Skip to content

AWS CDK package to create an AWS SecretsManager secret and enable secret rotation.

License

Notifications You must be signed in to change notification settings

idenfy/AwsSecretCdk

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

26 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

AWS Secret Cdk

A library to create and provision secrets by AWS SecretsManager. This library makes it easy to create secrets with secret rotation.

Remarks

The project is written by Laimonas Sutkus and is owned by iDenfy. This is an open source library intended to be used by anyone. iDenfy aims to share its knowledge and educate market for better and more secure IT infrastructure.

Related technology

This project utilizes the following technology:

  • AWS (Amazon Web Services).
  • AWS CDK (Amazon Web Services Cloud Development Kit).
  • AWS CloudFormation.
  • AWS SecretsManager.

Assumptions

This library project assumes the following:

  • You have knowledge in AWS (Amazon Web Services).
  • You have knowledge in AWS CloudFormation and AWS SecretsManager.
  • You are managing your infrastructure with AWS CDK.
  • You are writing AWS CDK templates with a python language.

Install

The project is built and uploaded to PyPi. Install it by using pip.

pip install aws-secret-cdk

Or directly install it through source.

./build.sh -ic

Description

SecretsManager is a great AWS service to manage your secrets e.g. database password. It is really easy to create and configure a secret through AWS console (UI). However it is notoriously difficult to create and manage secrets through CloudFormation. You need to create a lambda function, which executes secret rotation, ensure correct lambda function permissions and security groups, correctly configure secrets themselves with correct templates, etc. This library tackles this problem. In a nutshell, you just provide a database, for which the secret should be applied, and some other params. And that's it! You're good to go.

One big note - this library can be used on existing databases.

Examples

Here are the examples on how to use this library with various scenarios.

RDS (MySql and Aurora MySql compatible) Single user rotation

To create a SecretsManager Secret for an RDS database with 30 days rotation, create a Secret instance.

from aws_cdk.core import Stack
from aws_cdk.aws_ec2 import Vpc
from aws_cdk import aws_rds
from aws_secret_cdk.vpc_parameters import VPCParameters
from aws_secret_cdk.aurora_mysql_single_user.secret import Secret

class MyStack(Stack):
    def __init__(self, **kwargs):
        super().__init__(**kwargs)
        
        # Suppose you have defined a VPC.
        self.vpc = Vpc(**kwargs)

        # Suppose you have a database (or a cluster).
        self.database = aws_rds.CfnDBCluster(**kwargs)
        
        # Now simply create a secret with 30 day rotation.
        self.rds_secret = Secret(
            stack=self,
            prefix='MyResourcesPrefix',
            vpc_parameters=VPCParameters(
                rotation_lambda_vpc=self.vpc,
                rotation_lambda_security_groups=[
                    # Your SG's.
                ],
                # NOTE! Ensure that your private subnets have a NAT gateway
                # or have a VPC endpoint in order to reach SecretsManager
                # API which is outside your own VPC.
                rotation_lambda_subnets=self.vpc.private_subnets
            ),
            database=self.database
        )

And that's pretty much it. From now own your database password will be stored in a SecretsManager and will be roted every 30 days.

Using the new secret

In order to retrieve the secret, use this sample code below.

# Use this code snippet in your app.
# If you need more information about configurations or implementing the sample code, visit the AWS docs:   
# https://aws.amazon.com/developers/getting-started/python/

import boto3
import base64
from botocore.exceptions import ClientError


def get_secret():

    secret_name = "test"
    region_name = "eu-west-1"

    # Create a Secrets Manager client
    session = boto3.session.Session()
    client = session.client(
        service_name='secretsmanager',
        region_name=region_name
    )

    try:
        get_secret_value_response = client.get_secret_value(
            SecretId=secret_name
        )
    except ClientError as e:
        # Some error happened here. Log it / handle it / raise it.
        raise e
    else:
        if 'SecretString' in get_secret_value_response:
            secret = get_secret_value_response['SecretString']
        else:
            secret = base64.b64decode(get_secret_value_response['SecretBinary'])
            
        return secret

About

AWS CDK package to create an AWS SecretsManager secret and enable secret rotation.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published