Access AWS Secrets Manager from your container using AWS SDK

rajitpaul

Rajit Paul

Posted on August 19, 2023

Access AWS Secrets Manager from your container using AWS SDK

In case you need to store your credentials securely at a place and not in your application code, AWS Secrets Manager can become your ideal choice.

AWS Secrets Manager helps you manage, retrieve, and rotate database credentials, application credentials, OAuth tokens, API keys, and other secrets throughout their lifecycles.
[Source: AWS Docs]

Today, we are going to look into how to fetch a secret from AWS Secrets Manager inside your container using AWS SDK, we shall be using the Python SDK (boto3). I shall be going ahead with a dummy secret for this demo but you can use the same process to fetch DB Passwords, Application Credentials or other critical tokens that you should not hardcode onto your application source code.

Pre-Requisites

  • An AWS Account
  • An user with full access to AWS Secrets Manager and EC2

Creating a secret in the Secret Manager

We shall be going ahead with other type of secrets but in your case you can go ahead and store secrets if you are using AWS Native Databases services as well.
We have chosen aws/secretsmanager as the Encryption Key, you can have a Customer Managed KMS Key to encrypt yoru secret based on your requirement.

Image description

In the next window, you shall be asked to provide a secret name in our case we have provided test/mysecret, you can leave the rest of the options as default.

Image description

Click on next, and if you wish to enable automatic rotation you can do so in this window, this would also require a lambda function that will rotate the secret.

Click next and in the Review section you shall be getting a code snippet for multiple languages, according to your needs you can choose one, in this case I shall be going ahead with Python3 and we shall use that later.

Image description

Launching an EC2 Instance and installing Docker

Create an instance providing the name and selecting the instance type.

Image description

Choose an instance type and your keypair, if you don't have a keypair you can create one using the create keypair option.

Image description

You can keep the network settings as default, for this demo I'm keeping the SSH Access open from anywhere, it's recommended to keep restricted access from the same.

Image description

Once the instance is launched you can ssh into the instance and install docker

Image description

Start the docker service

Image description

Creating an IAM Role for EC2 to access Secrets Manager

Select EC2 as the trusted entity type

Image description

Choosing the SecretsManager R/W Permission, in your case you can choose a granular permission

Image description

Provide a role name and create the role

Image description

Attach the role to your EC2 Instance

Image description

Image description

Launch an Ubuntu Container and Access Secrets Manager

sudo docker run -it ubuntu /bin/bash

Image description

Install Python3 and boto3 in the container

apt update && apt install python3 -y
Image description

apt install python3-pip -y
Image description

pip3 install boto3
Image description

We shall also install vim in the container using - apt install vim -y

Access Secrets Manager inside the container using a Python Script

We shall use the code snippet we got while creating the secret and add a command to print the secret, and subsequently a call statement to call the get_secret method.

https://raw.githubusercontent.com/RajitPaul11/AWS-Security/main/access-secrets-manager-using-boto3.py

Output

Image description

Image description

CleanUp

Terminate the EC2 Instance and schedule deletion for the secret, the minimum duration is 7 days.

💖 💪 🙅 🚩
rajitpaul
Rajit Paul

Posted on August 19, 2023

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related