Use AWS Secrets Manager


AWS Secrets Manager enables you to replace hardcoded credentials in your code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically. For more info, refer to the AWS Secrets Manager documentation.

Two types of secret can be used:

  • SecretString (plain text or key/value pairs)
  • SecretBinary

The following config.yaml excerpt shows how output arguments reference secrets stored in AWS Secrets Manager by ARN instead of carrying the values inline:

inputs:
  - type: "s3-sqs"
    id: "arn:aws:sqs:%REGION%:%ACCOUNT%:%QUEUENAME%"
    outputs:
      - type: "elasticsearch"
        args:
          elasticsearch_url: "arn:aws:secretsmanager:eu-central-1:123456789:secret:es_url"
          username: "arn:aws:secretsmanager:eu-west-1:123456789:secret:es_secrets:username"
          password: "arn:aws:secretsmanager:eu-west-1:123456789:secret:es_secrets:password"
          es_datastream_name: "logs-generic-default"

To use a plain text or binary secret, note the following format for the ARN:

arn:aws:secretsmanager:AWS_REGION:AWS_ACCOUNT_ID:secret:SECRET_NAME

To use a key/value pair secret, append the key to the end of the ARN:

arn:aws:secretsmanager:AWS_REGION:AWS_ACCOUNT_ID:secret:SECRET_NAME:SECRET_KEY

  • Secrets from different regions are supported, but the only version currently retrieved for a secret is AWSCURRENT.
  • You cannot use the same secret for both plain text and key/value pairs.
  • Secrets are case-sensitive.
  • Any configuration error or typo in the config.yaml file causes the affected secret not to be retrieved: the entry is ignored or an exception is raised.
  • Keys must exist in the AWS Secrets Manager.
  • Empty values for a given key are not allowed.
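
As an added example that is not part of the forwarder's own code, the following Python resolves the values of an outputs[].args block according to the rules above: a plain ARN yields the whole SecretString or SecretBinary, an ARN with a trailing key looks that key up in a JSON key/value secret, and the listed constraints (case-sensitive keys that must exist, no empty values, one mode per secret) are enforced. The fetch callable, FAKE_STORE and the resolve_* names are assumptions that stand in for a boto3 get_secret_value call.

```python
import json
import re
from typing import Any, Callable, Dict, Optional, Tuple

# Matches both ARN forms from the page; a trailing ":KEY" marks a key/value secret.
ARN_RE = re.compile(
    r"^arn:aws:secretsmanager:(?P<region>[a-z0-9-]+):(?P<account>[0-9]+):secret:"
    r"(?P<name>[^:]+)(?::(?P<key>[^:]+))?$"
)

def parse_secret_arn(value: str) -> Optional[Tuple[str, str, Optional[str]]]:
    """Return (region, secret_name, key or None) for a Secrets Manager ARN, else None."""
    m = ARN_RE.match(value)
    return (m.group("region"), m.group("name"), m.group("key")) if m else None

def resolve_secret(value: str, fetch: Callable[[str, str], Dict[str, Any]],
                   usage: Dict[str, str]) -> Any:
    """Resolve one config value; fetch(region, name) returns a get_secret_value-shaped dict."""
    parsed = parse_secret_arn(value)
    if parsed is None:
        return value  # ordinary literal, e.g. es_datastream_name
    region, name, key = parsed
    mode = "key/value" if key else "plain"
    if usage.setdefault(name, mode) != mode:  # the same secret cannot be used both ways
        raise ValueError(f"secret {name!r} used as both plain text and key/value")
    resp = fetch(region, name)  # only the AWSCURRENT version is retrieved
    if key is None:  # plain text or binary secret: the whole payload is the value
        secret = resp.get("SecretString", resp.get("SecretBinary"))
    else:
        if "SecretString" not in resp:
            raise ValueError(f"secret {name!r} is binary, cannot look up key {key!r}")
        pairs = json.loads(resp["SecretString"])  # raises ValueError if not JSON
        if not isinstance(pairs, dict) or key not in pairs:  # keys are case-sensitive
            raise KeyError(f"key {key!r} not found in secret {name!r}")
        secret = pairs[key]
    if secret in (None, "", b""):  # empty values are rejected
        raise ValueError(f"empty value for {value!r}")
    return secret

# Constructed stand-in for Secrets Manager, holding the page's example secrets (assumed values).
FAKE_STORE = {
    ("eu-central-1", "es_url"): {"SecretString": "https://es.example.internal:9243"},
    ("eu-west-1", "es_secrets"): {"SecretString": json.dumps({"username": "elastic", "password": "s3cr3t"})},
}

def fake_fetch(region: str, name: str) -> Dict[str, Any]:
    return FAKE_STORE[(region, name)]  # KeyError stands in for a missing secret

def resolve_args(args: Dict[str, str], fetch=fake_fetch) -> Dict[str, Any]:
    usage: Dict[str, str] = {}  # tracks plain vs key/value use per secret name
    return {k: resolve_secret(v, fetch, usage) for k, v in args.items()}
```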