If you need to store your credentials securely somewhere other than your application code, AWS Secrets Manager is a good choice.
AWS Secrets Manager helps you manage, retrieve, and rotate database credentials, application credentials, OAuth tokens, API keys, and other secrets throughout their lifecycles.
[Source: AWS Docs]
Today we are going to look at how to fetch a secret from AWS Secrets Manager inside a container using the AWS SDK; we shall be using the Python SDK (boto3). I shall be going ahead with a dummy secret for this demo, but you can use the same process to fetch DB passwords, application credentials or other critical tokens that should not be hardcoded into your application source code.
- An AWS account
- A user with full access to AWS Secrets Manager and EC2
We shall be going ahead with "Other type of secret", but in your case you can store credentials for AWS native database services as well.
We have chosen aws/secretsmanager as the encryption key; you can use a customer managed KMS key to encrypt your secret based on your requirements.
In the next window you will be asked to provide a secret name; in our case we have provided test/mysecret. You can leave the rest of the options as default.
Click Next. If you wish to enable automatic rotation you can do so in this window; this also requires a Lambda function that will rotate the secret.
Click Next, and in the Review section you will get a code snippet for multiple languages; choose one according to your needs. In this case I shall be going ahead with Python 3, and we shall use that later.
Create an instance, providing a name and selecting the instance type.
Choose an instance type and your key pair; if you don't have a key pair you can create one using the Create key pair option.
You can keep the network settings as default. For this demo I'm keeping SSH access open from anywhere; it is recommended to restrict SSH access instead.
Once the instance is launched, SSH into the instance and install Docker.
Start the Docker service.
Select EC2 as the trusted entity type.
Choose the Secrets Manager read/write permission; in your case you can choose a more granular permission.
Provide a role name and create the role.
Attach the role to your EC2 instance.
sudo docker run -it ubuntu /bin/bash
Install Python 3 and boto3 in the container.
We shall also install vim in the container using -
apt update && apt install -y vim
We shall use the code snippet we got while creating the secret, add a print statement for the secret, and then a call to the get_secret method.
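The fetch step above, written out as an added example rather than the console snippet or the post's own code. It assumes the secret is named test/mysecret (as in the post) and lives in us-east-1 (an assumption; set REGION_NAME to wherever you created it), that boto3 is installed in the container, and that the EC2 instance role attached earlier may read the secret, so no access keys are needed: boto3 picks up temporary credentials for the role from the instance metadata service. StubSecretsClient is a constructed stand-in for running the decoding path offline, and read_only_policy shows the granular permission mentioned earlier as an alternative to the broad read/write permission the post attaches (which I take to be the AWS managed SecretsManagerReadWrite policy); the ARN it is called with in main is a placeholder.

```python
"""Fetching test/mysecret from inside the container with boto3 (added example)."""
import json

SECRET_NAME = "test/mysecret"  # secret name chosen in the post
REGION_NAME = "us-east-1"      # assumption: replace with the region the secret was created in


def parse_secret_value(response):
    """Decode a GetSecretValue response into a Python value.

    Secrets Manager returns either SecretString (text; the console stores
    key/value secrets as a JSON document) or SecretBinary (boto3 hands this
    back as bytes). Handle all three shapes instead of assuming JSON.
    """
    if "SecretString" in response:
        text = response["SecretString"]
        try:
            return json.loads(text)  # key/value secret -> dict
        except ValueError:
            return text              # plaintext secret -> str
    return response["SecretBinary"]  # binary secret -> bytes


def get_secret(secret_name=SECRET_NAME, region_name=REGION_NAME, client=None):
    """Fetch and decode one secret.

    `client` can be injected (StubSecretsClient below) to exercise the
    decoding path without AWS access; inside the container leave it as None.
    Failures surface as botocore ClientError with codes such as
    ResourceNotFoundException (wrong name or region) or AccessDeniedException
    (the instance role lacks secretsmanager:GetSecretValue, or kms:Decrypt
    when a customer managed KMS key was chosen for the secret).
    """
    if client is None:
        import boto3  # imported lazily so the helpers above work without boto3
        client = boto3.session.Session().client(
            service_name="secretsmanager", region_name=region_name
        )
    response = client.get_secret_value(SecretId=secret_name)
    return parse_secret_value(response)


def read_only_policy(secret_arn):
    """Least-privilege alternative to the read/write permission in the post:
    allow only GetSecretValue on this one secret. Secrets Manager appends a
    random suffix to secret ARNs, hence the trailing wildcard used in main."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["secretsmanager:GetSecretValue"],
                "Resource": secret_arn,
            }
        ],
    }


class StubSecretsClient:
    """Constructed stand-in for the boto3 Secrets Manager client (offline use)."""

    def __init__(self, response):
        self.response = response

    def get_secret_value(self, SecretId):
        return self.response


if __name__ == "__main__":
    secret = get_secret()
    # The post prints the whole secret for the demo; container stdout usually
    # ends up in log files, so only the key names are printed here.
    if isinstance(secret, dict):
        print("secret keys:", sorted(secret))
    else:
        print("secret type:", type(secret).__name__, "length:", len(secret))
    placeholder_arn = "arn:aws:secretsmanager:REGION:ACCOUNT_ID:secret:test/mysecret-*"
    print(json.dumps(read_only_policy(placeholder_arn), indent=2))
```

Run it as `python3 get_secret.py` inside the container once the role is attached; because the role's credentials come from the instance profile, nothing secret has to be baked into the image or passed in as an environment variable.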
Terminate the EC2 instance and schedule deletion of the secret; the minimum waiting period before deletion is 7 days.