2. Secrets stored in AWS secrets manager. 3. The VM is running with the proper role and permission to access the SecretsManagerReadWrite 4. The Golang code is the same as provided while creating secrets in AWS SM My code is not getting the secrets. but getting the below error NoCredentialProviders: no valid providers in chain. Deprecated.\n\tFor verbose messaging see aws.Config.CredentialsChainVerboseErrors" I also tried https://aws.amazon.com/blogs/security/how-to-connect-to-aws-secrets-manager-service-within-a-virtual-private-cloud/. but no luck Please suggest

I want to have a QA secret and a Production secret, and I want a Lambda QA alias to only be able to access the QA secret, and likewise with the Lambda Production alias and the Production secret. Each Lambda function alias uses a single execution role, set at the function level. So any IAM policies attached to this role would apply to all aliases. This means that the QA alias lambda could access the Production secret. So an execution-role based policy does not appear to be the answer. I am trying to understand how to apply resource-based policies to the secrets, but it appears that I cannot choose the Principal to be a fully-qualified ARN to the Lambda alias. Is it possible to do this? Unless I am misusing these systems, it seems impossible to keep secrets separate and secure with Lambda aliases.

Can Sagemaker Git Repositories use ssh secrets (no name and password)?

I'd like to integrate AWS Secrets Manager within my application. How do I read the password using VPC EP? I was not able to query the Secrets Manager in the CLI without setting the proxy. I also don't want to mention the VPC EP in the commands. Any pointers would be greatly appreciated. I'd like to run this command without setting proxy and the VPC EP. aws secretsmanager get-secret-value --secret-id MySecret

I'm getting error like, ***failed to patch secret xxx with new data*** from csi-secrets-store-controller.

I have a private VPC with a VPC endpoint to Secrets Manager and a rotation function. Secrets manager is able to invoke the function, but the function can only intermittently communicate with secrets manager. I can see it calls the Secrets Manager API a number of times successfully, but after calling GetRandomPassword it just says "Resetting dropped connection". For full details see the following post: https://stackoverflow.com/questions/71807653/secrets-manager-rotation-timeout

Hi team, I created a custom lambda authorizer and attached it to my HTTP API GW authorizer. 1 - I noticed each time that the lambda authorizer is slow, it takes around 3 to 4 seconds to get the response (maybe it's due to my lambda reading secret keys from secret manager ?) my lambda read apiKeys from secret manager and compares it with a custom header value on the HTTP request 2 - also, the lambda took more than 5 seconds to wake up. Is there any way to solve this latency related to the lambda authorizer for these points? Thank you

Hi team, I want to create a secret via CDK that contains 2 passwords (API keys) secretName = ApiKeys keys/values = - key: password1, value: auto-generated password (current) - key: password2, value: auto-generated password (previous) the CDK syntax I found allows only to create a secret with one secret inside it, is there a way to create a secret in a secret manager with many generated secrets inside it? any snippet code would be helpful. Thank you.

Hi team, I want to modify a custom header value in a CF origin with lambda. this lambda should read the value from the secret manager and update the value of the custom header in Cf accordingly. is this achievable via a lambda function? Thank you!

Hello, I am integrating my custom Kafka cluster with AWS Lambda using Kafka trigger (Cloudformation EventSourceMapping). If I reset the password on my Kafka cluster and subsequently update the secret that is used in the EventSourceMapping, the EventSourceMapping does not refetch/refresh the secret. Instead the EventSourceMapping is still trying to use the old secret version (with old password) which results in error: ``` Last processing result: PROBLEM: SASL authentication failed. ``` As a result of this problem, no events are delivered to the lambda function. Since I am passing the ARN of the secret to the EventSourceMapping and am granting Lambda the permissions to get this secret, I would expect that the EventSourceMapping would automatically refresh/refetch the secret periodically. Instead what I need to do is delete the EventSourceMapping (trigger) and recreate it again (with the same configuration). This is unacceptable as we are using multiple Lambda integrations with our Kafka cluster and deleting/re-creating all of them after the password (and aforementioned secret) has changed is ineffective

