Use AWS Secrets Manager
AWS Secrets Manager enables you to replace hardcoded credentials in your code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically. For more information, refer to the AWS Secrets Manager documentation.
There are 2 types of secrets that can be used:
- SecretString (plain text or key/value pairs)
- SecretBinary
The following config.yaml example references secrets in AWS Secrets Manager by ARN, so that they are retrieved through API calls instead of being hardcoded:
```yaml
inputs:
  - type: "s3-sqs"
    id: "arn:aws:sqs:%REGION%:%ACCOUNT%:%QUEUENAME%"
    outputs:
      - type: "elasticsearch"
        args:
          elasticsearch_url: "arn:aws:secretsmanager:eu-central-1:123456789:secret:es_url"
          username: "arn:aws:secretsmanager:eu-west-1:123456789:secret:es_secrets:username"
          password: "arn:aws:secretsmanager:eu-west-1:123456789:secret:es_secrets:password"
          es_datastream_name: "logs-generic-default"
```
To use a plain text or binary secret, note the following format for the ARN:
arn:aws:secretsmanager:AWS_REGION:AWS_ACCOUNT_ID:secret:SECRET_NAME
To use a key/value pair secret, append the key to the end of the ARN:
arn:aws:secretsmanager:AWS_REGION:AWS_ACCOUNT_ID:secret:SECRET_NAME:SECRET_KEY
- Secrets from different regions are supported, but the only version currently retrieved for a secret is AWSCURRENT.
- You cannot use the same secret for both plain text and key/value pairs.
- Secrets are case-sensitive.
- Any configuration error or typo in the config.yaml file will be ignored (or exceptions raised) and secrets will not be retrieved.
- Keys must exist in the AWS Secrets Manager.
- Empty values for a given key are not allowed.
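Because a mistyped reference means the secret is not retrieved, it helps to check the ARNs before deploying. The following is an added example, not the forwarder's own code: the function names are hypothetical, no AWS call is made, and the secret payload is constructed sample data.

```python
import json
import re

# ARN shapes from the page: ...:secret:SECRET_NAME[:SECRET_KEY]
ARN_RE = re.compile(
    r"^arn:aws:secretsmanager:(?P<region>[a-z0-9-]+):(?P<account>\d+)"
    r":secret:(?P<name>[^:]+)(?::(?P<key>[^:]+))?$"
)

def parse_secret_arn(arn):
    """Split a secret reference into (region, account, name, key-or-None)."""
    m = ARN_RE.match(arn)
    if m is None:
        raise ValueError(f"malformed secret ARN: {arn!r}")
    return m["region"], m["account"], m["name"], m["key"]

def check_references(arns):
    """Return problems that can be found without calling AWS."""
    problems, usage = [], {}
    for arn in arns:
        try:
            region, account, name, key = parse_secret_arn(arn)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        usage.setdefault((region, account, name), set()).add(key)
    for (_, _, name), keys in usage.items():
        # One secret cannot serve as both plain text and key/value pairs.
        if None in keys and len(keys) > 1:
            problems.append(f"{name}: referenced as plain text and as key/value")
    return problems

def resolve(arn, secret_string):
    """Select the referenced value from an already fetched SecretString."""
    _, _, name, key = parse_secret_arn(arn)
    value = secret_string
    if key is not None:
        pairs = json.loads(secret_string)
        if key not in pairs:  # exact match: keys are case-sensitive
            raise KeyError(f"{name}: key {key!r} does not exist")
        value = pairs[key]
    if value == "":
        raise ValueError(f"{name}: empty value is not allowed")
    return value

# Constructed sample data, not real secrets.
SAMPLE_ARN = "arn:aws:secretsmanager:eu-west-1:123456789:secret:es_secrets:username"
SAMPLE_SECRET = '{"username": "forwarder", "password": ""}'
```

Run `check_references` over every `arn:aws:secretsmanager:` value in config.yaml; `resolve` applies the key-existence, case-sensitivity and empty-value rules to a SecretString fetched separately.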