How to update secret values of secret manager in CDK? - aws-cdk

My secret manager is created with the credentials of RDS in CDK, with DatabaseCluster and the credential param in it. Now I want to update some value in that secret manager.
How can I update a secret value of the secret manager in CDK?

There isn't a great way to do this, and that's by design. Anything you put in the CDK has to be in your CFN template, and then it's no longer secret.
You'll need to find a process outside of the CDK and CFN to update those values.

The problem is, if you inject the secret as a string in your CDK code, it will show up in the compiled CloudFormation output.
There is a hot debate about this topic here.
I solved this problem by updating the secret with the AWS CLI:
aws secretsmanager put-secret-value --secret-id your_secret_arn --secret-string your_secret
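An added example, not part of the answer above, of the same CLI approach done with boto3 (assumed installed, with AWS credentials configured; the secret ARN and new value are assumed to arrive via the SECRET_ARN and NEW_DB_PASSWORD environment variables). The point it adds: an RDS credential secret is a JSON object, and put-secret-value replaces the whole string, so the changed field is merged into the current value first rather than overwriting host, port and username.

```python
"""Update one field of a JSON Secrets Manager secret without clobbering the rest.

Hypothetical helper written for this answer, not from the question or CDK.
Nothing here goes through a CDK/CFN template, so the value is never rendered
into the stack output.
"""
import json
import os
import uuid


def merge_secret_fields(current_secret_string, updates):
    """Return a new secret string with `updates` applied on top of the
    existing JSON document. Refuses non-object secrets: RDS credential
    secrets are always JSON objects, and writing a bare string would
    silently break every consumer that parses the document."""
    current = json.loads(current_secret_string)
    if not isinstance(current, dict):
        raise ValueError("secret string is not a JSON object")
    merged = dict(current)          # keeps the existing key order
    merged.update(updates)
    return json.dumps(merged, separators=(",", ":"))


def update_secret_fields(secret_id, updates, client=None):
    """Read the current AWSCURRENT version, merge, and write a new version."""
    import boto3  # imported here so the pure merge logic needs no AWS SDK

    client = client or boto3.client("secretsmanager")
    current = client.get_secret_value(SecretId=secret_id)["SecretString"]
    new_value = merge_secret_fields(current, updates)
    # ClientRequestToken makes the write idempotent if the call is retried.
    return client.put_secret_value(
        SecretId=secret_id,
        SecretString=new_value,
        ClientRequestToken=str(uuid.uuid4()),
    )


if __name__ == "__main__":
    # Both values come from the environment, never from source or a template.
    update_secret_fields(
        os.environ["SECRET_ARN"],
        {"password": os.environ["NEW_DB_PASSWORD"]},
    )
```

After the write, the new version carries the AWSCURRENT stage, so a database cluster that reads the secret at connection time picks up the new password on its next lookup.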

Related

accessing secret from google secret manager

I put a serviceAccount.json in Google Secret Manager, and I want to build an API service with FastAPI, a Python web framework.
I mounted the secret as a disk; I want to read it from my file, but it replies "no such file"... Please, can anyone help me?
Never store JSON service account keys in Google Secret Manager. If your workload is running in Cloud Run, you should use the service identity to grant permissions https://cloud.google.com/run/docs/securing/service-identity.

How to access the secrets, keys from azure keyvault in app-configmap.yaml file

I have created an AKS-based application deployment where all the environment variables of the application are defined in the app-configmap.yaml file. This file is referred to in the deployment.yaml file.
I would like to store all the credentials that are mentioned in app-configmap.yaml as environment variables into secrets in Key Vault, and finally from Key Vault they will be referred to in app-configmap.yaml.
I need help to understand it step by step so that I can implement it.
In general I would not recommend using secrets as environment variables or with configmaps.
With the AZURE KEY VAULT PROVIDER FOR SECRETS STORE CSI DRIVER you should use the secrets as file mounts inside the pod that really needs the secret. With this you can also rotate secrets on demand or sync your own TLS certs etc.
The pro is you don't need AAD-Pod-Identity because the CSI handles auth on its own.

Access KeyVault from Azure Container Instance deployed in VNET

Azure Container Instance is deployed in a VNET and I want to store my keys and other sensitive variables in Key Vault and somehow access it. I found in the documentation that it's currently a limitation to use managed identities once ACI is in a VNET.
Is there another way to bypass these identities and use Key Vault?
I'm trying to avoid environment variables and secret volumes, because this container will be scheduled to run every day, which means there will be some script with access to all secrets and I don't want to expose them in script.
To access the Azure Key Vault you will need to have access to a token; are you OK storing this token in a k8s secret?
If you are, then any SDK or curl command could be used to leverage the REST API of the Key Vault to retrieve the secret at run time: https://learn.microsoft.com/en-us/rest/api/keyvault/
If you don't want to use secrets/volumes to store the token for AKV, it would be best to bake your token into your container image and maybe rebuild your image every day with a new token whose access you could manage in AKS at the same time within your CI process.

docker secrets and refresh tokens

I'm looking for a way to use Docker secrets. For all cases where I don't need to update the stored value of the secret that would be a perfect situation, but my app has multiple services which have 3-legged OAuth authorization. After successfully obtaining all tokens, a script collects all tokens, then creates secrets out of them and executes the config of my docker.compose.yml file with the container using those secrets. The problem is when the tokens have to be refreshed and stored again as secrets. Docker secrets do not allow updating the secrets. What would be a possible workaround or better approach?
You do not update a secret or config in place. They are immutable. Instead, include a version number in your secret name. When you need to change the secret, create a new one with a new name, and then update your service with the new secret version. This will trigger a rolling update of your service.

Dropwizard and Hashicorp Vault

I'm wondering if anyone has experience using Dropwizard and Vault together? I'm looking for a solution where I can keep my DB and other passwords in Vault instead of the Dropwizard .yaml configuration. I'd also like to be able to start my service up and be prompted for the Vault key, and not place any secrets in any config files. Any help is greatly appreciated.