Managing sensitive information, such as database credentials, API keys, and other secrets, is crucial for maintaining the security and integrity of your applications. AWS Secrets Manager simplifies storing, retrieving, and managing secrets, especially for applications running in containerized environments like AWS Fargate. This guide will explore how to retrieve Secrets Manager credentials from containers running on AWS Fargate.

Why Use AWS Secrets Manager?

AWS Secrets Manager offers several benefits:

  • Automated Secrets Rotation: Rotate secrets on a schedule with a rotation Lambda function, so static credentials never have to be redistributed by hand.
  • Secure Access: Secrets are encrypted at rest with AWS KMS, every read is authorized by IAM and logged in CloudTrail, and credentials never have to be baked into container images, plaintext task-definition environment variables, or source control.
  • Centralized Management: Manage all your secrets in one place, simplifying auditing and compliance efforts.

Prerequisites

Before you begin, ensure you have the following:

  • An AWS account with appropriate permissions to use AWS Secrets Manager, AWS Fargate, and IAM.
  • AWS CLI installed and configured on your local machine.
  • Docker installed on your local machine.

Step-by-Step Guide

1. Create a Secret in AWS Secrets Manager

  1. Open the AWS Management Console and navigate to Secrets Manager.
  2. Click on Store a new secret.
  3. Select the Credentials for RDS database or Other types of secrets option.
  4. Enter the secret details (e.g., username and password).
  5. Click Next and follow the prompts to name your secret and configure rotation (if needed).
  6. Note down the ARN of the secret, as you will need it later.

2. Set Up IAM Roles and Policies

Two different roles can be involved here, and it matters which one receives the permission. When you use the secrets setting of the container definition (Step 3), the ECS agent fetches the secret before your container starts, so it is the task execution role that needs secretsmanager:GetSecretValue. The task role only needs that permission if your application calls the Secrets Manager API itself at runtime.

  1. Create an IAM Policy:
    • Navigate to the IAM console.

Create a new policy with the following JSON, replacing your-secret-arn with the ARN of your secret. Secrets Manager appends a random six-character suffix to every secret ARN, so either copy the full ARN you noted in Step 1 or use a wildcard such as arn:aws:secretsmanager:region:account-id:secret:secret-name-?????? so the policy survives recreating the secret. If the secret is encrypted with a customer managed KMS key rather than the AWS managed key, the same role also needs kms:Decrypt on that key:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": "your-secret-arn"
    }
  ]
}

  • Name the policy and save it.
  2. Create an IAM Role:
    • Create (or reuse) the task execution role for your ECS task. It must also carry the AWS managed policy AmazonECSTaskExecutionRolePolicy so the agent can pull the image and write logs.
    • Attach the policy you created above to this role.

3. Configure Your Fargate Task

  1. Create a New Task Definition:
    • Navigate to the ECS console and create a new task definition for Fargate.
    • Under Task execution role, select the role you attached the policy to in Step 2. Set Task role only if the application will call Secrets Manager itself at runtime.
    • Add your container definitions, giving non-sensitive settings as ordinary environment variables.
  2. Add Secrets Configuration:

In the Environment section of your container definition, reference the secret with ValueFrom rather than Value; in the task definition JSON this lands in the secrets array of the container definition. The agent resolves the reference when the task starts and exposes the plaintext to the container as the environment variable DB_PASSWORD. If the secret is a JSON document (the RDS type is), you can expose a single field instead of the whole document by appending :json-key:: to the ARN, for example ...:secret:secret-name:password::. For example:

"secrets": [
  {
    "name": "DB_PASSWORD",
    "valueFrom": "arn:aws:secretsmanager:region:account-id:secret:secret-name"
  }
]
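How the agent resolves those entries, and what happens when the execution role policy does not cover an ARN, can be checked without an AWS account. The following Python is an added example written for this guide, not AWS code: it models the agent's resolution of valueFrom references (including the json-key form) against a constructed in-memory stand-in for Secrets Manager, and evaluates each referenced ARN against a sample execution role policy before deployment. All ARNs, secret contents and the policy are constructed sample data.

```python
"""Added example for this guide (not AWS code): models how the ECS agent turns the
`secrets` entries of a container definition into environment variables, and checks
each referenced ARN against the task execution role policy before deploying.
ARNs, secret contents and the policy below are constructed sample data."""
import fnmatch
import json

# Constructed stand-in for Secrets Manager: ARN -> SecretString. Real ARNs end in
# the random 6-character suffix Secrets Manager appends to the secret name.
FAKE_SECRETS_MANAGER = {
    "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-AbCdEf":
        json.dumps({"username": "app", "password": "s3cr3t-pw", "host": "db.internal"}),
    "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/api-key-GhIjKl":
        "raw-api-key-value",
}

# Constructed container-definition "secrets" array: the first entry uses the
# Fargate ":json-key:version-stage:version-id" suffix to expose one field only.
CONTAINER_SECRETS = [
    {"name": "DB_PASSWORD",
     "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-AbCdEf:password::"},
    {"name": "API_KEY",
     "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/api-key-GhIjKl"},
]

# Constructed execution-role policy that deliberately covers only the DB secret.
EXECUTION_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["secretsmanager:GetSecretValue"],
        "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-??????",
    }],
}


def parse_value_from(value_from):
    """Split a valueFrom reference into (arn, json_key, version_stage, version_id).
    Secret names may contain '/' but never ':', so the ARN is the first 7 fields."""
    parts = value_from.split(":")
    arn = ":".join(parts[:7])
    extra = parts[7:] + [""] * (3 - len(parts[7:]))
    json_key, version_stage, version_id = extra[:3]
    return arn, json_key or None, version_stage or None, version_id or None


def resolve_secrets(container_secrets, store):
    """Return the environment the container would see after the agent resolves
    every entry. This stand-in serves only the current version, so the parsed
    version stage/id are not used."""
    env = {}
    for entry in container_secrets:
        arn, json_key, _stage, _version_id = parse_value_from(entry["valueFrom"])
        if arn not in store:
            raise KeyError(f"secret missing or not readable by execution role: {arn}")
        value = store[arn]
        if json_key:
            value = json.loads(value)[json_key]  # only that field reaches the container
        env[entry["name"]] = value
    return env


def _as_list(v):
    return v if isinstance(v, list) else [v]


def policy_allows(policy, action, resource_arn):
    """True if an Allow statement matches and no Deny does. '?' and '*' follow
    IAM wildcard rules; actions match case-insensitively, ARNs case-sensitively."""
    allowed = denied = False
    for stmt in policy["Statement"]:
        hit = (any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
               and any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])))
        if hit and stmt["Effect"] == "Allow":
            allowed = True
        elif hit and stmt["Effect"] == "Deny":
            denied = True
    return allowed and not denied


def missing_permissions(container_secrets, policy):
    """ARNs the execution role cannot read; ECS would fail to start the task on these."""
    arns = [parse_value_from(s["valueFrom"])[0] for s in container_secrets]
    return [a for a in arns if not policy_allows(policy, "secretsmanager:GetSecretValue", a)]


if __name__ == "__main__":
    print(resolve_secrets(CONTAINER_SECRETS, FAKE_SECRETS_MANAGER))
    print("unreadable by execution role:", missing_permissions(CONTAINER_SECRETS, EXECUTION_ROLE_POLICY))
```

Running it shows DB_PASSWORD resolved to the password field alone while API_KEY receives the whole string, and flags the api-key ARN that the sample policy's db-?????? resource pattern does not cover; in a real deployment that second case surfaces as a task that never starts, with a ResourceInitializationError about being unable to pull secrets.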

4. Retrieve Secrets in Your Application

Because the ECS agent resolved the secret before the container started, DB_PASSWORD already holds the plaintext value. The application simply reads it from the environment: no Secrets Manager call, no boto3 dependency, and no Secrets Manager permission on the task role are needed. Note that the value is read once, at task start; after a rotation, running tasks keep the old value until you force a new deployment. If you would rather fetch at runtime (for example to pick up rotated credentials without redeploying), pass the ARN in an ordinary environment variable and call the API with the SDK, which authenticates with the task role. The Python below shows both paths:

import json
import os

import boto3

# Path 1: the secret was injected via "secrets"/"valueFrom". DB_PASSWORD holds the
# plaintext value itself, not an ARN, so never pass it to get_secret_value.
db_password = os.environ.get("DB_PASSWORD")


def get_secret(secret_arn, region_name=None):
    """Path 2: fetch by ARN at runtime with the SDK, authorized by the task role.
    Fargate sets AWS_REGION inside the container, so region_name can be left None."""
    session = boto3.session.Session()
    client = session.client(
        service_name="secretsmanager",
        region_name=region_name or os.environ.get("AWS_REGION"),
    )
    try:
        response = client.get_secret_value(SecretId=secret_arn)
    except Exception as e:
        # Log which ARN failed and why; never log the secret value itself.
        print(f"Error retrieving secret {secret_arn}: {e}")
        raise
    secret = response["SecretString"]
    # RDS-type secrets are JSON documents ({"username": ..., "password": ...});
    # "Other" secrets may be a bare string.
    try:
        return json.loads(secret)
    except json.JSONDecodeError:
        return secret


# DB_SECRET_ARN is an ordinary (non-secret) environment variable holding the ARN
# noted in Step 1; it is only set when the runtime path is used.
if "DB_SECRET_ARN" in os.environ:
    db_credentials = get_secret(os.environ["DB_SECRET_ARN"])
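The rotation caveat above is where the runtime path earns its extra permission. As an added example (not part of the original guide), the reader below prefers the value ECS injected, otherwise fetches by ARN, caches the parsed result for a short TTL, and can be refreshed when the database rejects the old password because a rotation completed inside the TTL window. The Secrets Manager call is passed in as a function so the example runs offline against a constructed store; boto3_fetcher shows the real call. The environment variable names DB_PASSWORD and DB_SECRET_ARN, the ARN and the secret contents are assumptions.

```python
"""Added example for this guide (not AWS code): application-side secret reader that
handles both the ECS-injected and the runtime-fetch paths, with a TTL cache and an
explicit refresh for rotations. Store, ARN and clock below are constructed stand-ins."""
import json
import time


class SecretReader:
    """Reads a secret either from the environment (ECS-injected) or, if absent,
    by ARN through `fetch_secret_string(arn) -> str`, caching it for ttl_seconds."""

    def __init__(self, fetch_secret_string, env, ttl_seconds=300, clock=time.monotonic):
        self._fetch = fetch_secret_string
        self._env = env
        self._ttl = ttl_seconds
        self._clock = clock
        self._cache = {}  # arn -> (expires_at, parsed value)

    @staticmethod
    def _parse(raw):
        # RDS-style secrets are JSON objects; anything else is returned as the bare string.
        if raw.lstrip().startswith("{"):
            return json.loads(raw)
        return raw

    def get(self, env_name, arn_env_name):
        # Injected path: value fixed at task start, no API call, no task-role permission.
        if env_name in self._env:
            return self._parse(self._env[env_name])
        arn = self._env[arn_env_name]
        now = self._clock()
        cached = self._cache.get(arn)
        if cached and cached[0] > now:
            return cached[1]
        value = self._parse(self._fetch(arn))
        self._cache[arn] = (now + self._ttl, value)
        return value

    def refresh(self, arn_env_name):
        """Drop the cached copy, e.g. after the database rejects the credentials
        because a rotation completed inside the TTL window."""
        self._cache.pop(self._env[arn_env_name], None)


def boto3_fetcher(region_name=None):
    """Production fetcher. Requires the task role (not the execution role) to
    allow secretsmanager:GetSecretValue on the ARN."""
    import boto3  # imported here so the offline demo below does not need it
    client = boto3.client("secretsmanager", region_name=region_name)
    return lambda arn: client.get_secret_value(SecretId=arn)["SecretString"]


# ---- constructed offline stand-ins for the demo ----
ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-AbCdEf"


class FakeStore:
    def __init__(self, values):
        self.values = dict(values)
        self.calls = 0

    def fetch(self, arn):
        self.calls += 1
        return self.values[arn]


def demo_injected():
    """ECS injected DB_PASSWORD: returned as-is and the fetcher is never called."""
    store = FakeStore({})
    reader = SecretReader(store.fetch, {"DB_PASSWORD": "injected-pw"})
    return reader.get("DB_PASSWORD", "DB_SECRET_ARN"), store.calls


def demo_runtime_rotation():
    """Runtime path: cache hit, stale value after rotation, refresh, then TTL expiry."""
    store = FakeStore({ARN: json.dumps({"username": "app", "password": "v1"})})
    clock = [0.0]
    reader = SecretReader(store.fetch, {"DB_SECRET_ARN": ARN}, ttl_seconds=300,
                          clock=lambda: clock[0])
    first = reader.get("DB_PASSWORD", "DB_SECRET_ARN")["password"]    # fetched (1 call)
    second = reader.get("DB_PASSWORD", "DB_SECRET_ARN")["password"]   # served from cache
    store.values[ARN] = json.dumps({"username": "app", "password": "v2"})  # rotation
    stale = reader.get("DB_PASSWORD", "DB_SECRET_ARN")["password"]    # still v1 inside TTL
    reader.refresh("DB_SECRET_ARN")                                    # DB said "access denied"
    fresh = reader.get("DB_PASSWORD", "DB_SECRET_ARN")["password"]    # v2 (2 calls)
    clock[0] += 301
    expired = reader.get("DB_PASSWORD", "DB_SECRET_ARN")["password"]  # TTL passed (3 calls)
    return first, second, stale, fresh, expired, store.calls


if __name__ == "__main__":
    print(demo_injected())
    print(demo_runtime_rotation())
```

The TTL keeps the call rate (and cost) bounded while still converging on the rotated value; the refresh hook is what lets a connection pool recover immediately on an authentication failure instead of waiting out the window.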

Conclusion

Using AWS Secrets Manager with AWS Fargate provides a secure and efficient way to manage and retrieve secrets for your containerized applications. By following the steps outlined in this guide, you can enhance the security of your applications and ensure that sensitive information is handled properly.