How to Access API Keys, DB Credentials, etc. from AWS Secrets Manager in AWS Lambda | Step by Step

Captions
What's up everyone, and welcome back to another episode of AWS tutorial. Today I'm going to show you how to use AWS Secrets Manager to safely store and retrieve your sensitive information, such as passwords, API keys, or any other information that you may not be comfortable storing in your application code. I found that Secrets Manager is very helpful in the real world, because for every application you have to access a database, and you need to use your username and password for that, and obviously it's not safe to expose that information in your application code. So this is when Secrets Manager comes in handy, because it allows you to store that sensitive information in the vault, and you can configure it to only allow selected applications to access that information. That way you can ensure that no one can access your secrets from your application code. In this tutorial I'm going to use AWS Lambda written in Python to access the secret, but the idea is the same for all other applications. So without further ado, let's get to it.

OK, so right now I'm on the homepage of the AWS console. What we're going to do in this tutorial is store two API keys in our Secrets Manager, one for dev and the other one for prod, and then we're going to use AWS Lambda to access both of the API keys. Step one is to store those secrets into our Secrets Manager, so I'm going to type in "Secrets Manager" and then create a new secret. In here you have the option to choose what type of secret it is. You can use it for a database, obviously, for usernames and passwords and stuff; for this tutorial we're just going to use it for plain text like API keys, so I'm going to select this one. For the key/value, the key is going to be "api key", and for the value, let me do the dev one first, so let's just do that. Obviously you can use it to store more than just one row or one key/value pair; up here you can add more key/value pairs, but for this tutorial we're just going to have an API key. Then Next. In here we're going to specify the path or secret name, like how we're going to access this secret. Give it a name; I'm just going to call it gym meister slash dev key, something like that. Description: this is for dev. Hit Next. You can enable the auto rotation, but for simplicity I'm just going to skip that. Hit Next, Store. It's done, and now you should be able to see the one secret we have here for dev.

Right now we're going to create another one for prod, so we're going to repeat the same process: api key, "my test prod api key 456", because we had 123 before. Hit Next. We're going to follow the same structure, gym meister slash prod key, for prod. Hit Next, hit Next, hit Store. OK, so now we have two keys, one for dev and the other one for prod.

Now the next step is to create a Lambda function and access these keys, but before we can do that we need to create an IAM role for our Lambda function to use; otherwise it's not going to be able to access those keys. Remember, we have to explicitly allow them to access our keys, and that's what makes it safe. So I'm going to go to IAM. Before we can create a role, we're going to create a policy first. Create policy; for the service we're going to select Secrets Manager, and then we only allow the Lambda function to read from it, because we only allow them to do the things that they need to do. Then we're going to specify resources; we're going to add the two ARNs. So let's go back here. The first one we're going to add is the dev secret ARN, hit Add, and then we're going to add the second one as well, the prod one. OK, so this way, in this policy we say that we only allow read access to these two secrets only. It's not going to be able to write anything to them, and it's not able to read anything other than these two secrets. So if I add a third one to my Secrets Manager, the Lambda function is not going to be able to read it, because they don't have a reason to read it, and that's what we want to restrict access to. OK, so hit Next, Review, and then give it a name; I'll just call it "secret manager demo policy". Hit Create.

OK, and now we are ready to create a role and then attach the policy. So hit Roles, Create role, AWS service; we're going to choose Lambda, because the Lambda function is going to use it, and then we're going to search for that secret manager demo policy. I think that's what we called it. Secrets manager, maybe? Yes, secrets manager. So that's the one that we just created earlier; I had a typo before. So now select it, hit Next, give it the role name, "secrets manager demo role", hit Create. OK, so that is done. Let me search it to make sure that it's there. Yep, it's there.

Now we're ready to move on to the next step, which is to create a Lambda function and access it. So I'm going to type in "Lambda" and then hit Create function, from scratch. For the name I'm just going to call it something like that, and then we're going to use Python 3.9, and for the permission we're going to use the IAM role that we just created, which is that, and then Create function. OK, so that is done right now, and let's write down the code to access our API keys from the Secrets Manager.

First things first, we're going to do some imports. The first one is boto3, the second one is base64, and then the third one we're going to do is ClientError, and we're going to import that from botocore. Now we are going to remove everything. The first thing we're going to do is define an environment variable, and we're taking that from our event object, so that's going to be passed in by us, and for the attribute let's just call it "env". Depending on what the environment is, we are going to define our secret name, and let me see, that should be something like this secret name, except this one is going to be flexible or parameterized. So basically what it does is replace that with whatever the environment is: if it's dev, it's going to set it to dev; if prod, it's going to set it to prod. Then the region, the region where we store our secrets, and I believe it is US East, so we're going to do us-east-1. Then we're going to create a new session, so we're going to do session = boto3 session, and next we're going to define a client that we can use to get the secrets from the Secrets Manager. The service name is "secretsmanager", all lower case, and the region name is just the region name that we defined here. Next we can use the client to retrieve the secrets from the Secrets Manager, and we're going to do that in a try/catch block, just in case we have errors or issues in the execution: get secret value response, with SecretId equal to the secret name that we defined. Then if there is a client exception, for me I'm just going to print it out, but you should handle that according to your application. Otherwise, if there's no exception, we're going to deal with the response. There can be two types of response from the Secrets Manager: one is just a string, straightforward, but it can also be binary that we need to decode. So let's handle the string version of it first. If SecretString is in the secret value response, we're just going to do a json load on the secret response, so our secret is json.loads of SecretString, because it comes in as a string and we want it to be in a JSON format, and then let's just simply return that to the client, whoever is calling it. Otherwise it's binary data, and in that case we need to decode that using the base64 library, so we're going to do decoded binary secret, and now you can do whatever you want to do with the decoded secret. For me I'm just going to return it to the client, but you can do whatever you want depending on your application.

OK, so that is done. So now let's test it out. Let's save it first, Deploy, and then hit Test, create a test event, and in here we have to define our env variable. Let's do that first, because remember it takes in the env parameter from the event object. So hit Test. OK, so that seems to be working, so it's getting our API key, that is "my test dev api key 123". Now let's test out the functionality to get the production API key, so change that to prod, hit Save, hit Test again. That should become "my test prod api key 456" or something like that, and yep, there you go, we're getting the prod API key from here. This is it everyone, this is a pretty short tutorial. I hope you have learned something, and if you like this video I hope you can give it a thumbs up, and I'll see you in the next video.
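The Lambda handler the video walks through, reconstructed here as an added example (not the video's own code): the secret names, the region and the "env" event attribute are assumed placeholders, the env-to-secret map doubles as an allow-list so a caller cannot name an arbitrary secret, and the client is injectable so the logic can be exercised without AWS.

```python
import base64
import json

try:
    from botocore.exceptions import ClientError
except ImportError:  # assumption: botocore absent when run outside Lambda
    class ClientError(Exception):
        pass

# Hypothetical secret names; the video uses its own prefix. Only these two
# are reachable from the handler, matching the read-only policy on two ARNs.
SECRET_NAMES = {"dev": "demo/dev-key", "prod": "demo/prod-key"}
REGION_NAME = "us-east-1"  # assumed region, as in the video


def secret_name_for(env):
    """Map the event's env attribute to a secret name; reject anything else."""
    if env not in SECRET_NAMES:
        raise ValueError(f"unknown env {env!r}")
    return SECRET_NAMES[env]


def make_client(region_name=REGION_NAME):
    import boto3  # imported lazily so the module loads without boto3 installed
    session = boto3.session.Session()
    return session.client(service_name="secretsmanager", region_name=region_name)


def get_secret(client, secret_name):
    """Return a dict for a SecretString (JSON) or bytes for a SecretBinary."""
    try:
        resp = client.get_secret_value(SecretId=secret_name)
    except ClientError as err:
        print(f"could not read {secret_name}: {err}")  # handle per application
        raise
    if "SecretString" in resp:
        return json.loads(resp["SecretString"])
    # boto3 already returns SecretBinary as bytes; the extra base64 decode
    # follows the video and assumes the stored blob was itself base64 text.
    return base64.b64decode(resp["SecretBinary"])


def lambda_handler(event, context, client=None):
    client = client or make_client()
    secret = get_secret(client, secret_name_for(event["env"]))
    return secret if isinstance(secret, dict) else secret.decode()
```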
Info
Channel: Felix Yu
Views: 18,820
Keywords: aws, secrets manager, lambda, python, api key, db credentials, password
Id: bZCFxueebVQ
Length: 12min 56sec (776 seconds)
Published: Tue Aug 30 2022