AWS Secrets Manager - Secure Secret Management Service
A comprehensive guide to AWS Secrets Manager and its features

Overview
AWS Secrets Manager is a secrets management service that helps you protect access to your applications, services, and IT resources.
Without the upfront investment and ongoing maintenance costs of operating your own infrastructure, you can manage and retrieve database credentials, API keys, and other secrets throughout their lifecycle.
Key Features of AWS Secrets Manager
Secure Secret Storage and Management
- Securely store and retrieve secrets
- Encrypt secrets using AWS KMS
- Centralized secret management
Fine-grained Access Control
- Define granular permissions using IAM policies
- Control who can access or modify specific secrets
- Integrate with existing AWS services
Automated Secret Rotation
- Support for automatic secret rotation
- Custom rotation schedules
- Integration with AWS Lambda for custom rotation functions
Audit and Monitoring
- Integration with AWS CloudTrail
- Monitor and log secret access
- Maintain compliance and identify security risks
AWS Secrets Manager CLI Commands
# Available Commands
aws secretsmanager help
# Common Commands
aws secretsmanager create-secret
aws secretsmanager get-secret-value
aws secretsmanager list-secrets
aws secretsmanager rotate-secret
aws secretsmanager delete-secret
Secret Types and Examples
1. Database Credentials
{
"username": "myDatabaseUser",
"password": "mySecurePassword",
"host": "myDatabaseHost",
"port": 3306
}
2. API Keys
{
"api_key": "sk_test_1234567890abcdef",
"secret_key": "sh_test_1234567890abcdef"
}
3. OAuth Tokens
{
"access_token": "ya29.1234567890abcdef",
"refresh_token": "1/1234567890abcdef",
"client_id": "myClientID.apps.googleusercontent.com",
"client_secret": "myClientSecret"
}
4. SSH Keys
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAz0FzLw1bmK5OzYDhLTVlLQzPgh6T9T...
... (rest of the private key) ...
-----END RSA PRIVATE KEY-----
Rotation Configuration
Rotation Settings
- Configure rotation frequency (minimum 1 day)
- Set up Lambda function for rotation
- Automatic trigger on schedule
Required Permissions
- Secrets Manager permissions
- Lambda function permissions
- Application permissions
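The database-credential format above and the rotation settings in this section both matter to the application side: once a secret rotates, a value cached forever in the process is stale. The following is an added example (not code from the original page or from AWS) of parsing that JSON shape and caching it with a short TTL so a rotated value is picked up on the next expiry; the `FakeSecretsManager` class is a constructed stand-in that only mimics the `get_secret_value(SecretId=...)` call of a boto3 `secretsmanager` client, and the secret name `prod/db` is hypothetical.

```python
import json
import time

REQUIRED_DB_FIELDS = ("username", "password", "host", "port")

# Constructed sample in the database-credential shape shown above.
SAMPLE_DB_SECRET = json.dumps({"username": "myDatabaseUser",
                               "password": "mySecurePassword",
                               "host": "myDatabaseHost", "port": 3306})


class FakeSecretsManager:
    """Constructed stand-in for a boto3 secretsmanager client: it offers only
    get_secret_value(SecretId=...) and counts calls so caching is observable."""

    def __init__(self, secret_string):
        self.secret_string = secret_string  # reassign to simulate a rotation
        self.calls = 0

    def get_secret_value(self, SecretId):
        self.calls += 1
        return {"Name": SecretId, "SecretString": self.secret_string}


def parse_db_credentials(secret_string):
    """Validate the JSON secret and return a dict with the required fields."""
    data = json.loads(secret_string)
    missing = [k for k in REQUIRED_DB_FIELDS if k not in data]
    if missing:
        raise ValueError("secret is missing fields: " + ", ".join(missing))
    data["port"] = int(data["port"])  # reject a non-numeric port early
    return data


class SecretCache:
    """Cache a parsed secret for ttl_seconds, then re-fetch it, so a rotated
    value is picked up without a redeploy; clock is injectable for tests."""

    def __init__(self, client, ttl_seconds=300, clock=time.monotonic):
        self.client = client
        self.ttl = ttl_seconds
        self.clock = clock
        self._entries = {}  # secret_id -> (expires_at, credentials)

    def get_db_credentials(self, secret_id):
        now = self.clock()
        entry = self._entries.get(secret_id)
        if entry is None or now >= entry[0]:
            resp = self.client.get_secret_value(SecretId=secret_id)
            entry = (now + self.ttl, parse_db_credentials(resp["SecretString"]))
            self._entries[secret_id] = entry
        return entry[1]
```

Pair the TTL with a retry that re-fetches on an authentication failure so the window between rotation and cache expiry does not cause errors.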
Understanding OAuth and SSO
- Access Token
  - Short-term credentials
  - Used for resource access
  - Has expiration time
- Refresh Token
  - Long-term credentials
  - Used to obtain new access tokens
  - Reduces need for frequent re-authentication
OAuth Token Flow
1. User initiates login
2. Application redirects to the OAuth provider
3. User grants permissions
4. OAuth provider issues an authorization code
5. Application exchanges the code for tokens