I'm trying to see if there's anything I can do to improve performance when fetching secrets from Secrets Manager. At the moment, we're seeing it taking somewhere between 100-400ms every time (probably averaging ~200ms)... which is a pretty big overhead considering our lambdas themselves typically take less than that. We were previously caching the secret in memory (for warm/provisioned lambdas), however, that brings us unstuck when those secrets get changed and the lambdas have out-of-date values. So, my question is two-fold: * Is this just "the way it is"? ie. I understand that there's no performance guarantees, but is this just the ballpark that I should expect for these types of fetches? * Would using something like a [VPC Endpoint](https://docs.aws.amazon.com/secretsmanager/latest/userguide/vpc-endpoint-overview.html) help? All the doc seems to suggest that the benefits are more about security, rather than performance, but I'm happy to explore. Thanks.

I'm trying to use parameter store and secret manager in my EKS cluster but i keep getting this error: MountVolume.SetUp failed for volume "secrets-store-inline" : rpc error: code = Unknown desc = failed to get secretproviderclass fastcode/helloworld-secrets, error: SecretProviderClass.secrets-store.csi.x-k8s.io "helloworld-secrets" not found and inside secret store provider logs: secretproviderclasspodstatus_controller.go:99] "failed to patch secret owner ref" err="failed to get spc helloworld-secrets, err: SecretProviderClass.secrets-store.csi.x-k8s.io \"helloworld-secrets\" not found" Both pod and SecretProviderClass are created with helm. SecretProviderClass and pods are in the same namespace ``` apiVersion: secrets-store.csi.x-k8s.io/v1 kind: SecretProviderClass metadata: name: helloworld-secrets spec: provider: aws parameters: objects: | - objectName: "/password/db" objectType: "ssmparameter" objectAlias: "dbpassword" - objectName: "/password/instance" objectType: "ssmparameter" objectAlias: "dbinstancepassword" ``` ``` volumes: - name: secrets-store-inline csi: driver: secrets-store.csi.k8s.io readOnly: true volumeAttributes: secretProviderClass: "helloworld-secrets" ``` What should i do? Thanks

Hi all, Disclaimer: New to AWS DevOps :) So I've a situation where we need to store all database schemas (Oracle database) in secrets manager, to meet secutiry compliance guidelines. - To limit my costs, I was thinking to put all application schema credentials, belonging to single RDS instance, under 1 secrets manager resource. - So there will be one-to-many relation between secrets-mgr resource & database schema creds, respectively - however, I also want to ensure ** each application has access to only their on schema creds, and not other schema creds in that particular secrets-mgr resource ** Question: Can I provide ** access to specific secret-key:secret-value, inside a secret, to app users **. Is this possible ? As going through docs, I dont see that being possible. Hope my questions is clear thanks in advance, J K

I'd like to define a step that extracts secrets from secrets manager and then passes those secrets to another step. With logging enabled the secrets are logged as input to the next step. If I disable logging payloads, then other step's payload are also not logged. Is there a way to protect secrets between steps and still log other information?

**It is possible to consume secretsManager via dynamoDb tables? for example : ** ``` { key: {{resolve:secretsmanager::password}} } ```

Hi community, We are new to [AWS Secret Manger](https://aws.amazon.com/secrets-manager/) and we recently decided to adopt it as it's a secure way to store all the credentials, access keys, etc. One of the cloud expert mentioned that the secret manager CLI can be accessed only within AWS VPC. However, we are curious on ** whether AWS secret manager services (e.g., via CLI) can be accessed outside the AWS envrionment (such as development evironment set up in our laptop i.e. local machine) **as long as the IAM user has the appropriate permissions set to read the Secret Manager keys, without any needs for VPC/VPN or so.

