Any suggestions on how to retrieve multiple secret...
# help
a
Any suggestions on how to retrieve multiple secrets from secrets manager within the API stack? Seems that singular secret retrieval is the only possible option (I definitely think I'm missing something)
Error: There is already a Construct with name 'SecretFromCompleteArn' in ApiStack
// Imports assumed for this snippet (CDK v2 module paths; adjust to the CDK version in use)
import { StringParameter } from "aws-cdk-lib/aws-ssm";
import { Secret } from "aws-cdk-lib/aws-secretsmanager";

// Method on the ApiStack class: resolves an SSM parameter holding a Secrets Manager ARN,
// then references that secret. Note the construct id is the same fixed string on every call.
private getSecrets(ssmString: string): string {
  const secretsManagerArn = StringParameter.valueForStringParameter(this, ssmString);

  const { secretValue } = Secret.fromSecretCompleteArn(
    this,
    "SecretFromCompleteArn",
    secretsManagerArn
  );

  return secretValue.toString();
}
// Import assumed for this snippet
import * as sst from "@serverless-stack/resources";

// Inside the ApiStack constructor; getSecrets() is called once per secret
const api = new sst.ApiGatewayV1Api(this, "api", {
  defaultFunctionProps: {
    environment: {
      ...database.environments(),
      CREDENTIALS_ONE: this.getSecrets(ssmString1),
      CREDENTIALS_TWO: this.getSecrets(ssmString2),
      NODE_ENV: stage,
    },
  },
});
b
It's because you use a static name:
"SecretFromCompleteArn",
Make that value dynamic based on the function param and you should be good.
The reason this happens is that you're creating a new resource every time you call that function, but they all use the same id; resources need to have unique ids in the stack.
t
this is one of the reasons I use SSM instead of secrets manager, it has both batch get + prefix scanning
also are you looking to pass the ssm arn in the env var? or the actual value
a
Makes sense @Brinsley, was an easy fix. @thdxr In this case, since we're storing API credentials, secrets manager made greater sense especially if we're going for PCI compliance
t
SSM provides SecureString which is encrypted in a similar way to SecretsManager (I've passed PCI compliance before with everything stored in there)
just want to verify you're not passing the secrets value through in the environment though
e.g. if you go to the AWS console, go to the lambda, go to the environment variables section, can you see the secret value in plaintext?
b
Looking at that second code block the secret value is being passed to the env.
It'll be safer to instead offload the SecretsManager call into the lambdas themselves, setting the env. vars to be the values you're reading from SSM. I imagine that's what @thdxr was going to say, but with a lot more confidence and all-round knowledge.
a
Ah I see the flaw! Thanks for pointing this out 🙏
@thdxr, curious how did you manage to pass PCI compliance with SSM? My understanding is that there's a necessity to rotate the encryption keys every 90 days and Secrets Manager does this automatically
t
I believe both ssm and secrets manager use KMS for encryption keys
Ah KMS only supports yearly rotation. I'm not sure how we got away with that then