AWS – Storing secrets


A common mistake that new administrators make when getting started with Infrastructure-as-Code is committing secrets (passwords, access keys, and so on) into their repositories. While this makes their infrastructure repeatable, it also makes it much more likely that their credentials will be compromised. Once something is in version control, it’s hard and annoying to remove it (that’s the point of version control!). Even if you do remove it, it’s almost impossible to know if it has already been viewed/copied by someone unintended.

AWS makes it easy to avoid the use of passwords altogether by assigning IAM roles to resources such as EC2 instances or Lambda functions, but there are cases where you have no choice but to store a credential somewhere. This is where AWS Secrets Manager comes in. You can store credentials (usernames and passwords, or access keys and secret keys) and retrieve them later in a secure way. You can also have those credentials rotated automatically on a regular schedule.

How to do it…

Follow these steps in order to learn how to store a username and password in AWS Secrets Manager:

  1. Log in to your AWS account, and go to the AWS Secrets Manager dashboard.
  2. Click Store a new secret.
  3. Select Other types of secrets:

[Screenshot: Store a new secret]

  4. Add your secret key/value pair in the Plaintext box. Go with the default for the encryption key:

[Screenshot: Specify key/value pairs]

  5. Click Next.
  6. Give the secret a Name, optional Description and Tags, and click Next.
  7. On the next screen, Disable automatic rotation, and click Next.
  8. On the final screen, review your settings and copy any code snippets that you might need for your application. The following is a simplified version of the JavaScript example:

var AWS = require('aws-sdk'),
    region = "us-east-1",
    secretName = "MySecret",
    secret,
    decodedBinarySecret;

var client = new AWS.SecretsManager({region: region});

client.getSecretValue({SecretId: secretName}, function(err, data) {
    if (err) {
        throw err;
    } else {
        // Key/value secrets come back as a JSON string in SecretString;
        // binary secrets come back base64-encoded in SecretBinary.
        if ('SecretString' in data) {
            secret = data.SecretString;
        } else {
            let buff = Buffer.from(data.SecretBinary, 'base64');
            decodedBinarySecret = buff.toString('ascii');
        }
    }
    // Your code goes here.
});

  9. Click Store to complete the process.

You now have a secret that is securely stored and encrypted using the Key Management Service (KMS). If you already have a Relational Database Service (RDS) database in your account, experiment with secrets that are automatically integrated with RDS. This is a huge improvement over storing usernames and passwords in configuration files or environment variables!
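As an added example (not part of the original post or the console-generated snippet), here is the response-handling branch of step 8 written as one function that copes with every shape GetSecretValue can return: key/value secrets as a JSON string in SecretString, a plain string secret, or a base64-encoded SecretBinary. The sample responses and the secret names in them are constructed placeholders.

```javascript
// Added example: parse a GetSecretValue response into a usable value.
// Secrets created with the console's key/value editor are stored as a JSON
// string in SecretString; a raw string secret is returned unchanged; binary
// secrets arrive base64-encoded in SecretBinary.
function parseSecretValue(data) {
  if (data && typeof data.SecretString === 'string') {
    try {
      const parsed = JSON.parse(data.SecretString);
      if (parsed !== null && typeof parsed === 'object' && !Array.isArray(parsed)) {
        return { kind: 'keyvalue', value: parsed };
      }
    } catch (e) {
      // Not JSON, so treat it as a plain string secret (e.g. one API token).
    }
    return { kind: 'string', value: data.SecretString };
  }
  if (data && data.SecretBinary !== undefined) {
    // The SDK may already hand back a Buffer; the raw API returns base64 text.
    const buf = Buffer.isBuffer(data.SecretBinary)
      ? data.SecretBinary
      : Buffer.from(data.SecretBinary, 'base64');
    return { kind: 'binary', value: buf };
  }
  throw new Error('GetSecretValue response has neither SecretString nor SecretBinary');
}

// Pull one required field out of a key/value secret, failing loudly if the
// secret was stored in a different shape or the key is missing, instead of
// silently passing `undefined` on as a password.
function requireField(parsed, key) {
  if (parsed.kind !== 'keyvalue' || !(key in parsed.value)) {
    throw new Error('secret has no field "' + key + '"');
  }
  return parsed.value[key];
}

// Constructed sample responses (hypothetical names, placeholder values) that
// mirror the two branches of the console's snippet.
const sampleKeyValue = {
  Name: 'MySecret',
  SecretString: '{"username":"dbuser","password":"PLACEHOLDER-NOT-A-REAL-PASSWORD"}',
};
const sampleBinary = {
  Name: 'MyBinarySecret',
  SecretBinary: Buffer.from('binary-payload-placeholder').toString('base64'),
};

console.log(requireField(parseSecretValue(sampleKeyValue), 'username')); // dbuser
console.log(parseSecretValue(sampleBinary).value.toString('ascii'));
```

In a real application the `data` argument is whatever the SDK's getSecretValue callback (or promise) delivers; the fetch itself is unchanged from the snippet in step 8.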

How it works…

AWS Secrets Manager uses AWS KMS to encrypt your secrets at rest. Any application that needs a secret to access a resource, such as a relational database, makes an API call to AWS Secrets Manager, and that call is subject to all of the normal IAM authentication and authorization mechanisms that apply to any AWS API call: the calling identity must be allowed to call GetSecretValue on that secret (and, if the secret is encrypted with a customer-managed KMS key, to decrypt with that key). The decrypted secret is returned to the client application over TLS, and the application then uses it to access the resource.

Automatic rotation is accomplished through tight integration with AWS services such as RDS. There is no need to rotate your credentials manually, which might otherwise require application changes or downtime; AWS Secrets Manager handles it all for you. The one thing your application must do is fetch the secret again rather than caching it forever, so that it picks up the rotated value.

There’s more…

AWS Secrets Manager also allows you to:

  • Set up policies that prevent developers from accessing production credentials
  • Audit changes to secrets with CloudTrail
  • Tag secrets in order to manage them with tag-level permissions
  • Automate the rotation of credentials with direct RDS integration
  • Use VPC endpoints to keep the transmission of secrets on your private network
