How to connect to AWS Secrets Manager service within a Virtual Private Cloud via VPC Endpoint

awsmine

Revathi Joshi

Posted on August 11, 2023

How to connect to AWS Secrets Manager service within a Virtual Private Cloud via VPC Endpoint

When your application running on an EC2 instance within an Amazon VPC communicates with Secrets Manager, this communication traverses the public internet.

In this post, I am going to show you how to use Secrets Manager with an Amazon VPC endpoint so as to keep traffic between your VPC and Secrets Manager within the AWS network and meet your compliance and regulatory requirements to limit public internet connectivity.

This application requires a database password to an RDS instance running in the same VPC. I have stored the database password in Secrets Manager.

First, retrieve a secret stored in Secrets Manager from an Amazon EC2 instance and then when the request is sent to Secrets Manager, the entire data flow is contained within the VPC and the AWS network.

you can visit my other blog on Secretsmanager
Manage the RDS Database credentials using AWS Secret Manager and Monitor it thru CloudTrail

Please visit my GitHub Repository for RDS articles on various topics being updated on constant basis.

Let’s get started!

Objectives:

1. Create RDS Security Group - RDS-SG

2. Create RDS MySQL instance

3. Store a new secret in Secretsmanager for the RDS database

4. Create an EC2 webserver

5. Create an Amazon VPC endpoint Security Group

6. Create an Amazon VPC endpoint for Secrets Manager

7. Access Secrets Manager through the VPC endpoint

Pre-requisites:

  • AWS user account with admin access, not a root account.

Resources Used:

What is AWS Secrets Manager?

Access an AWS service using an interface VPC endpoint

Steps for implementation to this project:

1. Create RDS Security Group - RDS-SG

On the EC2 Dashboard, In the left-hand navigation menu, under Networks & Security, click Security Groups - Create Security Group. Security group name - RDS-SG, default VPC, Click the Inbound rules tab, Click the Edit inbound rules button, Click the Add rule button, For the new rule, from the Type dropdown menu, select MYSQL/Aurora, In the dropdown menu to the right of the Source column for the new rule, find and select the launch-wizard-1 for the VPC security group, Click Save rules.

  • details Security group name - RDS-SG
  • details Security group ID - sg-0476abd45c05c6708

Image description

  • inbound rule
  • attach MSSQL/Aurora TCP 3306 sg-0b0ae898157dd45f6 - launch-wizard-1

Image description

  • outbound rule

Image description

2. Create RDS MySQL instance

On the Amazon RDS Console, Create database, Standard create, Engine type - MySQL, Templates - Free tier, Under Settings, DB instance identifier - database-1, Master username - admin, Check Manage master credentials in AWS Secrets Manager, Select the encryption key - aws/secretsmanager (default), DB instance class - db.t3.micro, Allocated storage - 20 GB, Storage autoscaling - uncheck Enable storage autoscaling, Under Connectivity, uncheck leave the Don't connect to an EC2 compute resource, select the existing default VPC, Under VPC security group, select RDS-SG and remove the default security group, Under Availability zone us-east-1a, Expand Additional configuration and, Monitoring - Uncheck Enable Enhanced monitoring, under Initial database name, enter rds, Under Additional Configuration, Backup - Uncheck Enable automated backups, Maintenance - Uncheck Enable auto minor version upgrade, Deletion protection - Uncheck Enable deletion protection, Take all defaults

  • Create database

1.

Image description

2.

Image description

3.

Image description

4.

Image description

5.

Image description

6.

Image description

7.

Image description

8.

Image description

9.

Image description

  • Wait for 5-6 minutes to see the database created.

  • summary RDS database

Image description

3. Store a new secret in Secretsmanager for the RDS database

1.

Image description

2.

Image description

3.

Image description

4. Create an EC2 webserver

From the EC2 Dashboard, create an EC2 instance with the following parameters.

1.

Image description

2.

Image description

  • details Security group name - launch-wizard-1
  • details Security group ID - sg-0b0ae898157dd45f6

Image description

  • inbound rule

Image description

  • outbound rule
  • attach MSSQL/Aurora TCP 3306 sg-0476abd45c05c6708 - RDS-SG

Image description

3. summary details of EC2instance

Image description

5. Create an Amazon VPC endpoint Security Group

  • details - VPCEndpoint Security Group Name - VPCEndpoint-SG
  • details - Security group ID sg-0480ba360a98eb8ca

Image description

  • inbound rule
  • attach SSH 22 Custom 0.0.0.0/0
  • attach HTTPS 443 Custom 0.0.0.0/0

Image description

  • outbound rule

Image description

6. Create an Amazon VPC endpoint for Secrets Manager

1.

Image description

2.

Select the Enable DNS Name checkbox for the VPC endpoint. Private DNS resolves the standard Secrets Manager DNS hostname https://secretsmanager.region.amazonaws.com. to the private IP addresses associated with the VPC endpoint specific DNS hostname. As a result, you can access the Secrets Manager VPC Endpoint via the AWS Command Line Interface (AWS CLI) or AWS SDKs without making any code or configuration changes to update the Secrets Manager endpoint URL.

Image description

3.

Image description

4.

Image description

5.

Image description

  • Create endpoint

6.

Details tab shows all the DNS hostnames generated while creating the Amazon VPC endpoint that can be used to connect to Secrets Manager.

  • I am going to use the standard endpoint secretsmanager.us-east-1.amazonaws.com or one of the VPC-specific endpoints to connect to Secrets Manager within the default VPC vpc-0da931f5deb73c9e2 where my RDS instance and application also resides.

Image description

6. Access Secrets Manager through the VPC endpoint

  • login to EC2 - EC2 Connect


aws secretsmanager get-secret-value \
   --secret-id rdssecret \
   --query SecretString \
   --output text


Enter fullscreen mode Exit fullscreen mode
  • output text

Image description



[ec2-user@ip-172-31-35-198 ~]$ aws secretsmanager get-secret-value \
--secret-id rdssecret1 \
--query SecretString \
--output text
{"username":"admin","password":"admin1234","engine":"mysql","host":"database-1.cgizjtuyxkda.us-east-1.rds.amazonaws.com","port":3306,"dbname":"rds","dbInstanceIdentifier":"database-1"}
[ec2-user@ip-172-31-35-198 ~]$

Enter fullscreen mode Exit fullscreen mode




Cleanup

  • delete RDS Database
  • delete EC2 Instance
  • delete VPC Endpoint
  • delete Secret

What we have done so far

  • I have shown you how to create a VPC endpoint for AWS Secrets Manager and retrieve an RDS database secret using the VPC endpoint.
  • It enables your applications running within a VPC to use Secrets Manager while keeping traffic to Secrets Manager within your VPC.
  • your applications that interact with Secrets Manager do not require any code or configuration changes.
💖 💪 🙅 🚩
awsmine
Revathi Joshi

Posted on August 11, 2023

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related