How to create a secret in AWS Secrets Manager?

Creating a secret in AWS Secrets Manager is pretty straightforward.

Here are the steps to follow:

STEP 1: Go to AWS Secrets Manager

Once you have registered on AWS, log in to the console and navigate to AWS Secrets Manager.

Then click on Store a new secret:

STEP 2: Choose the type of secret and enter the secret value

Once you click the “Store a new secret” button, you will be prompted to choose the type of secret.

It could be credentials for AWS resources such as Amazon RDS, Amazon DocumentDB or Amazon Redshift, for other databases, or any other type of credentials.

I chose the last option.

You can enter the secret next.

You will be given two formats in which to enter the secret: Key/Value pairs or JSON.

I chose the JSON type below and added my secret.


STEP 3: Give a name to the secret

Give the secret a name in the next step. Use the “/” character to separate the segments of the name. This lets you keep separate secrets for different profiles, such as dev/, test/ and prod/.

STEP 4: Store the secret

Finally, save the secret. You can also enable automatic rotation during this step.

If you do so, the credentials are rotated every 30 days by default.

You will also be provided with sample code to access the credentials from your application:

You can find your secret listed under the secrets page:

Every resource in AWS has a unique ARN (Amazon Resource Name).

You can find it under Secret ARN:
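The four console steps above can also be driven from code. The following is an added example written for this post (not the author's code and not an AWS sample) using boto3. It validates the hierarchical name convention from step 3, serialises the key/value pairs into the JSON document from step 2, shows how the ARN's prefix is used to scope an IAM policy to one environment, and wraps the create and rotation calls from step 4. The account id 111122223333, the environment prefixes dev/test/prod and the rotation Lambda ARN are assumptions; the region ap-south-1 comes from the post.

```python
import json
import re
from typing import Dict

try:
    import boto3  # needed only by the functions that actually call AWS
except ImportError:  # the validation and policy helpers work without the SDK
    boto3 = None

# Constructed sample values (not from the post): the account id is a placeholder.
SAMPLE_REGION = "ap-south-1"
SAMPLE_ACCOUNT = "111122223333"

# Hierarchical naming as described in step 3: "<env>/<application>/<purpose>".
ALLOWED_ENVIRONMENTS = ("dev", "test", "prod")
# Characters Secrets Manager accepts in a secret name.
_NAME_RE = re.compile(r"^[A-Za-z0-9/_+=.@-]+$")


def validate_secret_name(name: str) -> str:
    """Return the environment prefix of a well-formed name, or raise ValueError."""
    if not _NAME_RE.match(name):
        raise ValueError(f"invalid characters in secret name: {name!r}")
    segments = name.split("/")
    if len(segments) < 2 or "" in segments:
        raise ValueError(f"expected '<env>/<app>[/<purpose>]', got {name!r}")
    env = segments[0]
    if env not in ALLOWED_ENVIRONMENTS:
        raise ValueError(f"unknown environment prefix {env!r}, expected one of {ALLOWED_ENVIRONMENTS}")
    return env


def build_secret_string(pairs: Dict[str, str]) -> str:
    """Serialise key/value pairs as the JSON document stored in SecretString (step 2)."""
    for key, value in pairs.items():
        if not isinstance(key, str) or not isinstance(value, str):
            raise TypeError("secret keys and values must be strings")
        if value == "":
            raise ValueError(f"empty value for key {key!r}")
    return json.dumps(pairs, separators=(",", ":"), sort_keys=True)


def secret_arn_pattern(region: str, account: str, env: str) -> str:
    """IAM resource pattern matching every secret under one environment prefix.

    A real secret ARN ends in a random suffix ("-IJtY1P" in the post), so a
    policy matches on the prefix plus "*" rather than on an exact name.
    """
    return f"arn:aws:secretsmanager:{region}:{account}:secret:{env}/*"


def read_only_policy(region: str, account: str, env: str) -> dict:
    """Least-privilege policy for an application: read its own environment's secrets only."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
            "Resource": secret_arn_pattern(region, account, env),
        }],
    }


def create_secret(name: str, pairs: Dict[str, str], region: str) -> str:
    """Steps 1-4 as API calls: validate the name, store the JSON value, return the ARN."""
    validate_secret_name(name)
    if boto3 is None:
        raise RuntimeError("boto3 is required to call AWS")
    client = boto3.client("secretsmanager", region_name=region)
    response = client.create_secret(Name=name, SecretString=build_secret_string(pairs))
    return response["ARN"]


def enable_rotation(secret_id: str, rotation_lambda_arn: str, region: str, days: int = 30) -> None:
    """Step 4's rotation option; the rotation Lambda ARN is an assumed placeholder."""
    if boto3 is None:
        raise RuntimeError("boto3 is required to call AWS")
    client = boto3.client("secretsmanager", region_name=region)
    client.rotate_secret(
        SecretId=secret_id,
        RotationLambdaARN=rotation_lambda_arn,
        RotationRules={"AutomaticallyAfterDays": days},
    )


if __name__ == "__main__":
    print(validate_secret_name("test/awssecret"))
    print(json.dumps(read_only_policy(SAMPLE_REGION, SAMPLE_ACCOUNT, "prod"), indent=2))
```

The policy helper is the reason the "/" naming convention matters beyond tidiness: an application role granted `secret:prod/*` cannot read `dev/` or `test/` secrets, and vice versa.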


Here is the code snippet provided by AWS (the getSecret sample) for accessing the secret you created:

// Use this code snippet in your app.
// If you need more information about configurations or implementing the sample code, visit the AWS docs:
// https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/java-dg-samples.html#prerequisites

import java.util.Base64;

import com.amazonaws.services.secretsmanager.AWSSecretsManager;
import com.amazonaws.services.secretsmanager.AWSSecretsManagerClientBuilder;
import com.amazonaws.services.secretsmanager.model.DecryptionFailureException;
import com.amazonaws.services.secretsmanager.model.GetSecretValueRequest;
import com.amazonaws.services.secretsmanager.model.GetSecretValueResult;
import com.amazonaws.services.secretsmanager.model.InternalServiceErrorException;
import com.amazonaws.services.secretsmanager.model.InvalidParameterException;
import com.amazonaws.services.secretsmanager.model.InvalidRequestException;
import com.amazonaws.services.secretsmanager.model.ResourceNotFoundException;

public class SecretReader {

    public static void getSecret() {

        // The ARN shown on the secret's page (region and account id are part of it).
        String secretName = "arn:aws:secretsmanager:ap-south-1:022309017910:secret:test/awssecret-IJtY1P";
        String region = "ap-south-1";

        // Create a Secrets Manager client
        AWSSecretsManager client  = AWSSecretsManagerClientBuilder.standard()
                                        .withRegion(region)
                                        .build();

        // In this sample we only handle the specific exceptions for the 'GetSecretValue' API.
        // See https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
        // We rethrow the exception by default.

        String secret, decodedBinarySecret;
        GetSecretValueRequest getSecretValueRequest = new GetSecretValueRequest()
                        .withSecretId(secretName);
        GetSecretValueResult getSecretValueResult = null;

        try {
            getSecretValueResult = client.getSecretValue(getSecretValueRequest);
        } catch (DecryptionFailureException e) {
            // Secrets Manager can't decrypt the protected secret text using the provided KMS key.
            // Deal with the exception here, and/or rethrow at your discretion.
            throw e;
        } catch (InternalServiceErrorException e) {
            // An error occurred on the server side.
            // Deal with the exception here, and/or rethrow at your discretion.
            throw e;
        } catch (InvalidParameterException e) {
            // You provided an invalid value for a parameter.
            // Deal with the exception here, and/or rethrow at your discretion.
            throw e;
        } catch (InvalidRequestException e) {
            // You provided a parameter value that is not valid for the current state of the resource.
            // Deal with the exception here, and/or rethrow at your discretion.
            throw e;
        } catch (ResourceNotFoundException e) {
            // We can't find the resource that you asked for.
            // Deal with the exception here, and/or rethrow at your discretion.
            throw e;
        }

        // Decrypts secret using the associated KMS CMK.
        // Depending on whether the secret is a string or binary, one of these fields will be populated.
        if (getSecretValueResult.getSecretString() != null) {
            secret = getSecretValueResult.getSecretString();
        }
        else {
            decodedBinarySecret = new String(Base64.getDecoder().decode(getSecretValueResult.getSecretBinary()).array());
        }

        // Your code goes here.
    }
}
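The Java sample only fetches the raw value; what an application usually needs next is to pick the populated field (SecretString or SecretBinary), turn the JSON document entered in step 2 back into fields, and make sure the secret never ends up in a log line. The following Python counterpart is an added example written for this post, not the author's code and not an AWS sample. It assumes boto3 for the live call; the parsing, key check and redaction helpers run without the SDK, and the sample response used at the bottom is constructed.

```python
import base64
import json
from typing import Any, Dict, Iterable, Union

try:
    import boto3
    from botocore.exceptions import ClientError
except ImportError:  # parse_secret_value() and friends work without the SDK installed
    boto3 = None
    ClientError = Exception

SecretValue = Union[Dict[str, Any], str, bytes]

# Constructed sample response, shaped like what get_secret_value() returns.
SAMPLE_RESPONSE = {
    "ARN": "arn:aws:secretsmanager:ap-south-1:111122223333:secret:test/awssecret-PLACEHOLDER",
    "Name": "test/awssecret",
    "SecretString": '{"username":"app","password":"s3cr3t"}',
}


def parse_secret_value(response: Dict[str, Any]) -> SecretValue:
    """Pick the populated field out of a GetSecretValue response.

    Exactly one of SecretString / SecretBinary is set. A SecretString holding the
    JSON document entered in the console comes back as a dict; any other string
    is returned unchanged; a binary secret is returned as bytes.
    """
    if response.get("SecretString") is not None:
        text = response["SecretString"]
        try:
            value = json.loads(text)
        except ValueError:
            return text
        return value if isinstance(value, dict) else text
    if response.get("SecretBinary") is not None:
        blob = response["SecretBinary"]
        # boto3 delivers SecretBinary as raw bytes. The Java v1 sample above
        # base64-decodes because that SDK exposes the wire encoding; a value
        # copied from the raw HTTP API response is still base64 text, so handle both.
        if isinstance(blob, str):
            return base64.b64decode(blob, validate=True)
        return bytes(blob)
    raise ValueError("response has neither SecretString nor SecretBinary")


def require_keys(secret: Dict[str, Any], keys: Iterable[str]) -> Dict[str, Any]:
    """Fail fast if the JSON secret lacks a field the application depends on."""
    keys = list(keys)
    missing = [k for k in keys if k not in secret]
    if missing:
        raise KeyError(f"secret is missing keys: {missing}")
    return {k: secret[k] for k in keys}


def redact(secret: SecretValue) -> str:
    """Safe representation for logs: key names only, never values."""
    if isinstance(secret, dict):
        return "{" + ", ".join(f"{k}: ***" for k in sorted(secret)) + "}"
    unit = "bytes" if isinstance(secret, bytes) else "chars"
    return f"<{type(secret).__name__} of {len(secret)} {unit}>"


def get_secret(secret_id: str, region: str) -> SecretValue:
    """Python counterpart of the getSecret() sample: fetch, then parse."""
    if boto3 is None:
        raise RuntimeError("boto3 is required to call AWS")
    client = boto3.client("secretsmanager", region_name=region)
    try:
        response = client.get_secret_value(SecretId=secret_id)
    except client.exceptions.ResourceNotFoundException:
        raise LookupError(f"no secret with id {secret_id!r} in {region}")
    except ClientError as exc:
        # Decryption, parameter and service errors: surface the error code, never the payload.
        code = exc.response.get("Error", {}).get("Code", "Unknown")
        raise RuntimeError(f"GetSecretValue failed for {secret_id!r}: {code}") from exc
    return parse_secret_value(response)


if __name__ == "__main__":
    creds = require_keys(parse_secret_value(SAMPLE_RESPONSE), ["username", "password"])
    print("loaded", redact(creds))
```

Pass the secret's ARN or its name (`test/awssecret`) as `secret_id`; both are accepted by GetSecretValue. The redaction helper exists because the most common way a stored secret leaks is an application that prints the parsed dictionary while debugging.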

That’s it!
