Last week, at the AWS Summit San Francisco, AWS unveiled the new AWS Secrets Manager service. This new service allows you to:
This service enables you to avoid storing database credentials and other secrets in configuration files on your servers. Secrets can be retrieved and used dynamically.
It’s basically doing for any secret what “IAM Roles for EC2 Instances” did for IAM access keys.
But the real power of the AWS Secrets Manager comes from the automated rotation. This allows you to change your passwords every 30 days (for example).
AWS Secrets Manager can basically handle many types of secrets:
Amazon RDS is supported out-of-the-box. For these types of secrets, the following information is retrieved from the service:
The secrets are encrypted using KMS keys. You can use the default aws/secretsmanager KMS key, or you can create your own KMS key to use.
AWS Secrets Manager can also rotate your secrets on a regular basis. For example, you can have your database password changed every 10 days. This limits how long a leaked password stays usable.
Secret rotation is handled through Lambda functions. AWS provides built-in Lambda functions for rotating Amazon RDS passwords. But since secret rotation is handled by Lambda functions, any secret can be rotated as long as a Lambda function can be written to do it.
You’ll see us create a Lambda function to rotate Skeddly API access keys in the future.
There are 2 types of secret rotation:
Self rotation is when a secret (a database username/password, for example) changes itself. This is easy to set up using AWS Secrets Manager. However, with this method there will be a short period of time when the password being used by the application is no longer valid.
For example, take the following sequence:
In the above case, the database access will fail. If your application is written to handle this case, or you just don’t care, great. Otherwise, there’s the master/user option that you can use.
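The following is an added example (not code from the original post) of an application written to handle that case: it caches the secret, and when the database rejects the cached password during the rotation window, it refetches the secret once and retries. The `fetch_secret`/`open_conn` callables, the `prod/app-db` secret name and the fake store are assumptions constructed so the example runs offline; in production `fetch_secret` would wrap boto3's `get_secret_value`.

```python
import json

class AuthError(Exception):
    """Raised by the database when the presented password is no longer valid."""

class SecretBackedConnector:
    """Caches one Secrets Manager secret; on AuthError it refetches once and retries.
    fetch_secret(secret_id) -> SecretString (in production, boto3 secretsmanager
    get_secret_value(SecretId=...)['SecretString']); open_conn(user, pw) -> connection."""
    def __init__(self, secret_id, fetch_secret, open_conn):
        self.secret_id, self.fetch_secret, self.open_conn = secret_id, fetch_secret, open_conn
        self._creds = None   # cached {"username": ..., "password": ...}
        self.refreshes = 0   # fetches from the service (each is a billable API call)

    def _load(self, force=False):
        if self._creds is None or force:
            self._creds = json.loads(self.fetch_secret(self.secret_id))
            self.refreshes += 1
        return self._creds

    def connect(self):
        creds = self._load()
        try:
            return self.open_conn(creds["username"], creds["password"])
        except AuthError:
            # Self-rotation window: the cached password was just changed. Refetch exactly
            # once and retry; a second failure is a real problem and propagates.
            creds = self._load(force=True)
            return self.open_conn(creds["username"], creds["password"])

# Constructed stand-ins for Secrets Manager and the database, so this runs offline.
class FakeSecretStore:
    def __init__(self):
        self.secrets = {"prod/app-db": {"username": "app", "password": "pw-v1"}}
    def get_secret_string(self, secret_id):
        return json.dumps(self.secrets[secret_id])
    def self_rotate(self, secret_id, new_password):
        self.secrets[secret_id]["password"] = new_password  # DB and secret change together
    def open_conn(self, username, password):
        if password != self.secrets["prod/app-db"]["password"]:
            raise AuthError("password rejected")
        return f"conn:{username}"

def demo():
    store = FakeSecretStore()
    conn = SecretBackedConnector("prod/app-db", store.get_secret_string, store.open_conn)
    first = conn.connect()                     # fetches and caches pw-v1
    store.self_rotate("prod/app-db", "pw-v2")  # rotation runs between two requests
    second = conn.connect()                    # cached pw-v1 fails, refetch, pw-v2 succeeds
    return first, second, conn.refreshes       # -> ("conn:app", "conn:app", 2)
```

Because the secret is only refetched on an auth failure, normal traffic costs one Secrets Manager API call per process rather than one per database request.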
Using the master/user rotation option, you have two (or more) secrets registered in the AWS Secrets Manager:
When you’re using AWS Secrets Manager for RDS username/passwords, then under this pattern, AWS Secrets Manager will use the “master” secret to:
user, it will create another database user called
This gives high availability for your secrets because a recently retrieved secret won’t be invalidated immediately after retrieval.
Pricing for AWS Secrets Manager is as follows:
So here’s a pricing example. Suppose you have 2 secrets being stored: a database password and an API key to some third-party service.
Every day, your application makes 1,000 API requests, and 1,000,000 database requests. With this frequency, the monthly cost (assuming 30-day month) would be:
So the total cost would be $150.95.
The AWS Secrets Manager could be a fantastic service. It will definitely be a competitor to HashiCorp’s Vault.
Setup of master/user password rotation is a bit cumbersome due to some manual steps, but once set up, it runs pretty smoothly.
I’d like to see AWS add support for RDS read-replicas. I see two possible solutions:
Skeddly is the leading managed scheduling service for your AWS account. Using Skeddly, you can: