Day 63 of 100 Days : Secret Management on AWS – Simplified and Secure!

Hello, awesome learners! 🎉 Welcome to Day 63 of my 100 Days of DevOps journey. Today, let’s unravel one of the most intriguing and most-asked topics in interviews: Secret Management on AWS. Don’t worry, I’ll keep it simple, fun, and insightful with examples to make this knowledge stick!


Why Is Secret Management Important?

Imagine building a secure CI/CD pipeline. Your Docker registry credentials, database usernames, passwords, or API keys are the heart of your infrastructure. If these secrets are compromised, your system’s security is at stake.

AWS provides excellent tools for securely managing secrets across services like Terraform, Ansible, Docker, and more. Let’s explore how to leverage them effectively!


Secret Management Services in AWS

1. AWS Systems Manager (Parameter Store)

Best for: Storing non-critical credentials or string-based parameters.
AWS Systems Manager's Parameter Store is a great starting point. It's super simple to use, but keep in mind that it offers fewer safeguards than Secrets Manager (there is no built-in secret rotation, for example), so it's best suited to non-sensitive data.

How It Works:

  • Storage: Stores parameters as String, StringList, or SecureString (SecureString values are encrypted with AWS KMS).

  • IAM Integration: Use IAM roles to control access to these parameters.

Example: Storing a Docker Registry Username

  1. Navigate to the Parameter Store in AWS Systems Manager.

  2. Create a new parameter, name it docker-username, and set its type to SecureString.

  3. Retrieve the value in your code:

     aws ssm get-parameter --name "docker-username" --with-decryption --region us-east-1
    
  4. Grant appropriate IAM permissions to the service accessing this parameter.


2. AWS Secrets Manager

Best for: Storing highly sensitive data like passwords, API keys, and certificates.

AWS Secrets Manager takes security up a notch! It can automatically rotate secrets like passwords on a schedule you set, for example every 90 days, ensuring your credentials stay fresh and safe.

Key Features:

  • Automated secret rotation (e.g., passwords).

  • Track validity dates for certificates.

  • Easily integrate with other AWS services like RDS or Lambda.

Example: Rotating a Database Password Automatically

Let’s say your app connects to an RDS database. Here’s how you can automate secret rotation:

  1. Store the database password in Secrets Manager.

  2. Enable automatic rotation and specify the Lambda function to update the database password.

  3. Retrieve the secret securely in your app:

     aws secretsmanager get-secret-value --secret-id MyDatabaseSecret --region us-east-1
    

3. HashiCorp Vault

Best for: Multi-cloud environments or hybrid architectures.

If your company uses AWS, Azure, or other cloud providers, managing secrets across platforms can be daunting. Enter HashiCorp Vault—a centralized, open-source solution for secure secret management.

  • Encrypts secrets at rest and in transit for added security.

  • Seamlessly transitions credentials between platforms during migrations.

Example: Storing an API Key

  1. Install HashiCorp Vault.

  2. Store an API key:

     vault kv put secret/api-key key=1234abcd
    
  3. Retrieve the API key:

     vault kv get secret/api-key
    

When to Use Each Service?

  Use Case                    | Service             | Reason
  Store non-sensitive data    | AWS Systems Manager | Easy to use, integrates well with AWS
  Store sensitive credentials | AWS Secrets Manager | Automated rotation and high security
  Multi-cloud or hybrid setup | HashiCorp Vault     | Centralized, works across different clouds

Real-Life Scenario

Imagine a CI/CD pipeline where:

  1. The username for a Docker registry is stored in Parameter Store.

  2. The password is stored in Secrets Manager.

  3. Your organization uses both AWS and Azure, so HashiCorp Vault is used for API keys to ensure portability.

This approach balances simplicity and security, leveraging the best features of each service.


Practical Exercise: Secure Your Pipeline

Goal: Securely manage Docker credentials

  1. Store the username in Parameter Store.

  2. Store the password in Secrets Manager.

  3. Use HashiCorp Vault for storing API keys if transitioning across clouds.

Test your setup by granting limited IAM permissions and verifying access through your CI/CD pipeline.
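Here is an added example (my own code, not part of the original post) of the pipeline step described in the Real-Life Scenario and the Practical Exercise: it reads the Docker username from Parameter Store, the password from Secrets Manager, and hands the password to docker login on stdin so it never appears in process listings or shell history. It assumes boto3 is installed for real runs; the parameter name docker-username, the secret id MyDockerSecret and the registry hostname are placeholders, and the AWS clients are passed in so the logic can be exercised offline with stubs.

```python
"""Resolve Docker registry credentials: username from SSM Parameter Store,
password from Secrets Manager, then log in without exposing the password."""
import json
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class RegistryCreds:
    username: str
    password: str


def password_from_secret_string(secret_string: str, key: str = "password") -> str:
    """Secrets Manager returns SecretString either as a bare value or, for
    secrets created by the RDS rotation templates, as a JSON object with
    fields such as username/password/host. Handle both shapes."""
    try:
        parsed = json.loads(secret_string)
    except json.JSONDecodeError:
        return secret_string
    if isinstance(parsed, dict):
        if key not in parsed:
            raise KeyError(f"secret JSON has no '{key}' field")
        return str(parsed[key])
    return secret_string  # e.g. a purely numeric password parsed as an int


def fetch_registry_creds(ssm_client, sm_client, username_param: str,
                         secret_id: str) -> RegistryCreds:
    """ssm_client and sm_client are boto3 clients created by the caller."""
    param = ssm_client.get_parameter(Name=username_param, WithDecryption=True)
    secret = sm_client.get_secret_value(SecretId=secret_id)
    return RegistryCreds(param["Parameter"]["Value"],
                         password_from_secret_string(secret["SecretString"]))


def docker_login(creds: RegistryCreds, registry: str, run=subprocess.run) -> int:
    """Pass the password via --password-stdin; never put it in argv."""
    result = run(["docker", "login", registry, "--username", creds.username,
                  "--password-stdin"], input=creds.password.encode(), check=False)
    return result.returncode


if __name__ == "__main__":
    import boto3  # assumed available when run against a real AWS account
    region = "us-east-1"
    creds = fetch_registry_creds(boto3.client("ssm", region_name=region),
                                 boto3.client("secretsmanager", region_name=region),
                                 "docker-username", "MyDockerSecret")
    raise SystemExit(docker_login(creds, "registry.example.com"))
```

The IAM role running this needs only ssm:GetParameter on the one parameter, secretsmanager:GetSecretValue on the one secret, and kms:Decrypt on the keys they use.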


Wrapping Up

Secret management is the backbone of a secure infrastructure. By choosing the right tool for the right task, you not only enhance security but also streamline your workflows. 🚀

Keep rocking your DevOps journey! 💻✨

Got questions? Let’s discuss in the comments below. See you on Day 64 with more exciting insights! 😊