Managing Secrets With AWS Cloud Development Kit (CDK) | by Amanda Quint | Jun, 2022

Using Secrets Manager in your CDK stack

Photo by iMattSmart on Unsplash

I've recently been working on a personal project where I decided to use, and learn more about, AWS CDK for the first time. Overall, it's been a pleasant learning experience, but I ran into some confusion about how best to store and access some secret information, and this article describes how I solved it.

AWS Cloud Development Kit (CDK) is a framework that allows engineers to define their infrastructure as code in a familiar programming language instead of having to manage their infrastructure manually or write raw CloudFormation.

In my project, I'm using CDK in TypeScript, but it's also available in other languages like Python and Java. Writing CloudFormation has always felt tedious and verbose to me, and I'm enjoying using CDK instead.

For the purpose of this example, I have a Lambda (that runs a Python application) that needs a secret token.

My Lambda function requires a secret token to run.

I could hardcode my secret here, but that would be a bad idea. Depending on where I'm committing this code, I could accidentally share information that would give other users the ability to access my account or to take actions as my app. Hard coding the secrets here would also result in them being visible in the CloudFormation template, and to whoever has access to it in the console.

Secrets should be secret!

I could also leave my SECRET_TOKEN set to a dummy value and set the real value in the console after I deploy my Lambda — Lambda does encrypt environment variables — but this would still allow anyone with access to inspect the Lambda to see the plain text secret.

For some secrets, this method may still be too lax. Additionally, during development, my Lambda is getting rebuilt often and this quickly becomes a tedious extra step.

In order to solve my issue, I decided to use AWS Secrets Manager to store my secrets. Secrets in Secrets Manager are $.40/month, but a secret can be a JSON blob with multiple key/value pairs — so you can store multiple related values in a single secret.


I didn't foresee this infrastructure changing much, so I started a new separate stack, MySecretStack, to write the CDK for Secrets Manager in. It only consists of an empty Secret, environmentSecrets, and a CfnOutput — which is a Construct that can be used to output a value from the stack. In this case, we're exporting the secret's ARN.

The CDK for my Secret and the export for its ARN.

My Lambda now needs to know how to reference this Secret, so instead of passing SECRET_VALUE in my environment variables, I passed the ARN of the Secret from the other stack. Note that I also need to add an IAM policy that allows that Secret to be read, and I need to assign that Policy to my Lambda's execution role.

The Lambda now references the Secret's ARN, and has the permissions to get that Secret's value.

Deploying multiple stacks

After this, I needed to deploy both stacks in the CDK app. I also made my coreStack (the one containing the Lambda) dependent on the secretStack to ensure that the Secret ARN would be available when it was needed.

The coreStack depends on the output of secretStack.

After this, it's time to deploy!

In Secrets Manager

Once successfully deployed, I needed to log in to the AWS Secrets Manager console to enter my secrets manually. This is an extra step, but it isn't one that I should have to do often, since the SecretStack won't need to change unless I need to add additional Secrets. This is much less tedious than having to enter SECRET_VALUE every time I redeployed the Lambda.

Also, if I have secrets that need to be rotated on some kind of schedule, Secrets Manager can define rotation handlers to handle that automatically.

Adding a new key/value pair containing my original SECRET_VALUE.

Resolving the Secrets in my Lambda Function

The stack is deployed, and the secret value is stored in Secrets Manager, but I needed one extra step to use these secrets. In my actual Lambda Python application code, I needed to access the Secret.

I used boto3 to access Secrets Manager and set the environment variables from the key/value pairs stored in the Secret. There is also a way to fetch secrets using Lambda Powertools, which I'll switch over to using instead.

Please note that retrieving the secret this way does incur a slight extra cost, as you pay for requests to Secrets Manager ($.05 per 10,000 API calls); however, at the scale that I'm currently using the app, this is negligible.

Setting an environment variable from the value stored inside Secrets Manager.
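The boto3 approach described above, as an added example that is not the article's own Lambda code: a helper that resolves the Secret referenced by an ARN into environment variables. It goes slightly beyond the article by caching the parsed secret across warm invocations (so the per-call Secrets Manager cost is paid once per container, not once per request) and by handling SecretBinary and non-JSON secrets. The client is injected so the helper runs offline against the constructed FakeSecretsManager stand-in; in a real Lambda you would pass boto3.client("secretsmanager") and read the ARN from an environment variable such as SECRET_ARN (name assumed, not from the article).

```python
import base64
import json
import os
from typing import Any, Dict

# Parsed secrets are cached at module level so a warm Lambda container does not
# pay for a Secrets Manager API call on every invocation.
_CACHE: Dict[str, Dict[str, str]] = {}


def fetch_secret(client: Any, secret_arn: str) -> Dict[str, str]:
    """Return the secret's key/value pairs, handling SecretString and SecretBinary."""
    if secret_arn in _CACHE:
        return _CACHE[secret_arn]
    resp = client.get_secret_value(SecretId=secret_arn)
    if "SecretString" in resp:
        raw = resp["SecretString"]
    else:
        raw = base64.b64decode(resp["SecretBinary"]).decode("utf-8")
    try:
        parsed = json.loads(raw)
    except ValueError:
        parsed = None
    # A JSON object maps straight to key/value pairs; anything else is one value.
    if isinstance(parsed, dict):
        values = {str(k): str(v) for k, v in parsed.items()}
    else:
        values = {"SECRET_VALUE": raw}
    _CACHE[secret_arn] = values
    return values


def load_secret_into_env(client: Any, secret_arn: str) -> Dict[str, str]:
    """Export each key/value pair as an environment variable and return them."""
    values = fetch_secret(client, secret_arn)
    os.environ.update(values)
    return values


class FakeSecretsManager:
    """Constructed stand-in for boto3's client so the example runs without AWS."""

    def __init__(self, secret_string: str) -> None:
        self.secret_string = secret_string
        self.calls = 0  # lets a caller confirm the cache avoids repeat lookups

    def get_secret_value(self, SecretId: str) -> Dict[str, Any]:
        self.calls += 1
        return {"ARN": SecretId, "SecretString": self.secret_string}
```

Call load_secret_into_env(client, arn) at module import time (outside the handler) so the lookup happens during cold start and the values are already in os.environ for every invocation.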

Why not resolve the Secret directly in CDK?

Instead of resolving the secrets in the application code, I could have resolved them directly via CDK using the SecretValue construct. Using dynamic references would be marginally cheaper, due to Secrets Manager's cost to retrieve secrets, but there are some extra considerations to keep in mind — and the SecretValue construct itself recommends resolving secrets needed in Lambda functions directly in the code.