Setting up a codebuild action inside codepipeline via a CF template (the AWS::CodePipeline::Pipeline resource), I keep running into a very limiting factor where the configuration fields are all limited to 1000 characters (see: https://docs.aws.amazon.com/codepipeline/latest/userguide/limits.html: ``` Maximum length of the action configuration value (for example, the value of the RepositoryName configuration in the CodeCommit action configuration should be less than 1000 characters: "RepositoryName": "my-repo-name-less-than-1000-characters") ``` This limit is enough for most configuration fields, but when configuring a `CodeBuild` action, the `EnvironmentVariables` field [expects a JSON string](https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-properties-codepipeline-pipeline-stages-actions.html#cfn-codepipeline-pipeline-stages-actions-configuration). This JSON string can very fast reach 1000 characters, with even as little as 10 environmental variables, especially if those variables are extracted from `SECRETS_MANAGER`. For example, declaring just one variable like this: ``` {"name":"MYSERVICE_VARIABLE","value":"aws:secretsmanager:ap-northeast-1:123458087:secret:my-secret-staging-name:password","type":"SECRETS_MANAGER"} ``` Will on its own be 148 characters. If the pipeline requires just 5 of these secrets and maybe 2-3 more short ones, the limit will be reached and deployment of the pipeline will fail. I was wondering if there is any chance this limit can get reviewed once more and maybe increased to, say, 1mb json string? Failing to do so will render this feature useful only in the simplest of use-cases... Regards, Julian.

When an event is sent to an API Destination, does the connection associated with the API Destination do 1 read from AWS Secrets Manager. So if 10000 events are sent to an API destination, would that cost $0.05 + $0.40c for AWS Secrets Manager per month? Thanks

I've heard that it's not a best practice to use aws configure to store secrets in a config file on my machine, which totally makes sense. How do I use AWS Secrets manager to get the keys when connecting to AWS requires keys in the first place? Does my question make sense? Would this code work? https://boto3.amazonaws.com/v1/documentation/api/latest/guide/secrets-manager.html

I would like to use SecretsManager to rotate a database password using [the alternating accounts strategy](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets_strategies.html#rotating-secrets-two-users). I don't want to use the database "Master" user for that, I want to create a dedicated MySQL user for Secrets Manager. I understand the AWS IAM roles and policies, AWS networking and such. I am looking for the minimum privilege I must grant SecretManager **inside my RDS MySQL instance** so that it can rotate a password, but not SELECT any data? I am looking for a statement like this one: ``` CREATE USER 'secrets_manager'@'%' IDENTIFIED BY 'password'; GRANT ?????? ON ?????? to 'secrets_manager'@'%' ``` As an example, [Hashicorp Vault lists the SQL statements required to change a password](https://www.vaultproject.io/api/secret/databases#sample-payload-1), making it possible to GRANT a limited set of statements to Vault.

Hello, I'm trying to find a way to store AWS secret access key in secure "only read" hardware in order to be PCI DSS complaint, for now i tried to store this secret access key in yubikey NEO, but the yubikey supports only 38 characters of "known" password ( all of the types of yubikey ), and the AWS generated secret access key is 40 characters, i tried to find " a way around " : i tried to compress this secret key ( dosnt work because of key complexity ),was thinking of storing this secret access key in yubikey as *everyone* do with ssh but for that i need to convert this string to pgp format (and i dont know how;P) , i was thinking of dividing this key in 2 parts and store it in different slots of the yubikey, but this sounds as very bad practice implementation. So the questions are : **If someone has any other "work around" for this problem? Is it possible to generate 38 character access secret key?** P.S I use AWS CLI *mainly* , and no access to browser needed is appreciated, so the U2F ( as far as i have read ) is not an option.

There is an EC2 instance attempting to get a secret from SecretsManager but errors with the following: ``` Error getting database credentials from Secrets Manager AccessDeniedException: User: arn:aws:sts::{AccountNumber}:assumed-role/aws-elasticbeanstalk-ec2-role/i-{instanceID} is not authorized to perform: secretsmanager:GetSecretValue on resource: rds/staging/secretName because no identity-based policy allows the secretsmanager:GetSecretValue action ``` I have tried adding the following policy to the general aws-elasticbeanstalk-ec2-role to allow for access but it is still not able to get the secrets: GetSecretsPolicy: ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "secretsmanager:GetResourcePolicy", "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret", "secretsmanager:ListSecretVersionIds" ], "Resource": "arn:aws:secretsmanager:*:{AccountNumber}:secret:rds/production/secretName" }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": "secretsmanager:GetRandomPassword", "Resource": "*" }, { "Sid": "VisualEditor2", "Effect": "Allow", "Action": [ "secretsmanager:GetResourcePolicy", "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret", "secretsmanager:ListSecretVersionIds" ], "Resource": "arn:aws:secretsmanager:*:{AccountNumber}:secret:rds/staging/secretName" } ] } ``` I continue to get the error and am wondering if there is something I can tweak to make it able to have proper access to the secret values

