AWS Secrets Manager is a service for rotating, managing, and retrieving database credentials, API keys, and other secrets throughout their lifecycle. It lets you configure automatic rotation of secrets, which helps you meet security and compliance objectives. Secrets Manager integrates natively with MySQL, PostgreSQL, and Amazon Aurora databases on Amazon RDS, so credentials for those engines can be rotated without custom code. Access to each secret is controlled through fine-grained AWS Identity and Access Management (IAM) policies. Developers replace plaintext credentials in source code and configuration files with calls to the Secrets Manager API at runtime, so a changed secret no longer requires a code change or a redeployment.
In this post, we will explore the primary features of Secrets Manager. Additionally, I will demonstrate how to securely store a credential for a MySQL database on Amazon RDS and how applications can access this secret. Finally, we will configure Secrets Manager for automatic credential rotation.
Key Features of Secrets Manager
- Safe Secret Rotation: Secrets Manager allows for automatic secret rotation without disrupting your applications. For Amazon RDS databases supporting MySQL, PostgreSQL, and Amazon Aurora, there are built-in integrations for credential rotation. Custom rotation requirements can be addressed by creating an AWS Lambda function. For example, you might develop a Lambda function to rotate OAuth tokens utilized in mobile applications. Developers and applications can access secrets from Secrets Manager, which eliminates the need to send secrets via email or to update and redeploy applications following a secret rotation.
- Centralized Secret Management: You can store, view, and manage all your secrets in one place. Secrets Manager encrypts every secret at rest with an AWS KMS key in your account: the AWS managed key aws/secretsmanager by default, or a customer managed key that you control. Fine-grained IAM policies govern who and what can read each secret; for instance, you can require multi-factor authentication before a developer may retrieve a production database credential. Tagging secrets helps you organize them and scope access to them across your organization.
- Monitoring and Auditing: Secrets Manager integrates with AWS logging and monitoring tools to help you meet audit requirements. Every API call, including each rotation, is recorded in AWS CloudTrail, and you can use Amazon CloudWatch Events (now Amazon EventBridge) to raise an alert when, for example, an administrator schedules a secret for deletion.
- Pay-As-You-Go Model: You only pay for the secrets stored in Secrets Manager and their usage; there are no long-term contracts or licensing fees.
Getting Started with Secrets Manager
Now that you’re acquainted with the key features, I will guide you through the process of storing a MySQL database credential in Secrets Manager. For demonstration purposes, we will utilize a Python application running on Amazon EC2 that requires this database credential to connect to the MySQL instance. Finally, we will set up Secrets Manager to rotate this credential automatically.
Phase 1: Storing a Secret in Secrets Manager
To begin, open the Secrets Manager console and choose to store a new secret. I select “Credentials for RDS database” because I will be storing the credentials for a MySQL database on Amazon RDS. In this example I store the credentials for the database superuser, since that account has the broadest access. For a production application you would normally store a least-privilege application user instead and keep the superuser credential separate, but the steps are identical.
Note: To store secrets in Secrets Manager, you must have the necessary permissions. The AWSSecretsManagerReadWriteAccess managed policy grants them for this walkthrough; for the individual IAM actions involved, see the Secrets Manager documentation on IAM permissions.
Next, I review the encryption settings and keep the default. Secrets Manager will encrypt this secret with the AWS managed key aws/secretsmanager in this account. Alternatively, I can select a customer managed key in AWS KMS; that is required if the secret must be readable from another AWS account, and it lets you control the key policy and key rotation yourself.
Next, I select the relevant Amazon RDS instance and proceed with naming and describing the secret. For this instance, I name it “Applications/MyApp/MySQL-RDS-Database” and provide a description, then click “Next.”
In the subsequent step, I leave the setting for automatic rotation disabled since my application on Amazon EC2 has not yet been updated to utilize Secrets Manager APIs. I will enable rotation after my application is modified (see Phase 2).
Note: If you are storing a secret that no application currently reads, there is no reason to defer rotation; enable it right away. Guidance on configuring rotation is available in the Secrets Manager documentation.
After reviewing the information presented, if everything seems accurate, I select “Store.” We have now successfully saved a secret in Secrets Manager.
I then choose “See sample code” to view the provided code snippets, which I will use to update my application for secret retrieval through Secrets Manager APIs.
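The console steps above can also be scripted. The following is an added example (not code from the original post or from AWS) showing what Phase 1 does through the API: it builds the secret value in the same JSON field layout the console uses for “Credentials for RDS database” (the built-in RDS rotation function reads these field names, so a secret created programmatically must match them) and stores it with an optional customer managed KMS key and tags. With client=None it talks to AWS through boto3; a fake client can be injected for offline use. The key ID, host name and tag values in the usage call are placeholders.

```python
import json

# Field names used by the "Credentials for RDS database" secret type.
RDS_REQUIRED_FIELDS = ("username", "password", "engine", "host", "port", "dbname")


def build_rds_secret(username, password, host, port, dbname, engine="mysql",
                     db_instance_identifier=None):
    """Return the SecretString JSON in the layout the RDS rotation function
    expects. Port is stored as an integer, as the console writes it."""
    doc = {
        "username": username,
        "password": password,
        "engine": engine,
        "host": host,
        "port": int(port),
        "dbname": dbname,
    }
    if db_instance_identifier:
        doc["dbInstanceIdentifier"] = db_instance_identifier
    return json.dumps(doc)


def validate_rds_secret(secret_string):
    """Reject a document that rotation would later fail on."""
    data = json.loads(secret_string)
    missing = [f for f in RDS_REQUIRED_FIELDS if f not in data]
    if missing:
        raise ValueError("secret is missing fields: %s" % ", ".join(missing))
    if not isinstance(data["port"], int):
        raise ValueError("port must be an integer")
    return True


def store_secret(name, secret_string, description="", kms_key_id=None,
                 tags=None, client=None):
    """Create the secret, or add a new version if the name already exists.
    Omitting kms_key_id uses the AWS managed key aws/secretsmanager."""
    validate_rds_secret(secret_string)
    if client is None:
        import boto3  # imported lazily so the module loads without boto3
        client = boto3.client("secretsmanager")
    params = {"Name": name, "SecretString": secret_string,
              "Description": description}
    if kms_key_id:
        params["KmsKeyId"] = kms_key_id
    if tags:
        params["Tags"] = [{"Key": k, "Value": v} for k, v in tags.items()]
    try:
        return client.create_secret(**params)["ARN"]
    except client.exceptions.ResourceExistsException:
        # Secret exists: stage a new AWSCURRENT version instead of failing.
        return client.put_secret_value(SecretId=name,
                                       SecretString=secret_string)["ARN"]


if __name__ == "__main__":
    # Placeholder values; replace with your own endpoint, key and password.
    secret = build_rds_secret("admin", "replace-me", "mydb.example.internal",
                              3306, "myapp", db_instance_identifier="mydb")
    print(store_secret("Applications/MyApp/MySQL-RDS-Database", secret,
                       description="MySQL credential for MyApp",
                       kms_key_id=None,
                       tags={"app": "MyApp", "env": "prod"}))
```

Tags are worth setting at creation time because IAM condition keys on secret tags are the simplest way to let one role read only its own application's secrets.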
Phase 2: Updating an Application to Retrieve Secrets from Secrets Manager
Having stored the secret, I will now update my application to fetch the database credential from Secrets Manager rather than hard-coding it in configuration files. I will demonstrate how to configure a Python application to access this secret.
First, I connect to my Amazon EC2 instance using Secure Shell (SSH). Previously, my application retrieved database credentials from a configuration file. The source code for that application is as follows:
import MySQLdb
import config


def no_secrets_manager_sample():
    # Get the user name, password, and database connection info from a config file.
    database = config.database
    user_name = config.user_name
    password = config.password
    # Connect to the database using the user name, password, and connection info
    db = MySQLdb.connect(database.endpoint, user_name, password, database.db_name, database.port)
    return db
Now, I will modify my application to retrieve the user name and password from Secrets Manager. Here’s the updated code that sets up the client and retrieves the secret “Applications/MyApp/MySQL-RDS-Database”. I’ve included comments to clarify the code:
# Use the code snippet provided by Secrets Manager.
import boto3
from botocore.exceptions import ClientError


def get_secret():
    # Define the secret you want to retrieve
    secret_name = "Applications/MyApp/MySQL-RDS-Database"
    # The region comes from the instance's AWS configuration (assumption).
    client = boto3.session.Session().client(service_name="secretsmanager")
    try:
        response = client.get_secret_value(SecretId=secret_name)
    except ClientError:
        raise  # surface AccessDenied / ResourceNotFound to the caller
    return response["SecretString"]
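The snippet above stops at retrieving the raw SecretString. What the application still has to do is parse the JSON document Secrets Manager stores for an RDS credential, hand the fields to the database driver, and cope with the moment when rotation (enabled later) changes the password underneath a running process. The following is an added example, not code from the original post or from AWS, that does all three; the fetcher and the connect function are injectable so it runs offline with constructed sample secrets. Host names, passwords and the secret name are placeholders; the error code 1045 is MySQL's ER_ACCESS_DENIED_ERROR, which is what the MySQLdb driver reports when a rotated password is no longer accepted.

```python
import json

SECRET_NAME = "Applications/MyApp/MySQL-RDS-Database"
REQUIRED_FIELDS = ("username", "password", "host", "port")
ER_ACCESS_DENIED_ERROR = 1045  # MySQL "Access denied for user"


def parse_rds_secret(secret_string):
    """Turn the SecretString JSON written by the console's "Credentials for
    RDS database" template into MySQLdb.connect keyword arguments."""
    data = json.loads(secret_string)
    missing = [f for f in REQUIRED_FIELDS if f not in data]
    if missing:
        raise ValueError("secret is missing fields: %s" % ", ".join(missing))
    return {
        "host": data["host"],
        "user": data["username"],
        "passwd": data["password"],
        "db": data.get("dbname", ""),
        "port": int(data["port"]),
    }


def fetch_secret_string(secret_name=SECRET_NAME, client=None):
    """GetSecretValue returns the AWSCURRENT version by default. The default
    client needs boto3 and AWS credentials; a fake client can be injected."""
    if client is None:
        import boto3  # imported lazily so the module loads without boto3
        client = boto3.client("secretsmanager")
    response = client.get_secret_value(SecretId=secret_name)
    if "SecretString" not in response:
        raise ValueError("expected a string secret, got a binary one")
    return response["SecretString"]


class SecretBackedConnector:
    """Caches the parsed credential so the app does not call the API on every
    connection, and refreshes it once when the database rejects it, which is
    exactly what happens right after Secrets Manager rotates the password."""

    def __init__(self, fetch, connect, is_auth_error):
        self._fetch = fetch                  # () -> SecretString
        self._connect = connect              # (**kwargs) -> connection
        self._is_auth_error = is_auth_error  # (exception) -> bool
        self._cached = None
        self.fetch_calls = 0

    def _load(self):
        self.fetch_calls += 1
        self._cached = parse_rds_secret(self._fetch())

    def connect(self):
        if self._cached is None:
            self._load()
        try:
            return self._connect(**self._cached)
        except Exception as exc:
            if not self._is_auth_error(exc):
                raise
            self._load()  # password was rotated under us: refetch exactly once
            return self._connect(**self._cached)


def simulate_rotation():
    """Offline walk-through with constructed data: the app connects, the
    secret is rotated, and the next connect recovers without a restart.
    With MySQLdb the is_auth_error check would be
    lambda e: isinstance(e, MySQLdb.OperationalError) and e.args[0] == 1045."""
    versions = [
        json.dumps({"username": "admin", "password": "first-pass", "engine": "mysql",
                    "host": "mydb.example.internal", "port": 3306, "dbname": "myapp"}),
        json.dumps({"username": "admin", "password": "second-pass", "engine": "mysql",
                    "host": "mydb.example.internal", "port": 3306, "dbname": "myapp"}),
    ]
    state = {"current": 0}  # index of the version labelled AWSCURRENT

    def fake_fetch():
        return versions[state["current"]]

    def fake_connect(host, user, passwd, db, port):
        # The "database" only accepts the password that is currently live.
        if passwd != json.loads(versions[state["current"]])["password"]:
            raise PermissionError(ER_ACCESS_DENIED_ERROR, "Access denied for user")
        return "connection(%s@%s:%d/%s)" % (user, host, port, db)

    conn = SecretBackedConnector(
        fake_fetch, fake_connect,
        is_auth_error=lambda e: isinstance(e, PermissionError)
                                and e.args[0] == ER_ACCESS_DENIED_ERROR)
    first = conn.connect()
    conn.connect()          # served from the cache, no API call
    state["current"] = 1    # Secrets Manager rotates the password
    third = conn.connect()  # cached password fails -> refetch -> success
    return {"first": first, "third": third, "fetch_calls": conn.fetch_calls,
            "new_password": conn._cached["passwd"]}
```

Caching plus a single retry on an authentication error is the pattern that makes rotation invisible to the application; without the retry, every process that cached the old password would fail at its next connection until restarted.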
With the application now reading its credential from Secrets Manager instead of a configuration file, the remaining step is to return to the secret in the console and enable the automatic rotation that was deferred in Phase 1, so that the Amazon RDS password is changed on a schedule without any further change to the application.