How to create and store secrets using Secrets Manager in AWS

Application secrets and credentials can be stored securely in AWS Secrets Manager. Secrets Manager lets you create, manage, rotate and retrieve secrets throughout their lifecycle, and access to a secret can be restricted with AWS Identity and Access Management (IAM) policies and resource-based policies. You pay only for the number of secrets stored in Secrets Manager and the number of Secrets Manager API calls made.

To learn more about AWS Secrets Manager, visit the official documentation here.

In this article, we will go through the steps to create a secret and to delete it. We will also see how to cancel a scheduled deletion and undo the delete operation.

Prerequisites

  1. AWS Account (Create if you don’t have one).

What will we do?

  1. Login to AWS.
  2. Create a secret.
  3. Delete the secret.
  4. Cancel deletion of the secret.

Login to AWS

Click here to go to AWS Login Page.

When you open the above link, you will see a page like the one below, where you need to log in with your account details.

Login page

When you have logged in to your AWS account successfully, you will see the main AWS Management Console as follows.

Main Dashboard

Create a secret

To create a secret and store credentials, click on Services at the top left of the screen and search for "Secrets Manager" in the search box.

Click on "Secrets Manager" to go to the console and create your first secret.

Search for Secrets Manager

This is the AWS Secrets Manager console. Click on "Store a new secret".

Secrets Manager Dashboard

Here you will see the different secret types that can be stored. If you have one of the databases listed, you can select that database instance and store its credentials.

We will see how to store secrets as key:value pairs.

Click on the "Other type of secrets" radio button. You will get text boxes to enter credentials as key:value pairs.

You can add multiple key:value pairs and store them under a single secret.

You can choose the encryption key (an AWS KMS key) that is used to store the secret in encrypted form.

Click on the "Next" button.

Create a secret

Give the secret a name and a description. You can also add tags to the secret and resource permissions (a resource-based policy) to restrict access to it. Click on the "Next" button to proceed.

Add details to the secret

You can enable or disable automatic rotation for the secret. Here we proceed with the "Disable automatic rotation" option and click on the "Next" button.

Configure automatic rotation

You will be shown sample code for retrieving the secret from your application. Finally, click on the "Store" button to create the secret containing your credentials.

Save the secret

Now that you have successfully created your secret, you can retrieve your credentials from it.

Click on the secret name.

Secret Dashboard

Here, if you click on "Retrieve secret value", you can read the credentials that you stored in the secret.

Retrieve credentials stored in the secret

This is how you can see your credentials when you retrieve them.

Check secret values

You can also see when the secret was last retrieved.

Last retrieved information of the secret

Delete the secret

When you no longer need a secret, delete it so that AWS stops billing you for it.

To delete the secret, click Actions -> Delete secret.

Delete the secret

A secret scheduled for deletion is retained by AWS for a recovery window of at least seven days and at most 30 days before it is permanently deleted. During that window you cannot retrieve the secret value, but you can still cancel the deletion.

Enter the waiting period in days and click on "Schedule deletion".

Schedule deletion

You will see the following screen after you have scheduled the secret for deletion.

Cancel deletion

Cancel deletion of the secret

If you scheduled a secret for deletion by mistake, you can undo the deletion. You can do this either right after scheduling it, on the screen shown above, or later by listing the secrets scheduled for deletion and cancelling the deletion there.

By default, secrets scheduled for deletion are not shown in the list. To see them, click on the gear (settings) icon.

Back to Secret Dashboard

After clicking the gear icon you will see the screen below. Tick the "Show secrets scheduled for deletion" check box and save the setting.

Show secrets scheduled for deletion

Now the secrets scheduled for deletion are listed. Click on the secret whose deletion you want to cancel.

Secret Dashboard showing the secret scheduled for deletion

Here you see the same screen that you saw right after scheduling the secret for deletion.

Click on the "Cancel deletion" button.

This will undo the deletion, and you will be able to retrieve your credentials from the secret again.

Cancel deletion

Click on "Cancel deletion" to confirm your operation.

Confirm cancel-deletion operation

You have successfully restored your secret and now you can retrieve your credentials at any time.

Secret is available again

Now, do not forget to schedule deletion of the secret once you are done with it; otherwise you will be billed for it.
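The same lifecycle the console walkthrough performs (store key:value pairs, retrieve them, schedule deletion with a recovery window, cancel the deletion) can be driven from code through the boto3 Secrets Manager client. This is an added example, not code from the original article or from AWS; the secret name "demo/app-credentials" and the credential values are constructed, the client is passed in as a parameter so the logic can be exercised without AWS access, and the `__main__` section assumes a configured AWS region and credentials.

```python
import json

# Bounds Secrets Manager enforces for RecoveryWindowInDays (7 to 30 days).
MIN_RECOVERY_DAYS, MAX_RECOVERY_DAYS = 7, 30


def store_secret(client, name, pairs, description="", kms_key_id=None):
    """'Other type of secrets': key:value pairs are stored as one JSON SecretString."""
    params = {"Name": name, "Description": description, "SecretString": json.dumps(pairs)}
    if kms_key_id:  # leave unset to use the account's default key, as the console does
        params["KmsKeyId"] = kms_key_id
    return client.create_secret(**params)["ARN"]


def read_secret(client, secret_id):
    """'Retrieve secret value': returns the stored key:value pairs as a dict."""
    return json.loads(client.get_secret_value(SecretId=secret_id)["SecretString"])


def schedule_deletion(client, secret_id, days):
    """Actions -> Delete secret: checks the recovery window locally before calling AWS."""
    if not MIN_RECOVERY_DAYS <= days <= MAX_RECOVERY_DAYS:
        raise ValueError(f"recovery window must be {MIN_RECOVERY_DAYS}-{MAX_RECOVERY_DAYS} days, got {days}")
    return client.delete_secret(SecretId=secret_id, RecoveryWindowInDays=days)["DeletionDate"]


def cancel_deletion(client, secret_id):
    """'Cancel deletion': RestoreSecret clears the deletion date so the value is readable again.
    While a secret is scheduled for deletion, GetSecretValue is rejected by the service."""
    client.restore_secret(SecretId=secret_id)


if __name__ == "__main__":
    import boto3  # real client; needs AWS credentials and Secrets Manager permissions

    sm = boto3.client("secretsmanager")
    # Constructed name and values for the walkthrough; use your own in practice.
    arn = store_secret(sm, "demo/app-credentials", {"username": "app", "password": "example-only"},
                       description="Created by the Secrets Manager walkthrough example")
    print("stored keys:", sorted(read_secret(sm, arn)))        # print key names only, never values
    print("deletion scheduled for", schedule_deletion(sm, arn, 7))
    cancel_deletion(sm, arn)                                    # undo, as in the console walkthrough
    print("restored; keys readable again:", sorted(read_secret(sm, arn)))
```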

Conclusion

In this article, we learned how to create a secret in AWS Secrets Manager and store credentials in it. We also saw how to delete the secret and how to cancel the deletion if we change our mind and want to undo it.