Hi Everyone, I am new to lamda Function. I have stored my API Key and other parameters for an rest endpoint as key pair values as a secret in AWS Secret Manager. While I need to retreive the key and other parameters to construct the end point, I am unable to even print it. I have added my code below written in Python. The response is coming null along with no error and no information in logs. import boto3 import base64 from botocore.exceptions import ClientError import json def get_secret(): secret_name = "aXXXXXXXXXXXXXXXXXXXXXXX2cFVdm" region_name = "apXXXXXXX1" session = boto3.session.Session() client = session.client( service_name='secretsmanager', region_name=region_name ) # In this sample we only handle the specific exceptions for the 'GetSecretValue' API. # See https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html # We rethrow the exception by default. get_secret_value_response="" try: get_secret_value_response = client.get_secret_value( SecretId=secret_name ) except ClientError as e: if e.response['Error']['Code'] == 'DecryptionFailureException': # Secrets Manager can't decrypt the protected secret text using the provided KMS key. # Deal with the exception here, and/or rethrow at your discretion. raise e elif e.response['Error']['Code'] == 'InternalServiceErrorException': # An error occurred on the server side. # Deal with the exception here, and/or rethrow at your discretion. raise e elif e.response['Error']['Code'] == 'InvalidParameterException': # You provided an invalid value for a parameter. # Deal with the exception here, and/or rethrow at your discretion. raise e elif e.response['Error']['Code'] == 'InvalidRequestException': # You provided a parameter value that is not valid for the current state of the resource. # Deal with the exception here, and/or rethrow at your discretion. raise e elif e.response['Error']['Code'] == 'ResourceNotFoundException': # We can't find the resource that you asked for. # Deal with the exception here, and/or rethrow at your discretion. raise e else: # Decrypts secret using the associated KMS key. # Depending on whether the secret is a string or binary, one of these fields will be populated. if 'SecretString' in get_secret_value_response: secret = get_secret_value_response['SecretString'] else: decoded_binary_secret = base64.b64decode(get_secret_value_response['SecretBinary']) # Your code goes here. return get_secret_value_response def lambda_handler(event, context): ms=get_secret(); print(ms)

I have set up a CI/CD pipeline for my project. On git commits there is a trigger which runs the CodePipeline -> CodeDeploy -> EC2 setup. The EC2 instance runs an Nginx web server and Node cluster using PM2. I am using a package called dotenv to load env vars like API keys and secrets. Since we don't commit it there is no way these vars load into the Node app on EC2. I have heard about secrets manager but I am not sure. Can someone guide me on this?

I've recently used the PHP SDK to test some operations under the SecretsManager service. Everything works fine. However, I needed to ensure the information sent in using the **`createSecret`** operation was safe from any third-party threats. So I did a small investigation to view the request's body contents. I was able to view this content under ***StreamRequestPayloadMiddleware.php***. After modifying it by using **json_decode **to view the request's contents, I came across this: ``` array(4) { ["Name"]=> string(9) "demo/Test" ["SecretString"]=> string(39) "{"username":"Tom","password":"Test123"}" ["KmsKeyId"]=> string(xx) "arn:aws:kms:xx-xxxx-x:xxxxxxxxxx:key/xxx-xxx-xxx-xxx-xxxxxxxxxx" ["ClientRequestToken"]=> string(xx) "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" } ``` I then realized the plaintext contents of the SecretString were visible in the request's body. I'm aware the SecretsManager uses a KMS key to encrypt the secret values; however, this only happens once the operation has been sent to the server-side (AWS Console). Therefore, I need to know if there is any way to protect the payload contents in an **encrypted format** so that the SecretsManager service or AWS can **unpack this content to its original value** without having it saved in that encrypted format, on a new secret.

