Creating a secret in AWS Secret Manager is pretty straightforward.
Here are the steps to follow:
STEP1: Go to AWS Secrets Manager
Once you register on AWS , login to the console and navigate to AWS Secret Manager
Then click on Store a new secret:
STEP2: Choose the type of secret and enter the secret value.
Once you click on “Store a new secret” button you will be prompted to choose the type of secret.
It could be for accessing AWS resources like Amazon RDS, Amazon DocumentDB, Amazon Redshift, other databases or for any other type of credentials.
I chose the last option.
You can enter the secret next.
You will be given two format to enter the secrets – Key/Value pairs or JSON.
I chose the JSON type below and added my secret.
STEP3: Give a name to the secret
Give a name to the secret in the next step. The name should be separated by “/” character. This can be used to store different secrets for different profiles like dev/ , test/, prod/ etc.
STEP4: Store the secret
Finally save the secret , you can also enable automatic rotation during this step.
If you do so you will be asked to change the credentials every 30 days (default).
You will also be provided with sample code to access the credentials from your application:
You can find your secret listed under the secrets page:
Every resource in AWS will have a unique ARN (Amazon Resource Name).
You can find out this under Secret ARN:
Here is the code snippet provided by AWS on creating the secret:
// Use this code snippet in your app.
// If you need more information about configurations or implementing the sample code, visit the AWS docs:
// https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/java-dg-samples.html#prerequisites
public static void getSecret() {
String secretName = "arn:aws:secretsmanager:ap-south-1:022309017910:secret:test/awssecret-IJtY1P";
String region = "ap-south-1";
// Create a Secrets Manager client
AWSSecretsManager client = AWSSecretsManagerClientBuilder.standard()
.withRegion(region)
.build();
// In this sample we only handle the specific exceptions for the 'GetSecretValue' API.
// See https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
// We rethrow the exception by default.
String secret, decodedBinarySecret;
GetSecretValueRequest getSecretValueRequest = new GetSecretValueRequest()
.withSecretId(secretName);
GetSecretValueResult getSecretValueResult = null;
try {
getSecretValueResult = client.getSecretValue(getSecretValueRequest);
} catch (DecryptionFailureException e) {
// Secrets Manager can't decrypt the protected secret text using the provided KMS key.
// Deal with the exception here, and/or rethrow at your discretion.
throw e;
} catch (InternalServiceErrorException e) {
// An error occurred on the server side.
// Deal with the exception here, and/or rethrow at your discretion.
throw e;
} catch (InvalidParameterException e) {
// You provided an invalid value for a parameter.
// Deal with the exception here, and/or rethrow at your discretion.
throw e;
} catch (InvalidRequestException e) {
// You provided a parameter value that is not valid for the current state of the resource.
// Deal with the exception here, and/or rethrow at your discretion.
throw e;
} catch (ResourceNotFoundException e) {
// We can't find the resource that you asked for.
// Deal with the exception here, and/or rethrow at your discretion.
throw e;
}
// Decrypts secret using the associated KMS CMK.
// Depending on whether the secret is a string or binary, one of these fields will be populated.
if (getSecretValueResult.getSecretString() != null) {
secret = getSecretValueResult.getSecretString();
}
else {
decodedBinarySecret = new String(Base64.getDecoder().decode(getSecretValueResult.getSecretBinary()).array());
}
// Your code goes here.
}
That’s it!
Leave a Reply