How and where do you store your secrets? Well, I am not talking about your personal secrets 🙂 , but here secrets mean your application credentials such as database passwords, account information or any other unencrypted data that you want to store securely.
Problem :
- Credentials should be kept in an encrypted and secure manner such that they are not exposed to the external world.
- Managing encrypted key generation and moving the credentials to a secure place should be easy and also maintainable.
What is AWS KMS ?
AWS Key Management Service is a managed service which helps you create and manage encryption keys for your application. Good part is, it integrates well with other AWS services like S3, EBS, RDS, Lambda etc. It also provides you a centralised access to your keys which makes it very manageable.
Find more details here.
Prerequisite :
- You should already have an AWS account.
- Install awscli on your machine.
How to use AWS KMS to manage credentials :
Create your keys in AWS:
- Login to AWS console.
- Go to IAM -> Encryption Keys
- Select the region you want your keys to be stored in.
- Once you do that, click on Create Keys which will start the process of creating your keys. These are just resources in KMS which will securely store your secrets and let you manage them.
- Provide a good name and a brief description for your key. ex : database_credentials
- Add tags to your keys. These are optional, but can be helpful when you want to organise your keys.
- Move to Next Steps. At this point you have to configure IAM roles and users which can access your keys.
- Once you go to the next steps, it shows you the policy document. Review the document and click Finish to complete the process.
- Your key is created.
Generate encrypted version of your secret using AWS cli:
Run below command from command line. (make sure you first login into your AWS account from command line)
aws kms encrypt --key-id alias/<KEY_NAME_YOU_CREATED> --plaintext <SECRET_VALUE>
Above command will give you a response consisting a keyId and a CipherText.
Copy the cipherText and use it in your application properties or cloud formation template prefixed with “aws:kms:” as an environment variable.
For ex: If the cipher text generated for your mongodb_password is “CkaS91sjlaAAoeQjqwl=qASkwjklqw”, then your environment variable will look like
MONGODB_PASSWORD: “aws:kms:CkaS91sjlaAAoeQjqwl=qASkwjklqw”
To verify if the cipher you added to your properties is correct. you can decrypt the key and verify if it is correct.
echo -n "<CIPHER>" | base64 -D > /tmp/myKey cd /tmp aws kms decrypt --ciphertext-blob fileb://myKey --query Plaintext --output text | base64 -D
More details can be found here.
Hope you find it useful. Please share your feedback and other ways you store your secrets. This time I am talking about the personal ones 🙂 .
Thanks,
Kaivalya Apte
