AWS CDK Secrets Manager tutorial & best practices
Secrets management is a vital part of building robust cloud applications as it helps improve your applications' security by keeping sensitive information safe. AWS Secrets Manager is a popular tool for securing sensitive data such as API keys, tokens, database credentials, and passwords. With secret rotation, access control, and optional auditing capabilities, AWS Secrets Manager can help manage secrets throughout their lifecycle.
This article demonstrates how to use Secrets Manager with the AWS Cloud Development Kit (CDK), an open-source software development framework for modeling and provisioning AWS infrastructure as code. We will detail how to provision and reference Secrets Manager secrets from CDK, look at the main alternative, Parameter Store, and see how integrating a third-party tool can improve secrets workflows in CDK projects.
The table below summarizes the key concepts that will be covered in this article.
AWS CDK provides construct libraries for handling secrets and parameters using Secrets Manager and Parameter Store. Let’s take a quick look at the common use cases for secrets and parameters in a CDK project.
Some of the commonly used secrets in CDK projects are:
Some of the common parameters used along with CDK are:
Now that we’ve gone through the common secrets and parameters used in CDK, let’s learn how we can use CDK to provision and retrieve these secrets in your project.
We will use the TypeScript CDK construct libraries to provision Secrets Manager and SSM Parameter Store resources.
To provision Secrets Manager secrets using AWS CDK, you must include the aws-cdk-lib/aws-secretsmanager module in your CDK project.
The following example demonstrates how to create a Secrets Manager secret for database credentials.
To create a secret encrypted with a custom KMS key instead of the account's default aws/secretsmanager key, use the following code:
To create a secret for use cases such as API keys, use the following code:
For the purpose of this article, let's look at how we can make the new Secrets Manager secret available to a Lambda function:
Note that for security purposes, it is recommended to retrieve the secret in the Lambda function's runtime logic rather than resolving it into the function configuration. Unwrapping secretValue into an environment variable produces a CloudFormation dynamic reference, so the plaintext does not appear in the template body, but CloudFormation resolves it at deploy time into the function's environment variables, where anyone allowed to call lambda:GetFunctionConfiguration can read it, and it stays stale after the secret rotates until the next deploy. Instead, pass the secret ARN as an environment variable, grant the function read access with grantRead, and call GetSecretValue from the handler.
To reference an existing Secrets Manager secret in your CDK project using its ARN, use the following code:
To provision Parameter Store parameters with the AWS CDK, include the aws-cdk-lib/aws-ssm module in your CDK project. Note that CloudFormation, and therefore CDK, can only create String and StringList parameters; SecureString parameters must be created outside CDK (for example with aws ssm put-parameter --type SecureString) and then referenced from the stack.
The following example demonstrates how you can create an SSM Parameter Store parameter:
To inject a Parameter Store value into a Lambda function, use the following code:
As with the Secrets Manager example above, resolving the parameter value into the function configuration is not recommended for anything sensitive: valueFromLookup reads the value at synth time and writes it into cdk.context.json and the template, while valueForStringParameter defers resolution to deploy time but still leaves the plaintext in the function's environment variables, readable with lambda:GetFunctionConfiguration and stale after the parameter changes. Instead, pass the parameter name as an environment variable, call grantRead on the parameter for the function, and fetch the value with ssm:GetParameter (with decryption enabled for a SecureString) at runtime.
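The handler side of the runtime-retrieval pattern recommended in both notes above, as an added example that is not from the article: the function receives only the secret ARN in `DB_SECRET_ARN`, fetches and validates the JSON credential at run time, and caches it per ARN with a bounded TTL so a rotated password is picked up without a redeploy. The AWS SDK is abstracted behind a one-method `SecretsClient` interface so the module runs offline; in the deployed function you would implement it with `SecretsManagerClient` and `GetSecretValueCommand` from `@aws-sdk/client-secrets-manager` and register it with `useClient`. The `FakeSecretsClient`, the ARN and the credential values are constructed for illustration.

```typescript
// Minimal interface over the one SDK call the handler needs. Production code
// implements it with SecretsManagerClient + GetSecretValueCommand from
// @aws-sdk/client-secrets-manager (returning response.SecretString).
export interface SecretsClient {
  getSecretString(secretId: string): Promise<string | undefined>;
}

export interface DbCredentials {
  username: string;
  password: string;
}

// Cache per secret ARN across warm invocations, with a bounded TTL so a
// rotated secret is picked up without a redeploy and without one API call
// per request.
const TTL_MS = 5 * 60 * 1000;
const cache = new Map<string, { value: DbCredentials; expiresAt: number }>();

export function clearCache(): void {
  cache.clear();
}

export async function loadDbCredentials(
  client: SecretsClient,
  secretArn: string | undefined = process.env.DB_SECRET_ARN,
  now: () => number = Date.now,
): Promise<DbCredentials> {
  if (!secretArn) {
    throw new Error('DB_SECRET_ARN is not set; the CDK stack must pass the secret ARN');
  }
  const hit = cache.get(secretArn);
  if (hit && hit.expiresAt > now()) {
    return hit.value;
  }

  const raw = await client.getSecretString(secretArn);
  if (raw === undefined) {
    throw new Error(`secret ${secretArn} has no SecretString`);
  }
  let parsed: any;
  try {
    parsed = JSON.parse(raw);
  } catch {
    // Deliberately do not include the raw payload in the error or in logs.
    throw new Error(`secret ${secretArn} is not valid JSON`);
  }
  if (!parsed || typeof parsed.username !== 'string' || typeof parsed.password !== 'string') {
    throw new Error(`secret ${secretArn} is missing username/password`);
  }
  const value: DbCredentials = { username: parsed.username, password: parsed.password };
  cache.set(secretArn, { value, expiresAt: now() + TTL_MS });
  return value;
}

// The client is registered once at module initialisation (cold start), so the
// Lambda handler keeps its normal (event, context) signature.
let defaultClient: SecretsClient | undefined;
export function useClient(client: SecretsClient): void {
  defaultClient = client;
}

// Handler: the ARN was injected by CDK as an environment variable; the value is
// fetched here, at run time, and never written back into the environment.
export async function handler(event: { orderId: string }): Promise<{ orderId: string; dbUser: string }> {
  if (!defaultClient) {
    throw new Error('no SecretsClient configured; call useClient() at module init');
  }
  const creds = await loadDbCredentials(defaultClient);
  // ... open the database connection with creds here; never log creds.password
  return { orderId: event.orderId, dbUser: creds.username };
}

// Constructed stand-in for the SDK client: serves canned values and counts
// calls so the caching behaviour can be verified offline.
export class FakeSecretsClient implements SecretsClient {
  calls = 0;
  private readonly store: Record<string, string>;
  constructor(store: Record<string, string>) {
    this.store = store;
  }
  async getSecretString(secretId: string): Promise<string | undefined> {
    this.calls += 1;
    return this.store[secretId];
  }
}
```

The TTL is a trade-off: a short window keeps a rotated secret usable with minimal lag but costs more GetSecretValue calls, and the handler should also treat an authentication failure as a signal to clear the cache and refetch rather than assuming the cached value is still valid.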
To learn more about which secret management solution suits your use case and to understand the difference between them, follow this detailed AWS guide by Doppler.
AWS CDK faces the following limitations when it comes to secret management using Secrets Manager and Parameter Store in CDK projects:
Doppler is a third-party secrets management tool that can integrate with AWS CDK and address the limitations mentioned above. Doppler provides a user-friendly platform for managing secrets, configurations, and credentials. It can enhance the CDK development experience in the following ways:
While AWS CDK can lay the foundation for infrastructure as code in your projects, it’s essential to acknowledge the limitations within CDK when it comes to handling secrets effectively. Challenges such as dependency management between CDK projects, external secret rotation, limited support for secret types, and the absence of built-in auditing and logging capabilities can introduce complexities and hinder a productive development experience. Integrating Doppler with AWS CDK can significantly enhance the secrets management experience in your projects. Developers can mitigate these limitations by leveraging Doppler’s more efficient, secure, and agile solution for managing secrets and configurations in their AWS environments.