Using AWS CLI Secrets Manager to Manage Confidential Info

Published: 26 July 2022 - 5 min. read

Are you saving your passwords in text files, configuration files, or deployment files while deploying applications in the Amazon AWS cloud? If so, you’re putting your secrets at risk. Luckily, AWS Secrets Manager, driven from the AWS CLI, keeps your passwords out of an attacker’s reach.

AWS Secrets Manager addresses this concern by encrypting every stored password and decrypting it only when you retrieve it. In this tutorial, you’ll learn how to protect sensitive information from prying eyes.

Ready? Read on and keep your secrets, well, a secret!

Prerequisites

This tutorial will be a step-by-step demonstration. If you’d like to follow along, be sure you have the following in place:

  • A Windows machine – This tutorial uses Windows 10, but later versions will also work.
  • An AWS IAM user – Ensure the IAM user has programmatic access and that you assign the user to the existing policy of AmazonIAMFullAccess.
  • AWS CLI installed on your Windows machine.
  • An AWS RDS Microsoft SQL Server database instance.

Configuring AWS CLI with AWS Credentials

AWS CLI is a command-line tool that allows you to work with AWS APIs to manage and provision the AWS services. But before you run any commands using AWS CLI, you must first configure AWS CLI with AWS credentials. Doing so allows you to connect to the AWS account and execute commands.

To configure your AWS credentials on AWS CLI:

1. Open command prompt as administrator, and run the following commands to configure AWS credentials (aws configure).

cd C:\Users   # Change the working directory to C:\Users
aws configure # Configure AWS credentials

Enter the AWS IAM user details, such as AWS Access Key ID, Secret Access Key, and region. You can leave the output format blank to accept the default, or set it to text or json.

Configuring the AWS CLI

2. Next, open File Explorer, navigate to the C:\Users\%USERNAME%\.aws directory, and verify if the credentials and config files are present.

Checking the credentials and config files exist

3. Open the credentials and config files. You’ll notice the credentials you specified in step one are successfully stored in both.

Viewing the credentials file’s content
Viewing the config file’s content

4. Finally, run the following commands to test if your AWS credentials are working.

The command uses your AWS credentials to authenticate to the AWS account and retrieves a list of all EC2 instances.

# Change directory, one level up (C:\Users\%USERNAME%).
cd ..
# Retrieve the list of all instances.
aws ec2 describe-instances

Notice that when you execute the command, you’ll connect to AWS resources using AWS APIs.

Testing if the AWS credentials work

Creating Secrets via the AWS CLI

You’ve successfully verified that your AWS CLI configuration and AWS credentials work correctly, and now you’re ready to create your secrets. You’ll use these secrets to connect to a database in the later part of this tutorial.

Create a file called creds.json on your Desktop, and copy/paste the below configuration that contains database details, which you’ll later store as secrets.

{
      "username": "admin",
      "password": "password",
      "engine": "sqlserver",
      "host": "database-3.cgph34pcibdl.us-east-1.rds.amazonaws.com",
      "port": "1433",
      "dbInstanceIdentifier": "database-3"
}

Next, run the below command to perform the following:

  • Change the working directory (cd) to your Desktop directory.
  • Create an AWS secret (create-secret) named mySecret_DB from the creds.json file.

# Change working directory to Desktop
cd Desktop
# Create an AWS secret
aws secretsmanager create-secret --name mySecret_DB --secret-string file://creds.json

The below output contains the secret’s ARN, Name, and VersionId.

Creating an AWS secret in the AWS account

You can update a secret as many times as you wish by running the following command, where --secret-id specifies the secret’s ARN or name:

aws secretsmanager update-secret --secret-id ARN_OR_NAME --secret-string "NewValue"

Verifying the AWS Secrets via the AWS Management Console

You’ve just created your secrets with AWS CLI, and that’s a huge step. But how do you know your secrets exist in your AWS cloud? Verify your AWS secrets by manually checking in the AWS Management Console.

1. Open your favorite web browser and log in to the AWS Management Console.

2. Search for secrets on the console’s home page, and choose Secrets Manager from the result. Doing so redirects your browser to the page where you can see and manage your AWS Secrets Manager secrets (step three).

Accessing the AWS Secrets Manager service

3. Lastly, click on your secret from the list below to access your secrets’ information.

Viewing the secrets in AWS Secrets Manager

You’ll see the below page describing all the secret’s details, such as the Name, ARN, value (Key/Value), and so on.

Checking the details of the AWS secret

Authenticating AWS RDS DB Instance with the AWS CLI Secrets Manager

Even though you’ve successfully verified your secrets, they’re just sitting in the AWS Secrets Manager service. Why not learn to retrieve them and perform authentication with the AWS RDS service?

To authenticate with the AWS RDS DB instance using AWS Secrets Manager:

1. Open the AWS Schema Conversion Tool (AWS VPN Client) from your Desktop or Start menu.

Opening the AWS Schema Conversion Tool

2. Next, click on File —> New Project to create a project.

Creating a new Project in the AWS Schema Conversion Tool

3. Enter a Project name (ATA_Project) and the location where you wish to store the project, and click OK to create the project.

After creating the project, you’ll see the project name (ATA_Project) at the top of the window (step four).

Providing project name and location

4. Now, click Settings —> Global settings to open the Global settings window where you can add your AWS profile (step five).

Adding a global setting

5. On the Global settings window, click on Add a new AWS service profile to initiate adding a new AWS service profile.

Initiating adding an AWS profile in the AWS Schema Conversion Tool

6. Next, enter details for the new AWS service profile:

  • Profile name – Set a unique profile name; this tutorial uses NewProfile 1.
  • AWS access key and secret key – Input the AWS access and secret keys you used in step one of the “Configuring AWS CLI with AWS Credentials” section.
  • Region – Set the region where you’d like to authenticate and connect to the AWS service.
  • Click OK to create the new AWS service profile.

Creating a new AWS service profile

7. After creating an AWS service profile, click Add source on the toolbar to see the list of databases you can connect to (step eight).

Initiating adding a database source

8. Select the Microsoft SQL Server option, and click Next to configure your database source connection.

Selecting Microsoft SQL Server as the database source

9. Provide the following details for connecting to the Microsoft SQL Server:

  • Connection name – Input a connection name you like; this tutorial uses DB_AWS_secrets_connection.
  • AWS Secret – Select your AWS secret (mySecret_DB), and click Populate. You’ll notice the values from the secret you created in AWS Secrets Manager are automatically populated in the required fields.

Test Connection

10. Now, click on Test connection to verify that the secret’s values are correct and can connect to the database you created. Doing so tests whether the AWS Schema Conversion Tool can authenticate to the AWS account and services.

Testing database connection

11. Finally, click on Connect (bottom-right) to connect to the database.

Connecting to the AWS RDS database using AWS Secrets Manager

Once connected, you’ll see all database details, such as engine version, connection details, etc., as shown below.

Overviewing database details
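The two halves of this tutorial, uploading creds.json with create-secret and then letting a tool pull the secret and populate a SQL Server connection, are easy to script as well. The following is an added example (not code from the original article or from AWS): it validates the creds.json content before upload, which matters because Secrets Manager stores the --secret-string exactly as given and a file with missing commas is accepted on upload but fails when a tool tries to parse it, and it then retrieves the secret through a client object and maps it onto connection parameters without ever writing the password to a file. The FakeSecretsClient class, the GOOD_CREDS and BROKEN_CREDS strings, and the helper names are constructed for this example; against real AWS the client would be boto3.client("secretsmanager", region_name="us-east-1"), whose get_secret_value(SecretId=...) call the fake imitates.

```python
"""Added example: check creds.json before upload, then consume the secret at runtime."""
import base64
import json

# Keys that creds.json above carries and that the AWS Schema Conversion Tool
# reads when it populates the SQL Server connection form from the secret.
REQUIRED_KEYS = ("username", "password", "engine", "host", "port", "dbInstanceIdentifier")


def validate_db_secret(secret_string: str) -> dict:
    """Parse a secret string and confirm it carries every field the tutorial relies on.

    create-secret does not parse --secret-string, so a malformed file is only
    discovered later by the consumer; validating here catches it before upload.
    """
    try:
        data = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        raise ValueError(f"secret is not valid JSON: {exc}") from None
    if not isinstance(data, dict):
        raise ValueError("secret must be a JSON object")
    missing = [key for key in REQUIRED_KEYS if key not in data]
    if missing:
        raise ValueError(f"secret is missing keys: {', '.join(missing)}")
    port = int(data["port"])  # creds.json stores the port as a string
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return {**data, "port": port}


def secret_file_is_valid(secret_string: str) -> bool:
    """Boolean wrapper for the pre-upload check; prints the reason on failure."""
    try:
        validate_db_secret(secret_string)
        return True
    except ValueError as exc:
        print(f"creds.json rejected: {exc}")
        return False


def fetch_db_secret(client, secret_id: str) -> dict:
    """Retrieve and validate a secret through a Secrets Manager client.

    `client` only needs a get_secret_value(SecretId=...) method (the boto3 signature).
    The response carries SecretString for text secrets or SecretBinary for binary ones;
    boto3 returns SecretBinary as bytes, the raw API and CLI return it base64-encoded.
    """
    response = client.get_secret_value(SecretId=secret_id)
    if "SecretString" in response:
        raw = response["SecretString"]
    else:
        blob = response["SecretBinary"]
        raw = blob.decode("utf-8") if isinstance(blob, bytes) else base64.b64decode(blob).decode("utf-8")
    return validate_db_secret(raw)


def sqlserver_connection_params(secret: dict) -> dict:
    """Map the secret onto the parameters a SQL Server driver expects.

    The password lives only in memory for the connection call; nothing here
    writes it to a config file, which is the point of using Secrets Manager.
    """
    return {
        "server": f"{secret['host']},{secret['port']}",  # host,port form used by SQL Server drivers
        "user": secret["username"],
        "password": secret["password"],
        "database_instance": secret["dbInstanceIdentifier"],
    }


def redact(secret: dict) -> dict:
    """Copy of a secret or parameter set that is safe to log: the password is masked."""
    return {key: ("***" if key == "password" else value) for key, value in secret.items()}


class FakeSecretsClient:
    """Constructed stand-in for boto3's Secrets Manager client so the example runs offline."""

    def __init__(self, secrets: dict, binary: bool = False):
        self._secrets = secrets
        self._binary = binary

    def get_secret_value(self, SecretId: str) -> dict:
        if SecretId not in self._secrets:
            raise LookupError(f"ResourceNotFoundException: {SecretId}")  # boto3 raises a typed exception
        response = {"Name": SecretId, "VersionId": "EXAMPLE-VERSION-ID"}
        if self._binary:
            response["SecretBinary"] = self._secrets[SecretId].encode("utf-8")
        else:
            response["SecretString"] = self._secrets[SecretId]
        return response


# Constructed sample inputs: the tutorial's creds.json with its commas in place,
# and a hand-edited copy where the commas are missing.
GOOD_CREDS = json.dumps({
    "username": "admin",
    "password": "password",
    "engine": "sqlserver",
    "host": "database-3.cgph34pcibdl.us-east-1.rds.amazonaws.com",
    "port": "1433",
    "dbInstanceIdentifier": "database-3",
})
BROKEN_CREDS = '{ "username": "admin" "password": "password" "engine": "sqlserver" }'

if __name__ == "__main__":
    print("good file valid:", secret_file_is_valid(GOOD_CREDS))
    print("broken file valid:", secret_file_is_valid(BROKEN_CREDS))
    client = FakeSecretsClient({"mySecret_DB": GOOD_CREDS})
    secret = fetch_db_secret(client, "mySecret_DB")
    print("retrieved (redacted):", redact(secret))
    print("driver params (redacted):", redact(sqlserver_connection_params(secret)))
```

Run the validation against creds.json before the create-secret command in the section above; the retrieval half is what a deployment script or application does in place of the Schema Conversion Tool’s Populate button, and the redact helper is the habit that keeps the password out of logs once it has been fetched.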

Conclusion

You can manage your AWS secrets in various ways, such as directly through the AWS console or with Terraform. But in this tutorial, you’ve learned how to store AWS secrets using the AWS CLI with a single command. Ultimately, you connected to your database using AWS secrets with the AWS Schema Conversion Tool.

You’re now equipped with the knowledge of keeping your secrets safe from prying eyes. What do you plan to store next in AWS secrets using the AWS CLI?
