The Secret Life of AWS: Secrets Manager

-

 

The Secret Life of AWS: Secrets Manager

How to decouple sensitive credentials from your codebase and infrastructure

#AWS #SecretsManager #CloudFormation #DevOps



Margaret is a senior software engineer. Timothy is her junior colleague. They work in a grand Victorian library in London.

Secrets Management

Timothy was finalizing his new AWS CloudFormation templates. He had successfully modeled his entire global architecture in declarative YAML. He opened his terminal, typed git add ., and prepared to commit the files to the team's central repository.

"Before you hit enter," Margaret said, stepping into his workspace, "let us review the environment variables for the checkout microservice."

Timothy opened the Lambda function's configuration in his YAML file. "I have it passing the Stripe payment gateway API key as an environment variable, just like we configured it in the console," he said, pointing to the line of code: StripeApiKey: "sk_live_51H8..."

"If you commit that file," Margaret warned, "that live API key will be permanently etched into our Git history. Anyone with read access to the repository—every junior developer, QA tester, and contractor—will have full access to our production payment gateway. In a corporate environment, hardcoding secrets into source code or Infrastructure as Code is an immediate, critical security breach."

Timothy pulled his hands away from the keyboard. "If I cannot put the API key in the CloudFormation template, and I cannot hardcode it in my Node.js application, how does the Lambda function authenticate with Stripe?"

"We must decouple the secret from the code entirely," Margaret explained. "We will use AWS Secrets Manager."

The Secure Vault

Margaret opened the AWS Console and navigated to Secrets Manager.

"Secrets Manager is a highly secure vault," she explained. "Instead of storing the Stripe API key in your Git repository, we store it here. AWS encrypts the key at rest using the AWS Key Management Service (KMS). We can even define the secret's structure in your CloudFormation template using the AWS::SecretsManager::Secret resource, keeping everything in code except the actual secret value."

She created a new secret named prod/checkout/stripe-key and pasted the live API key into the secure value field.

"Now, we update your Lambda function's IAM Role," Margaret instructed. "We grant the function explicit permission to execute the secretsmanager:GetSecretValue action, but only for the exact ARN of this specific secret: arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/checkout/stripe-key-*. The principle of least privilege still applies."

Dynamic Retrieval at Runtime

Timothy deleted the hardcoded environment variable from his CloudFormation template. He opened the index.js file for the checkout microservice.

"If the key isn't passed in as an environment variable, my code has to fetch it when the function runs," Timothy reasoned.

"Exactly," Margaret smiled. "You use the AWS SDK to retrieve it dynamically. And for high-volume functions, we can cache the secret in memory for a few minutes outside the main handler to avoid the API call latency and cost on every single request."

Timothy added the retrieval logic using the AWS SDK v3:

const { SecretsManagerClient, GetSecretValueCommand } = require("@aws-sdk/client-secrets-manager");
const client = new SecretsManagerClient({ region: "us-east-1" });

let cachedStripeKey = null;

async function getStripeKey() {
    if (cachedStripeKey) return cachedStripeKey;

    const command = new GetSecretValueCommand({ SecretId: "prod/checkout/stripe-key" });
    const response = await client.send(command);
    
    cachedStripeKey = response.SecretString;
    return cachedStripeKey;
}

"When a customer initiates a checkout, the Lambda function securely asks Secrets Manager for the API key, and stores it in memory just long enough to process the payment," Timothy observed. "The key is never written to disk."

The Power of Rotation

"Decoupling your secrets provides an additional enterprise advantage," Margaret noted. "Imagine if an engineer leaves the company, and the security team mandates that we rotate the Stripe API key. In your old architecture, you would have to search through your application code, update the CloudFormation templates, and trigger a full deployment just to change a string of text."

"And now?" Timothy asked.

"Now, you just log into Secrets Manager, paste the new key, and hit save," Margaret said. "The next time the Lambda function executes, it dynamically fetches the new key. Zero code changes. Zero deployments. For supported databases like Amazon RDS, Secrets Manager can even handle this rotation automatically on a schedule, rotating the password every thirty days without human intervention."

"Your CloudFormation templates are now safe to commit," Margaret concluded. "The secrets live elsewhere."

