33.1 Secrets Manager: Storing and Rotating Database Credentials, API Keys, and OAuth Tokens
Alright, let’s talk about Secrets Manager, the service that finally lets you stop committing database passwords to your GitHub repo where they’ll live forever, mocked by Russian bots. This isn’t just a secure locker for your most sensitive data; it’s a full-blown credential management system with a party trick: automatic rotation. It’s for the stuff that would cause a real, “oh we’re on the news” level of disaster if it leaked: database credentials, API keys (especially the ones that cost money), and OAuth tokens.
The first thing you need to get is the difference between a ‘secret’ and a ‘parameter’ (we’ll get to Parameter Store next). A secret in Secrets Manager isn’t just the password itself. It’s an envelope that contains the password and the context needed to use it. We’re talking the full connection string, the username, the database name—the whole kit and caboodle, encrypted as a single, secure blob.
The Anatomy of a Secret
When you create a secret, you’re not just throwing a string over the wall. You’re creating a structured JSON document. AWS forces this structure for database credentials because its rotation lambda (a fancy term for a little function that does the work) needs to know what each part is. For a MySQL database, it looks like this:
{
"engine": "mysql",
"host": "supersecretdb.abc123.us-east-1.rds.amazonaws.com",
"port": 3306,
"dbname": "myApplicationDb",
"username": "admin",
"password": "hG#2kL9!sP0qR"
}
You create this via the CLI, SDK, or console. Here’s how you do it with the AWS CLI for a generic API key:
aws secretsmanager create-secret --name "prod/thirdParty/EmailServiceApiKey" --secret-string "supersecretkey123"
Notice the name: prod/thirdParty/EmailServiceApiKey. Naming is your first line of defense against chaos. Use a hierarchy. environment/service/identifier is a classic and brilliant pattern. You’ll thank yourself later when you have 200 secrets and can actually find the one you need.
Retrieving Secrets in Your Application
This is the whole point. You’re going to delete that hardcoded credential from your config.yml right now. I’ll wait. Instead, your application will ask Secrets Manager for it at runtime. Here’s the programmatic way, using the Python SDK (boto3):
import boto3
import json
from botocore.exceptions import ClientError
def get_secret(secret_name):
client = boto3.client('secretsmanager')
try:
response = client.get_secret_value(SecretId=secret_name)
except ClientError as e:
# Handle errors gracefully, for the love of uptime
if e.response['Error']['Code'] == 'ResourceNotFoundException':
print("The requested secret " + secret_name + " was not found")
elif e.response['Error']['Code'] == 'InvalidRequestException':
print("The request was invalid due to:", e)
elif e.response['Error']['Code'] == 'InvalidParameterException':
print("The parameter was invalid due to:", e)
elif e.response['Error']['Code'] == 'DecryptionFailure':
print("Secrets Manager can't decrypt the protected secret text using the provided KMS key.")
else:
# Something else went wrong. This is where your logging goes.
raise e
else:
# Secret was retrieved successfully
if 'SecretString' in response:
secret = response['SecretString']
return json.loads(secret) # Parse the JSON
else:
# This would be for binary secrets, which is a rarer use case.
decoded_binary_secret = base64.b64decode(response['SecretBinary'])
return decoded_binary_secret
# Usage
secret = get_secret("prod/thirdParty/EmailServiceApiKey")
api_key = secret # In this case, the secret was just a string, not JSON.
Crucial Best Practice: Your EC2 instance, Lambda function, or ECS task must have an IAM policy that grants it permission to secretsmanager:GetSecretValue on that specific secret (or a path like prod/*). The credential to access the credentials now comes from IAM, which is way more manageable. This is the way.
The Magic Trick: Automatic Rotation
This is Secrets Manager’s killer feature. You can set it to automatically rotate a secret on a schedule (like every 30, 60, 90 days). When rotation time comes, AWS fires up a Lambda function that:
- Creates a new secret (e.g., a new database user with a new password).
- Tests the new secret to make sure it works.
- Sets the new secret as the active version in Secrets Manager.
- (Eventually) deletes the old secret.
The beauty is your application never needs to know. It just calls get_secretValue, and it always gets the current, valid credential. No downtime, no frantic redeploys.
The Rough Edge: The rotation lambda isn’t magic. AWS provides templates for common databases (RDS MySQL, PostgreSQL, etc.), but for anything else—a custom API, an on-prem Oracle database, you name it—you have to write that lambda function. This is non-trivial work. You are responsible for the logic that creates the new user, validates it, and updates the service. It’s powerful, but it’s not a one-click solution for the entire world.
Versioning and Staging Labels
Every time a secret is updated or rotated, Secrets Manager creates a new version. The old versions are kept (unless you configure it to delete them). This is your safety net. You can retrieve a specific version if you need to roll back.
Even better, you can use staging labels: AWSCURRENT, AWSPREVIOUS, and AWSPENDING. Your application always fetches AWSCURRENT. During rotation, the new secret is staged as AWSPENDING until the lambda tests it and promotes it to AWSCURRENT. This is how the switch happens atomically. You generally don’t need to mess with this manually, but it’s good to know how the sausage is made.
When Not to Use Secrets Manager
Let’s be direct: it costs money. ~$0.40 per secret per month + $0.05 per 10,000 API calls. For a single secret, that’s fine. For thousands of low-value, frequently-accessed configs? That’s a bill. It’s also slower than a local config file. For non-critical, non-rotating configuration values, there’s a cheaper, faster tool for the job. And that’s our next topic: Parameter Store.