How to securely pass secrets from step to step in step functions

0

I'd like to define a step that extracts secrets from Secrets Manager and then passes those secrets to another step. With logging enabled, the secrets are logged as input to the next step. If I disable logging payloads, then the other steps' payloads are also not logged. Is there a way to protect secrets between steps and still log other information?

2 answers
0

Could you pass the secret-id(s) and let the next step pull them from Secrets Manager?

AWS
Expert
kentrad
answered 2 years ago
  • The step is a call to CallAwsService with secretsManager as the service. It's not a lambda. I'm mostly curious if AWS has solved this issue via the step function infrastructure to pass secrets between steps, and that I had missed how to do it. Without that functionality it's not really a state machine, it's just a call stack.

0

I would recommend retrieving the secrets in the steps you need them, or encrypting the secrets where you retrieve them and then decrypting where needed. You will need to have some shared encryption key between these steps, so I am not sure it gets you anything.

AWS
Expert
Uri
answered 2 years ago
  • As I mentioned to kentrad: The step is a call to CallAwsService with secretsManager as the service. It's not a lambda. I'm mostly curious if AWS has solved this issue via the step function infrastructure to pass secrets between steps, and that I had missed how to do it. Without that functionality it's not really a state machine, it's just a call stack.
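Both answers come down to the same pattern: carry only a reference to the secret through the state machine and resolve the value inside the step that actually uses it, so that execution-data logging never sees `SecretString`. The following is an added example, not code from either poster, written as a CloudFormation-style YAML state machine definition; the state names, the secret name, the Lambda ARN and the `orderId` field are placeholders, and it assumes the consuming step is a Lambda that calls GetSecretValue itself.

```yaml
# Added example (not from the thread): ASL definition in the YAML form accepted by
# AWS::StepFunctions::StateMachine "Definition", so that comments are possible.
# All names and ARNs below are placeholders.
Comment: Pass only the secret's ARN between states; the consuming step fetches the value.
StartAt: ResolveSecretArn
States:
  ResolveSecretArn:
    # DescribeSecret returns metadata only (ARN, name, rotation settings) and never the
    # secret value, so this state's output is safe to appear in execution-data logs.
    # A getSecretValue Task here would put SecretString into the next state's input.
    Type: Task
    Resource: arn:aws:states:::aws-sdk:secretsmanager:describeSecret
    Parameters:
      SecretId: prod/db/credentials            # placeholder secret name
    ResultSelector:
      secretArn.$: $.ARN                       # keep just the reference
    ResultPath: $.secretRef
    Next: UseSecret
  UseSecret:
    # The step that needs the credential receives the ARN (logged) and resolves it
    # with GetSecretValue inside the function; the value stays out of state I/O.
    Type: Task
    Resource: arn:aws:states:::lambda:invoke
    Parameters:
      FunctionName: arn:aws:lambda:us-east-1:111122223333:function:use-secret  # placeholder
      Payload:
        secretArn.$: $.secretRef.secretArn
        orderId.$: $.orderId                   # placeholder business field
    ResultSelector:
      status.$: $.Payload.status               # return only non-sensitive results
    ResultPath: $.result
    End: true
```

With this layout `includeExecutionData` can stay enabled for the whole state machine, since no state's input or output contains the secret value; the Lambda's execution role needs `secretsmanager:GetSecretValue` on the secret and the state machine's role does not.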
