0

We deployed our complete application in AWS environment and We find AWS Secret Manager is the right choice to store the secrets for the database and a few other components.

Our ultimate aim is not to store any credentials in the config file / database. It is achieved using AWS Secret Manager.

But when I try to connect the AWS Secret Manager for retrieving the secret value, I see it expects a field like "secret-id" as shown below, I need to protect this secret-id in some location so that I can use this in the application for accessing the secret value. 

aws secretsmanager get-secret-value --secret-id tutorials/MyFirstTutorialSecret
Harry
  • 3,072
  • 6
  • 43
  • 100
  • The `secret-id` doesn't need to be a secret. The _value_ of that ID is the secret. The `secret-id` tells Secrets Manager _which_ value to retrieve. – John Rotenstein Mar 06 '20 at 05:57

2 Answers2

0

If you want to hide your secret-id, you better have another security layer. How about store those secret-id in somewhere, AWS DynamoDB?

|   id   |            secret-id          |
| abc123 |tutorials/MyFirstTutorialSecret|

Then create a customized script (Bash/Python) which can be only accessed by you and privileged users?

$MYSECRETID = <Retrieve it from DynamoDB using `id` key>
aws secretsmanager get-secret-value --secret-id $MYSECRETID
Binh Nguyen
  • 1,891
  • 10
  • 17
0

AWS doesn't permit what you want as it uses the name of the secret as part of the ARN. However, you can either try to do some indirection like @leondkr suggests, or use policies to restrict who can even list what secrets exist. That could be done in either IAM or in the secret resource policy. See here for more information: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html The privilege you may want to restrict is secretsmanager:ListSecrets.

Here are the IAM actions for that service: https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html

Foghorn
  • 2,238
  • 2
  • 13
  • 35