Skip to content

AWS Secrets Manager in IT Common Platform#

Overview#

ITCP uses AWS Secrets minimally to hold credentials that are used in automation but have not benefited migration to vault. This document outlines the primary use cases and provides examples of how to interact with AWS Secrets Manager using Terraform.

Use Cases#

  1. Storing Database Credentials
  2. Managing SSH Keys for GitLab Runners
  3. Storing Access Keys for Harbor Users

Examples#

Storing Database Credentials#

The platform uses AWS Secrets Manager to store and retrieve database credentials for services like Harbor.

resource "aws_secretsmanager_secret" "harbor_postgres_creds" {
  for_each                = toset(var.cluster_names)
  name                    = "harbor-postgres-creds-${each.value}"
  recovery_window_in_days = 0
}

resource "aws_secretsmanager_secret_version" "harbor_postgres_creds" {
  for_each  = toset(var.cluster_names)
  secret_id = aws_secretsmanager_secret.harbor_postgres_creds[each.value].id
  secret_string = jsonencode({
    "password" : local.db_creds[each.value]["master_password"],
    "username" : local.db_creds[each.value]["master_username"],
    "engine" : aws_rds_cluster.serverless_aurora_v2[each.value].engine,
    "host" : aws_rds_cluster.serverless_aurora_v2[each.value].endpoint,
    "port" : aws_rds_cluster.serverless_aurora_v2[each.value].port,
    "dbClusterIdentifier" : aws_rds_cluster.serverless_aurora_v2[each.value].id
  })
}

Managing SSH Keys for GitLab Runners#

The platform generates SSH keys for GitLab Runners and stores the private key in AWS Secrets Manager.

resource "tls_private_key" "gitlab_runner_private_key" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

resource "aws_secretsmanager_secret" "ssm_gitlab_runner_private_key" {
  name        = "${var.env_name}-gitlab-runner-ssh-key"
  description = "Gitlab-runner SSH Key"
}

resource "aws_secretsmanager_secret_version" "ssm_gitlab_runner_private_key_secret" {
  secret_id     = aws_secretsmanager_secret.ssm_gitlab_runner_private_key.id
  secret_string = tls_private_key.gitlab_runner_private_key.private_key_pem
}

Storing Access Keys for Harbor Users#

The platform creates IAM users for Harbor and stores their access keys in AWS Secrets Manager.

resource "aws_secretsmanager_secret" "harbor_user_secrets" {
  for_each                = toset(var.cluster_names)
  name                    = "harbor-user-access-keys-${each.value}"
  recovery_window_in_days = 0
}

resource "aws_secretsmanager_secret_version" "harbor_user_keys" {
  for_each      = toset(var.cluster_names)
  secret_id     = aws_secretsmanager_secret.harbor_user_secrets[each.value].id
  secret_string = jsonencode(local.secret_map[each.value])
}

Best Practices#

  1. Use descriptive names for secrets to easily identify their purpose.
  2. Utilize the 'for_each' meta-argument to create multiple secrets for different
  3. Use 'jsonencode' to store structured data in the secret string.
  4. Set appropriate IAM policies to restrict access to secrets.

Accessing Secrets#

To access secrets in other resources or applications:

  • Create an IAM policy that allows reading the specific secret:
resource "aws_iam_policy" "secretsmanager_access_policy" {
  name        = "access-policy-for-secret"
  description = "Allows reading a specific secret"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = "secretsmanager:GetSecretValue"
        Resource = aws_secretsmanager_secret.example_secret.arn
      }
    ]
  })
}
  • Attach this policy to the IAM role of the resource that needs to access the secret.
  • In your application code or Lambda function, use the AWS SDK to retrieve the secret value:
import boto3

def get_secret(secret_name):
    client = boto3.client('secretsmanager')
    response = client.get_secret_value(SecretId=secret_name)
    return response['SecretString']

By following these practices, the IT Common Platform ensures secure management of sensitive information across its infrastructure.