Timothy ran the git commit command. His infrastructure was automated, his code was version-controlled, and for the first time, his secrets were truly secure.

Key Concepts Introduced:

Hardcoded Secrets refer to the dangerous practice of embedding sensitive credentials—such as API keys, database passwords, or encryption certificates—directly into application source code or Infrastructure as Code (IaC) templates. When committed to version control systems like Git, these secrets become exposed to anyone with repository access forever, creating a severe security vulnerability.

AWS Secrets Manager is a managed service designed to protect secrets needed to access applications, services, and IT resources. It enables engineers to easily rotate, manage, and retrieve credentials throughout their lifecycle. Secrets are encrypted at rest using AWS Key Management Service (KMS). By storing credentials in Secrets Manager, architects decouple sensitive data from application logic and infrastructure definitions.

Dynamic Retrieval & Caching is the security best practice of fetching credentials at runtime via the AWS SDK, backed by strictly scoped IAM permissions. To optimize performance and reduce costs in high-volume serverless applications, these secrets are often cached temporarily in memory during the execution environment's lifecycle. This ensures that credential updates (such as a mandated API key rotation) take effect instantly without requiring application code changes or infrastructure deployments.

Aaron Rose is a software engineer and technology writer at tech-reader.blog. For explainer videos and podcasts, check out Tech-Reader YouTube channel.

Comments

Post a Comment

Popular posts from this blog

Insight: The Great Minimal OS Showdown—DietPi vs Raspberry Pi OS Lite

-
Image
Insight: The Great Minimal OS Showdown—DietPi vs Raspberry Pi OS Lite When you're building a headless server, IoT device, or lightweight project box, the last thing you want is bloatware eating your precious resources. Enter the world of minimal operating systems—where every megabyte matters and efficiency reigns supreme. Two contenders dominate this space: DietPi and Raspberry Pi OS Lite. Both promise lean, mean computing machines that boot straight to the command line. But scratch beneath the surface, and you'll find they take fundamentally different approaches to the "less is more" philosophy. The Minimalist's Dilemma Picture this: You've got a Raspberry Pi 3B+ sitting on your desk, destined to become a home media server. Do you go with the familiar comfort of Raspberry Pi OS Lite, or venture into DietPi's optimized territory? The choice isn't just about personal preference—it's about understanding what "minimal" means to each operatin...
Read more

The New ChatGPT Reason Feature: What It Is and Why You Should Use It

-
Image
The New ChatGPT Reason Feature: What It Is and Why You Should Use It Offers More Than Just a Simple Answer ChatGPT continues to evolve, constantly introducing new features that make user interactions more tailored and insightful. One of the latest additions is the Reason option, which you can access through the slash menu. At its core, this feature gives you more control over the depth of responses, specifically when you’re looking for more than just a simple answer. In this article, we’ll explore what the Reason feature is, where it originated, why it matters, and how you can make the most of it. What Is the Reason Feature? The Reason option prompts ChatGPT to provide a detailed, structured explanation that dives into the reasoning behind an answer. It focuses on giving a logical breakdown of how the conclusion was reached, rather than just providing a surface-level response. Essentially, it’s a way of saying, "I want to understand not just the answer, but the reasoning behind it...
Read more

Raspberry Pi Connect vs. RealVNC: A Comprehensive Comparison

-
Image
Raspberry Pi Connect vs. RealVNC:  A  Comprehensive Comparison The Raspberry Pi has revolutionized the way we interact with computers, providing a low-cost, highly adaptable platform for countless applications. One critical aspect of using a Raspberry Pi, especially for remote management and control, is the ability to access it from another device. Historically, RealVNC has been the go-to solution for this purpose. However, the recent introduction of Raspberry Pi Connect offers an integrated alternative. This article will compare Raspberry Pi Connect and RealVNC, exploring their features, requirements, and practical applications. Introduction to Raspberry Pi Connect Raspberry Pi Connect is a new VNC service directly integrated into Raspberry Pi OS 12. Designed for simplicity and ease of use, Connect aims to provide a seamless remote desktop experience for Raspberry Pi users. Currently in beta, Raspberry Pi Connect is free to use and requires a Raspberry Pi 4, 400, or 5 running...
Read more