
Package to create a SecretsManager's secret with auto rotation.

Project description

AWS Secret Cdk

A library to create and provision secrets in AWS SecretsManager. This library makes it easy to create secrets with automatic secret rotation.

Remarks

The project is written by Laimonas Sutkus and is owned by iDenfy. This is an open source library intended to be used by anyone. iDenfy aims to share its knowledge and educate the market for better and more secure IT infrastructure.

Related technology

This project utilizes the following technology:

  • AWS (Amazon Web Services).
  • AWS CDK (Amazon Web Services Cloud Development Kit).
  • AWS CloudFormation.
  • AWS SecretsManager.

Assumptions

This library project assumes the following:

  • You have knowledge of AWS (Amazon Web Services).
  • You have knowledge of AWS CloudFormation and AWS SecretsManager.
  • You are managing your infrastructure with AWS CDK.
  • You are writing AWS CDK templates in Python.

Install

The project is built and uploaded to PyPI. Install it using pip:

pip install aws-secret-cdk

Or install it directly from source:

./build.sh -ic

Description

SecretsManager is a great AWS service for managing your secrets, e.g. a database password. It is really easy to create and configure a secret through the AWS console (UI). However, it is notoriously difficult to create and manage secrets through CloudFormation: you need to create a Lambda function that executes the secret rotation, ensure the Lambda function has the correct permissions and security groups, correctly configure the secrets themselves with the correct templates, etc. This library tackles that problem. In a nutshell, you just provide the database for which the secret should be applied, plus a few other params. And that's it! You're good to go.

One big note: this library can also be used on existing databases.

Examples

Here are examples of how to use this library in various scenarios.

RDS (MySql and Aurora MySql compatible) Single user rotation

To create a SecretsManager Secret for an RDS database with 30-day rotation, create a Secret instance:

from aws_cdk.core import Stack
from aws_cdk.aws_ec2 import Vpc
from aws_cdk import aws_rds
from aws_secret_cdk.vpc_parameters import VPCParameters
from aws_secret_cdk.aurora_mysql_single_user.secret import Secret

class MyStack(Stack):
    def __init__(self, scope, id, **kwargs):
        super().__init__(scope, id, **kwargs)

        # Suppose you have defined a VPC.
        self.vpc = Vpc(self, 'MyVpc')

        # Suppose you have a database (or a cluster). Add your own
        # cluster properties here; only the engine is shown.
        self.database = aws_rds.CfnDBCluster(self, 'MyDatabase', engine='aurora-mysql')

        # Now simply create a secret with 30 day rotation.
        self.rds_secret = Secret(
            stack=self,
            prefix='MyResourcesPrefix',
            vpc_parameters=VPCParameters(
                rotation_lambda_vpc=self.vpc,
                rotation_lambda_security_groups=[
                    # Your SG's.
                ],
                # NOTE! Ensure that your private subnets have a NAT gateway
                # or have a VPC endpoint in order to reach the SecretsManager
                # API, which is outside your own VPC.
                rotation_lambda_subnets=self.vpc.private_subnets
            ),
            database=self.database
        )

And that's pretty much it. From now on your database password will be stored in SecretsManager and will be rotated every 30 days.

Using the new secret

In order to retrieve the secret, use the sample code below.

# Use this code snippet in your app.
# If you need more information about configurations or implementing the sample code, visit the AWS docs:
# https://aws.amazon.com/developers/getting-started/python/

import boto3
import base64
from botocore.exceptions import ClientError


def get_secret():
    """Fetch the current value of the secret named below from SecretsManager."""
    secret_name = "test"
    region_name = "eu-west-1"

    # Create a Secrets Manager client
    session = boto3.session.Session()
    client = session.client(
        service_name='secretsmanager',
        region_name=region_name
    )

    try:
        get_secret_value_response = client.get_secret_value(
            SecretId=secret_name
        )
    except ClientError:
        # Some error happened here. Log it / handle it / re-raise it
        # (a bare raise keeps the original traceback).
        raise
    else:
        # Secrets created through this library are stored as a string;
        # the binary branch covers secrets stored as SecretBinary.
        if 'SecretString' in get_secret_value_response:
            secret = get_secret_value_response['SecretString']
        else:
            secret = base64.b64decode(get_secret_value_response['SecretBinary'])

        return secret
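The sample above hands back the raw SecretString. The following is an added example (not part of this library or of the AWS sample) of what a consumer usually needs on top of it: parsing the string into validated credentials without leaking the payload into error messages, and re-reading the secret once when the database refuses the credentials, since a rotation may have replaced the password between the read and the connect. The field names follow the standard AWS RDS secret template and are an assumption; FakeSecretsClient is a constructed stand-in for the boto3 client so the code runs offline.

```python
import json

# Fields assumed in the secret JSON: the standard AWS RDS secret template uses
# these names; check them against the template your secret actually uses.
REQUIRED_FIELDS = ("engine", "host", "port", "username", "password")


class SecretFormatError(ValueError):
    """Malformed secret payload. The message never includes the payload."""


def parse_db_secret(response):
    """Validate a get_secret_value response and return the DB credentials."""
    raw = response.get("SecretString")
    if raw is None:
        raise SecretFormatError("response carries no SecretString")
    try:
        creds = json.loads(raw)
    except json.JSONDecodeError:
        raise SecretFormatError("secret payload is not valid JSON") from None
    missing = [f for f in REQUIRED_FIELDS if f not in creds]
    if missing:
        raise SecretFormatError(f"secret is missing fields: {missing}")
    creds["port"] = int(creds["port"])
    return creds


def connect_with_rotation_retry(client, secret_id, connect):
    """Read AWSCURRENT and connect. On an auth failure re-read once, because a
    rotation may have replaced the password between the read and the connect."""
    for attempt in range(2):
        response = client.get_secret_value(SecretId=secret_id, VersionStage="AWSCURRENT")
        creds = parse_db_secret(response)
        try:
            return connect(creds)
        except PermissionError:
            if attempt == 1:
                raise


class FakeSecretsClient:
    """Constructed stand-in for boto3's secretsmanager client: serves the given
    payloads in order, so a second read sees the freshly rotated password."""
    def __init__(self, payloads):
        self._payloads = list(payloads)
        self.calls = 0

    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT"):
        self.calls += 1
        payload = self._payloads[min(self.calls, len(self._payloads)) - 1]
        return {"Name": SecretId, "SecretString": json.dumps(payload)}
```

In production, `connect` is your database driver's connect call wrapped to raise PermissionError on an authentication failure, and `client` is the real boto3 secretsmanager client.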

Release history

5.1.0

Force update to CDK 1.44.0.

5.0.0

Restructure the project, bearing in mind that different types of rotation are possible, e.g. DynamoDB secret rotation or RDS multi-user secret rotation. Narrowed down the permissions required for rotation. With this version the aws-secret-cdk package is fully functional and available to be used.

4.0.0

Do not enforce KMS CMKs. Use assets to deploy Lambda function source code instead of S3 buckets. Use better prefixes. Refactor Lambda function source code to support initial passwords on existing databases. Warning: loosened permissions. The next commit should fix them.

3.0.1

Update README.

3.0.0

Shorten Lambda bucket name.

2.0.3

Consistent naming.

2.0.2

Add docstrings.

2.0.1

Fix target types and target arns.

2.0.0

General bug fixes. Add permission for KMS key resource. Add secret template.

1.0.9

Add SecretsManager as a valid principal to invoke the rotation Lambda.

1.0.8

Add S3 removal policy.

1.0.7

Don't use managed policies.

1.0.6

AWS Lambda dependency update.

1.0.5

AWS Lambda dependency update.

1.0.4

Don't create a Code class instance.

1.0.3

Move packages into main package.

1.0.2

Fix manifest file.

1.0.1

Ensure the bucket and the bucket deployment have different names.

1.0.0

Initial commit. Add ability to create RDS secret and rotate it every 30 days.


File details

Details for the file aws_secret_cdk-5.1.0.tar.gz.

File metadata

  • Download URL: aws_secret_cdk-5.1.0.tar.gz
  • Size: 65.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/1.15.0 pkginfo/1.5.0.1 requests/2.22.0 setuptools/41.6.0 requests-toolbelt/0.9.1 tqdm/4.37.0 CPython/2.7.17

File hashes

Hashes for aws_secret_cdk-5.1.0.tar.gz:

  • SHA256: babf9cd2def8991ff4f54185b44d26153b0854e69730354a7e8e4e0e6f3c5cc0
  • MD5: 352b038b7e948ce78ed8f1b8ca67ec0f
  • BLAKE2b-256: 59533c066474831e81758b1daa20eeb217d4658eff85f35cf2cf100181e6561a


File details

Details for the file aws_secret_cdk-5.1.0-py3-none-any.whl.

File metadata

  • Download URL: aws_secret_cdk-5.1.0-py3-none-any.whl
  • Size: 73.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/1.15.0 pkginfo/1.5.0.1 requests/2.22.0 setuptools/41.6.0 requests-toolbelt/0.9.1 tqdm/4.37.0 CPython/2.7.17

File hashes

Hashes for aws_secret_cdk-5.1.0-py3-none-any.whl:

  • SHA256: 9d93b431345e134522ff30e9f75f4743fd4634fa7b41bb19357b20e828cb1244
  • MD5: f34e1e862feda1ddd2e5df4a5db083f6
  • BLAKE2b-256: ff6cf62796513bec9dac08157f6583ad87ee0872754ca3445b004abeff5a7a44
