swirl
Home Software Blog Wallpapers Webtools
AWS Secrets Manager
Monday 25, January 2021   |   Post link

Overview

The blog post explores the use of AWS Secrets Manager - what problem it solves, how we store secrets using the AWS Management Console, configurations required for reading secrets and application code to read secrets.

The problem of managing secrets

Application usually need to use user-ids and passwords to access various resources like databases. Suppose your solution comprises of multiple application each application has a copy of these credentials.

The situation is made worse when the solution is distributed across multiple machines. This increases the surface attack area from where a credential may be leaked.

What about distribution? What happens when the password for a particular database user is changed? How do we update secrets in all the affected applications?

AWS Secrets Manager

AWS Secrets Manager centralizes storage of secrets so application need not take on the added responsibility of storing secrets securely. AWS Secrets Managers also helps you to with best practices such a rotating keys periodically.

Steps to use AWS Secrets Manager

Identify the secret

The first activity is to identify those bits of information which need to be protected from leaking like user-ids, passwords, encryption keys and others. This type of information should be removed from code, application configuration files and other places and should be stored in AWS Secrets Manager instead.

Store the secret in Secrets Manager

We'll store a key value pair 'foo' & 'bar'. Open the AWS Management Console and navigate to the AWS Secrets Manager service. The name used in this example is 'for/testing'.

Store a new secret

Copy the ARN of the secret in a text editor as we'll need it in the next step.

Create an IAM policy

The next step is to create an IAM policy which allows 'read' access to the newly created secret.

Store a new policy

Note, only read access has been selected. Expand the 'Specify Secret Resource..' and click the link to add ARNs of the secrets.

Adding an arn

Click the 'List ARNs Manually' link to directly enter the ARN we copied earlier.

Add the arn manually

Create the IAM role

The next step is to create an IAM role to allow EC2 instances access the secret stored in the Secrets Manager via the role created in the previous step.

Add the arn manually

Note, we have selected EC2 in the above screenshot.

Add the arn manually

Select the policy we created in earlier, the policy is named 'GetSecret' in this example. Click 'Next: Tags' to proceed to the next screen. Click 'Next: Review' to move to the final screen.

Add the arn manually

Finally we provide the role name and a description and create the role. Click 'Create role' button.

Accessing the secret from Java

If you noticed, when you create a secret in AWS Secrets Manager, the console shows you sample code in various languages like Java, C#, Go etc. that you can use to read the secret. The code here is based on this same code.

The application is a simple console application which expects two arguements, the AWS region and the secret name. The source code is available on GiHub.

Running the code on an EC2 instance

The next step is the run the application on an EC2 instance. Spin up an EC2 instance, build the application and copy the jar file to the EC2 instance. If you now run the application, you'll see an error like this:

No access to secret

Why is this happening? We forgot the last thing which is to attach the IAM role we created to the EC2 instance. Navigate to EC2 dashboard in the AWS Management Console, select the EC2 instance and attach the IAM role we created.

Modify IAM role Select the EC2 instance

We we now rerun the application we see:

We read the secret


Categories: AWS (5) Java (9)

Comments

Posts By Year

2023 (5)
2022 (10)
2021 (5)
2020 (12)
2019 (6)
2018 (8)
2017 (11)
2016 (6)
2015 (17)
2014 (2)
2013 (4)
2012 (2)

Posts By Category

.NET (4)
.NET Core (2)
ASP.NET MVC (4)
AWS (5)
AWS API Gateway (1)
Android (1)
Apache Camel (1)
Architecture (1)
Audio (1)
Azure (2)
Book review (3)
Business (1)
C# (3)
C++ (2)
CloudHSM (1)
Containers (4)
Corporate culture (1)
Database (3)
Database migration (1)
Desktop (1)
Docker (1)
DotNet (3)
DotNet Core (2)
ElasticSearch (1)
Entity Framework (3)
Git (3)
IIS (1)
JDBC (1)
Java (9)
Kibana (1)
Kubernetes (1)
Lambda (1)
Learning (1)
Life (7)
Linux (1)
Lucene (1)
Multi-threading (1)
Music (1)
OData (1)
Office (1)
PHP (1)
Photography (1)
PowerShell (2)
Programming (28)
Rants (5)
SQL (2)
SQL Server (1)
Security (2)
Software Engineering (1)
Software development (2)
Solr (1)
Sql Server (2)
Storage (1)
T-SQL (1)
TDD (1)
TSQL (5)
Tablet (1)
Technology (1)
Test Driven (1)
Unit Testing (1)
Unit Tests (1)
Utilities (3)
VC++ (1)
VMWare (1)
VSCode (1)
Visual Studio (2)
Wallpapers (1)
Web API (2)
Win32 (1)
Windows (9)
XML (2)

Posts By Tags

.NET(6) API Gateway(1) ASP.NET(4) AWS(3) Adults(1) Advertising(1) Android(1) Anti-forgery(1) Asynch(1) Authentication(2) Azure(2) Backup(1) Beliefs(1) BlockingQueue(1) Book review(2) Books(1) Busy(1) C#(4) C++(3) CLR(1) CORS(1) CSRF(1) CTE(1) Callbacks(1) Camel(1) Certificates(1) Checkbox(1) CloudHSM(1) Cmdlet(1) Company culture(1) Complexity(1) Consumer(1) Consumerism(1) Containers(3) Core(2) Custom(2) DPI(1) Data-time(1) Database(4) Debugging(1) Delegates(1) Developer(2) Dockers(2) DotNetCore(3) EF 1.0(1) Earphones(1) Elastic Search(1) ElasticSearch(1) Encrypted(1) Entity framework(1) Events(1) File copy(1) File history(1) Font(1) Git(2) HierarchyID(1) IIS(1) Installing(1) Intelli J(1) JDBC(1) JSON(1) JUnit(1) JWT(1) Java(3) JavaScript(1) Kubernetes(1) Life(1) LinkedIn(1) Linux(2) Localization(1) Log4J(1) Log4J2(1) Lucene(1) MVC(4) Management(2) Migration history(1) Mirror(1) Mobile Apps(1) Modern Life(1) Money(1) Music(1) NGINX(1) NTFS(1) NUnit(2) OData(1) OPENXML(1) Objects(1) Office(1) OpenCover(1) Organization(1) PHP(1) Paths(1) PowerShell(2) Producer(1) Programming(2) Python(2) QAAC(1) Quality(1) REDIS(2) REST(1) Runtimes(1) S3-Select(1) SD card(1) SLF4J(1) SQL(2) SQL Code-first Migration(1) SSH(2) Sattelite assemblies(1) School(1) Secrets Manager(1) Self reliance(1) Service(1) Shell(1) Solr(1) Sony VAIO(1) Spirituality(1) Spring(1) Sql Express(1) System Image(1) TDD(1) TSQL(3) Table variables(1) Tables(1) Tablet(1) Ubuntu(1) Url rewrite(1) VMWare(1) VSCode(1) Validation(2) VeraCode(1) Wallpaper(1) Wallpapers(1) Web Development(4) Windows(2) Windows 10(2) Windows 2016(2) Windows 8.1(1) Work culture(1) XML(1) Yii(1) iTunes(1) renew(1) security(1)