I got a role named example-role that is attached to an EC2 instance and has full access to SecretsManager. That EC2 got ID i-1234123431. On the other side, I got a secret that is protected by resource policy that should only grant access to the secret for EC2 instances that do have example-role assigned. I used below resource policy on the secret. Ultimately I want to use that mechanism as a safety net. Question 1: I noticed that if I either omit #1 or #2, it is not going to work, i need both. Why I need both? Question 2: since i need to use #2, how could this work with an autoscaling group where IDs are constantly changing? I tried to use * but looks it is not supported by NotPrincipal. How can I resolve this? ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "secretsmanager:GetSecretValue", "NotPrincipal": { "AWS": [ "arn:aws:iam::123456789:root", "arn:aws:iam::123456789:role/example-role", #1 "arn:aws:sts::123456789:assumed-role/example-role/i-1234123431" #2 ] }, "Resource": "*" } ] } ```

We are used to injecting sensitive environment variables into ECS tasks via Secrets Manager like [this](https://aws.amazon.com/premiumsupport/knowledge-center/ecs-data-security-container-task/) but, we are searching for a similar way to do so for Lambda functions and, came across with [this post](https://aws.amazon.com/blogs/compute/creating-aws-lambda-environmental-variables-from-aws-secrets-manager/) which, seems like a lovely way of doing it. Still, we have a few questions about it: 1. James Beswick's post is less than 45 days old, so I think there is no out of the box solution for this directly from lambda service, am I right? If so, could this be added as a customer feature request, please? It's so usual that I don't know why it's not yet available. 2. Does this work for any lambda deployments? I mean precisely ZIP and Docker-based ones as I'm not sure how Layer set environment variables are passed (or not) to a docker container, for example.

I've seen the following solutions, but they don't seem that great to me: 1 Native integration with CSI driver (Complex to intall and you can inject all values in one environment variable using a local disk, you need parser variables when docker run) https://aws.amazon.com/blogs/security/how-to-use-aws-secrets-configuration-provider-with-kubernetes-secrets-store-csi-driver/ 2 Execute an script when docker run, get the variables, parse and export (Easy to use, not elegant) ``` ENV_VAR=$(aws secretsmanager get-secret-value --secret-id $VARIABLE_ID --region us-west-2 | jq --raw-output '.SecretString') # parse ENV_VAR with code in this line # Export variables ``` 3 Integrate AWS Secret Manager with the framework for example with Rails (Easy to use, some elegant but it is at the code level ) https://anonoz.github.io/tech/2018/12/29/aws-secrets-in-rails.html What do you recommend to carry out this integration and why? Do you know another more elegant and easy way?

Customer uses aurora global table on multi region and their configuration is Active-Active. They use Aurora global table. Customer wants to rotate their secrets for Aurora and wants to know best practices how to implement that. Their application also sit in two regions, the app connects the database instance which is in same region when both region are alive. There is a blog post which explains how to setup secrets manager for Active-Standby configuration. But my customer wants to implement ACTIVE-ACTIVE configuration. Is there any best practices and tips for using Secrets Manager with ACTIVE-ACTIVE database configuration?

Hello, this past weekend for about an hour or so, there was some cases of failures to fetch a secret which my aws sdk node library uses to access RDS. The error message is like: Failed to fetch secret arn:aws:secretsmanager:ap-northeast-1: ... Could this possibly have been to some kind of temporary issue on aws at that time, or is it possible I have some configuration done wrong. Other than this time period, I havn't noticed the issue. It was on server ap-northeast-1 on 3-13 from around 12:00 - 13:18 UTC.

