I am new to AWS and I have some secrets (ClientID and ClientSecrets) stored in DynamoDB which I need to move to AWS Secrets Manager. What is the best way to do this? Automation is a preferred way.
Comments:
- Consider writing a shell script using the awscli. – jarmod Feb 13 '23 at 17:33
- Since you mentioned terraform, you could conceivably use `aws_dynamodb_table_item` to read the current secret values, and then `aws_secretsmanager_secret_version` to store the value in Secrets Manager. Or just write a quick Python script, or shell script, and run it once and be done with it. – Mark B Feb 13 '23 at 19:06
1 Answer
You can write custom logic using the AWS SDK. You need to create 2 Service clients in the supported SDK you want to use. For example, you can implement this in Python, .NET, Java, and so on.
- DynamoDB Service Client.
- Secrets Manager Service Client.
Now query the secrets you want to retrieve from DynamoDB by invoking the DynamoDB Service Client's query(). As you are using Python, you can use: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/dynamodb.html.
Once you get your result set, use the data to create secrets by invoking the Secrets Manager Service Client's createSecret(). You can use: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/secretsmanager.html
To automate this, wrap this logic in an AWS Lambda function and then schedule it using a cron expression or Amazon EventBridge. For details, see:

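The two-client approach described in the answer, written out as an added example (not the answer's own code): boto3 reads every row of a DynamoDB table (Scan with pagination, rather than a keyed Query, since the goal is to move all rows) and creates one secret per row. The table name `oauth_clients`, the attribute names `app_name`, `client_id`, `client_secret`, and the `oauth/<app_name>` secret naming scheme are assumptions for this example.

```python
"""Added example, not the original answer's code: copy ClientID/ClientSecret
rows from a DynamoDB table into Secrets Manager with boto3.
Assumed table layout (constructed): partition key app_name (S) plus
client_id (S) and client_secret (S); one secret is created per row."""
import json
from typing import Any, Dict, List

def deserialize_item(item: Dict[str, Dict[str, Any]]) -> Dict[str, Any]:
    """Unwrap the low-level attribute format ({"S": "x"}) into plain values."""
    return {k: next(iter(v.values())) for k, v in item.items()}

def scan_table(ddb, table_name: str) -> List[Dict[str, Any]]:
    """Read every row, following Scan's 1 MB pagination via LastEvaluatedKey."""
    items, kwargs = [], {"TableName": table_name}
    while True:
        page = ddb.scan(**kwargs)
        items.extend(deserialize_item(i) for i in page.get("Items", []))
        if "LastEvaluatedKey" not in page:
            return items
        kwargs["ExclusiveStartKey"] = page["LastEvaluatedKey"]

def secret_name(item: Dict[str, Any]) -> str:
    """Naming scheme assumed for this example: oauth/<app_name>."""
    return f"oauth/{item['app_name']}"

def migrate(ddb, sm, table_name: str) -> Dict[str, str]:
    """Create one secret per row and return {secret name: ARN}.
    A re-run must not fail halfway: if the secret already exists, store the
    value as a new version instead. Rows are NOT deleted from DynamoDB here;
    remove them only after the migrated values have been verified."""
    created: Dict[str, str] = {}
    for item in scan_table(ddb, table_name):
        name = secret_name(item)
        payload = json.dumps({"client_id": item["client_id"],
                              "client_secret": item["client_secret"]})
        try:
            resp = sm.create_secret(Name=name, SecretString=payload,
                                    Description=f"Migrated from DynamoDB table {table_name}")
        except sm.exceptions.ResourceExistsException:
            resp = sm.put_secret_value(SecretId=name, SecretString=payload)
        created[name] = resp["ARN"]
    return created

if __name__ == "__main__":
    import boto3  # imported here so the helpers above can be unit-tested without AWS
    session = boto3.Session()
    print(migrate(session.client("dynamodb"), session.client("secretsmanager"),
                  "oauth_clients"))
```

The caller's IAM identity needs only `dynamodb:Scan` on the table and `secretsmanager:CreateSecret` / `secretsmanager:PutSecretValue` on the target secrets; once the values are confirmed in Secrets Manager, delete the DynamoDB rows so the credentials exist in one place.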
Comments:
- When you say 2 service clients, what does that mean? Are you referring to 2 APIs? I use Python. – Baba Feb 13 '23 at 18:14
- Exactly. To use Python and the AWS SDK, you need to use the DynamoDB Service Client and the Secrets Manager Service Client in Python. – smac2020 Feb 13 '23 at 18:17
- REF Docs -- https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/dynamodb.html – smac2020 Feb 13 '23 at 18:19
- How about this? Rather than having two service clients for DynamoDB and Secrets Manager, I create a private API with two Python functions, one for retrieving DynamoDB information and the other to create secrets in Secrets Manager. The second function will accept a parameter. Then use EventBridge to schedule it. – Baba Feb 13 '23 at 18:29
- EventBridge sounds like extreme overkill for something that you should only need to run once. Regardless of how you do it, the Python code needs to create a service client object for each service you are interacting with. The whole service client thing is really just an implementation detail of how you use the AWS SDK, and not something to get hung up on. – Mark B Feb 13 '23 at 19:03