# help
p
Hey everyone. I would like to know how you handle this kind of scenario: I have some external-provided sensitive data (e.g. Facebook client id and secret, or an API key for an external service) and wanna store it in secrets manager. The point is that I was unable to create a secret with a value by using CDK. For now, I created the secrets with the generated value and replaced the values manually after the creation, but didn't like that. So perhaps the way I'm trying to handle this case is wrong or doesn't make sense. Any ideas?
Can't you just encrypt the data "at rest" in dynamo or s3 with an encryption key stored in secrets manager?
@Stoyan Georgiev replying here to not pollute the main thread. I think I could, but it also doesn't sound like the best approach. I mean, Secrets Manager is supposed to be used for that, isn't it? Using S3 or DynamoDB to store the data seems hacky, but maybe it's the only way. I don't know.
p
I don't think I understand. What's not working? Reading the value from SSM or storing it in SSM using CDK? I use SSM, but I don't write to SSM using CDK, I do it separately, using a small script that basically is just a wrapper around the CLI:
```shell
aws ssm --region ${region} put-parameter --overwrite --cli-input-json '{"Name": "/myapp/${stage}${secret[0]}", "Value": "${secret[1]}", "Type": "String"}'
```
s
I do write to and read from SSM both with CDK and SDK. In CDK I use StringParameter construct.
p
Could you share a snippet @Stoyan Georgiev? Might be helpful for @Paulo
p
Hmm... so probably I should use SSM instead of SecretsManager for my use case. P.S. I found this issue, so apparently they removed support for `SecretString` from SecretsManager in CDK. Thanks!
s
@Paulo IMO it's best to create a key using AWS KMS and use it to encrypt your data. Look for some articles/blog posts.
p
Will do. Thanks, @Stoyan Georgiev!
r
If you create a KMS key, you can select it to encrypt the parameter in Parameter Store. Then, when you want to retrieve that parameter, it's a simple case of
```javascript
const AWS = require('aws-sdk');
const ssm = new AWS.SSM();

async function getSecretParam(paramName) {
  const params = {
    Name: paramName,
    WithDecryption: true, // SSM decrypts the SecureString with the KMS key for you
  };
  return await ssm.getParameter(params).promise();
}
```
You just need to make sure that your Lambda role has access to the parameter and to the key for decryption.
p
Was looking at the SSM CDK docs and it says that:
> You can create either `ssm.StringParameter` or `ssm.StringListParameter`s in a CDK app. These are public (not secret) values. Parameters of type SecretString cannot be created directly from a CDK application; if you want to provision secrets automatically, use Secrets Manager Secrets (see the `@aws-cdk/aws-secretsmanager` package).
From what I understood, they don't allow creating secret values in CDK (for both SSM and SecretsManager) for security reasons, to avoid leaking them in stack creation logs or somewhere else. Based on that, I think @Pål Brattberg's strategy of having a separate script sounds like a good way to handle it. I will try to do the following:
• script to create/edit the secrets before running sst build
• in my CDK stack I import the secrets and export the ARNs
• in my lambdas I use the secret ARN to get the value
Sounds sane?