Did anybody here manage to configure this? Via cloudformation I can configure (same does not work in the UI due to validation): AirflowConfigurationOptions: secrets.backend: airflow.providers.amazon.aws.secrets.secrets_manager.SecretsManagerBackend secrets.backend_kwargs: '{"connections_prefix": "dev/core_data/airflow/connections", "variables_prefix": null, "config_prefix": null}' It starts up the environment and says 'available', yet something seems to go wrong because I cannot access it (gateway errors). Am I missing another clean way to get secrets into this? Edit: also fails if I don't use the backport providers installed from requirements.txt and just use secrets.backend: airflow.contrib.secrets.aws_secrets_manager.SecretsManagerBackend with default kwargs. Edited by: andreaslang on Jan 6, 2021 5:17 AM

Hi I use Secrets Manager to store passwords which I need to read (in Python) from services launched in my EC2 instances. In order to do that one solution that I thought about where creating a role which can access to Secrets Manager and attach it to instances I want to read secrets from. However, when I try to create the role I cannot find the Secrets Manager service. Another solution could be storing both the access key and the secret key of an user who can access to that service in the EC2 instances but I don't like that solution because I would prefer not storing that kind of keys in the instances. Any ideas to create the role I talk about or any other solution? Thank you very much

I am attempting to get the automatic rotation lambda function to rotate secrets for an rds instance that lives on a VPC. All of my subnets are public and connected to IGWs. I have an rds instance with no public accessibility that I would like to rotate secrets for. I have placed the lambda function inside the VPC and created a VPC endpoint for the secrets manager. When I run the rotation, it times out when attempting to access the secrets manager endpoint. Do I need to run the lambda function on a private subnet to avoid using the IGWs?

Hello Does secret manager formally support multi-line secret values? When storing a PEM for example, via the console, the newlines are converted to spaces, which means a conversion needs to happen when retrieving. This can be worked around to some extent by using the 'plaintext' method of storing the secret... but this breaks the UI when trying to read it. It also seems to add additional escaping around the key and value which means programatic retrieval is affected, and not consistent. Am i doing something wrong? Am I expecting a capability which is unusual here? Thanks for your help. - D

We have a WAR file deployed on Tomcat and the database credentials are fetched through JNDI. This WAR now has to be moved to AWS cloud, and the requirement is db credentials has to be stored in AWS Secret Manager. My question is can I continue using JNDI/Tomcat along with Secret Manager ? I understand AWS SM has API and SDKs to access it, can that be integrated with JNDI/Tomcat somehow ? All posts I have seen mentions using the API/SDK directly from code, none i have found say anything about server integration. Is accessing AWS SM from code really the best way to do it ? Thanks. A side note - for some reason unknown to me, we cannot use BeanStalk, it is just Tomcat on an EC2 instance.

Hi, I've added a new secrets for my Aurora RDS. In the secret, I see "host" entry which points to the writer node. How do I get the host information for the read-replica node? I **could** add it manually, but I don't want to :) Thanks!!

I use SecretsManager to rotate my third-party OAuth access tokens, which look like the following: {:access_token "***", :token_type "bearer", :expires_in 3600, :scope "full-access", :refresh_token "***"} Currently, the minimum rotation interval in the UI is measured in days, however, as you can see, my service access tokens expire in 1 hour (3600s). Is there a way to specify the rotation to 1 hour or do I need to trigger manual immediate rotation and manage the time expiration in my applications?

I have a CF template with a simple secret inside, like this: Credentials: Type: 'AWS::SecretsManager::Secret' Properties: Name: !Sub ${ProjectKey}.${StageName}.${ComponentId}.credentials Description: client credentials SecretString: !Sub '{"client_id":"${ClientId}","client_secret":"${ClientSecret}"}' The stack is created successfully and the secret is correctly generated. However when I **delete the stack and recreate it** again I get the following error message: **The operation failed because the secret pk.stage.compid.credentials already exists. (Service: AWSSecretsManager; Status Code: 400; Error Code: ResourceExistsException; Request ID: ###)** I guess this is because the secret is not really deleted but only marked for deletion for x days. It is possible to delete a secret immediately via CLI, **but how can this be done within the CF Template?** I need to delete and recreate the stacks because it is part of a continous integration/delivery pipeline which is automatically triggered on source code commits.