AWS Secrets Manager


What is Secrets Manager?

It's a service that securely stores, encrypts and rotates your database credentials and other secrets. Data is encrypted in transit and at rest using KMS, so a secret is always encrypted. It can automatically rotate your credentials, and you can apply fine-grained access control with IAM policies. It's true that it costs some money, BUT it is very highly scalable.

Check Pricing with AWS Pricing Calculator

So what else can Secrets Manager do?

When your application makes an API call to Secrets Manager to retrieve a secret programmatically, for example the username and password for your RDS database, this reduces the risk of the credentials being compromised, because they are not hard-coded into your application. The application obtains them at runtime through an API call to Secrets Manager.

So what can be stored?

Well, we can store RDS credentials, credentials for non-RDS databases, and basically any other type of secret. These are stored as key-value pairs; think of things like SSH keys or API keys.

Let's take a real-life scenario:

If you enable rotation in Secrets Manager, it immediately rotates the secret to test the configuration. So if you want to enable rotation but your application might still have something hard-coded, it is essential to make sure that every application using these credentials has been updated to retrieve them from the secret through Secrets Manager. This is very important: if your application is still using embedded credentials, do not enable rotation, because the embedded credentials will no longer work and this will break your application. It is recommended that you enable rotation for your secrets once your applications are no longer using embedded credentials, so they will not try to connect to the database with the old credentials.
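The three points above (retrieving the secret through an API call instead of hard-coding it, the JSON key-value layout, and surviving a rotation) come together in the following example. It is added here and is not code from the article or from AWS; the secret name `prod/app/rds-credentials`, the `FakeSecretsClient` and `FakeDatabase` stand-ins, and the sample usernames and passwords are all constructed for offline demonstration. Against real AWS the only change is to pass the client returned by `build_client()`.

```python
"""Fetch RDS credentials from Secrets Manager at connection time and recover
when a rotation invalidates a cached password (added example, not AWS code)."""
import json
import time
from typing import Any, Callable, Dict, Optional

SECRET_ID = "prod/app/rds-credentials"  # hypothetical secret name (assumption)


class AuthError(Exception):
    """Raised by the database layer when the supplied credentials are rejected."""


def build_client(region_name: str = "us-east-1") -> Any:
    """Real Secrets Manager client. boto3 is imported here so the rest of the
    module runs offline against FakeSecretsClient below."""
    import boto3  # needs AWS credentials and network access
    return boto3.client("secretsmanager", region_name=region_name)


def fetch_secret(client: Any, secret_id: str) -> Dict[str, str]:
    """Call GetSecretValue and parse the JSON key/value payload, checking that the
    keys an RDS-style secret must carry are present."""
    resp = client.get_secret_value(SecretId=secret_id)
    raw = resp["SecretString"] if "SecretString" in resp else resp["SecretBinary"].decode("utf-8")
    data = json.loads(raw)
    missing = {"username", "password"} - data.keys()
    if missing:
        raise KeyError(f"secret {secret_id} lacks keys: {sorted(missing)}")
    return data


class CredentialCache:
    """Short-lived cache so every connection does not cost an API call, with an
    invalidate() hook for when the database rejects the cached password."""

    def __init__(self, client: Any, secret_id: str, ttl_seconds: float = 300.0):
        self._client, self._secret_id, self._ttl = client, secret_id, ttl_seconds
        self._value: Optional[Dict[str, str]] = None
        self._fetched_at = 0.0
        self.fetch_count = 0  # how many real GetSecretValue calls were made

    def get(self) -> Dict[str, str]:
        if self._value is None or time.monotonic() - self._fetched_at > self._ttl:
            self._value = fetch_secret(self._client, self._secret_id)
            self._fetched_at = time.monotonic()
            self.fetch_count += 1
        return self._value

    def invalidate(self) -> None:
        self._value = None


def connect_with_refresh(cache: CredentialCache, connect: Callable[[str, str], Any]) -> Any:
    """Connect with cached credentials; on AuthError assume a rotation happened,
    drop the cache and retry once with freshly fetched credentials."""
    creds = cache.get()
    try:
        return connect(creds["username"], creds["password"])
    except AuthError:
        cache.invalidate()
        creds = cache.get()
        return connect(creds["username"], creds["password"])


# --- constructed stand-ins for offline demonstration (not AWS code) ----------

class FakeSecretsClient:
    """Mimics the one boto3 method used above; rotate() changes the password the
    way a Secrets Manager rotation would."""

    def __init__(self, username: str, password: str):
        self._secret = {"username": username, "password": password}

    def get_secret_value(self, SecretId: str) -> Dict[str, Any]:
        return {"Name": SecretId, "SecretString": json.dumps(self._secret)}

    def rotate(self, new_password: str) -> None:
        self._secret["password"] = new_password


class FakeDatabase:
    """Accepts a connection only when the password matches its current one."""

    def __init__(self, username: str, password: str):
        self.username, self.password = username, password

    def connect(self, username: str, password: str) -> str:
        if (username, password) != (self.username, self.password):
            raise AuthError("access denied")
        return f"session for {username}"


def demo() -> Dict[str, Any]:
    """Rotate the secret behind the app's back and show the retry path recovers."""
    secrets = FakeSecretsClient("app_user", "initial-pw")  # constructed values
    db = FakeDatabase("app_user", "initial-pw")
    cache = CredentialCache(secrets, SECRET_ID)
    first = connect_with_refresh(cache, db.connect)
    secrets.rotate("rotated-pw")      # rotation updates the secret...
    db.password = "rotated-pw"        # ...and the database, as a rotation function does
    second = connect_with_refresh(cache, db.connect)  # cached pw fails, refetch succeeds
    return {"first": first, "second": second, "fetches": cache.fetch_count}


if __name__ == "__main__":
    print(demo())
```

An application written this way never holds a password in its source, and a rotation that lands between two connections costs it one failed login and one extra API call rather than an outage; an application with the password embedded has no refresh path and breaks exactly as the paragraph above describes.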

I stumbled upon your post researching another topic. Thanks for writing about AWS SM; we see many teams get confused between Param Store and Secrets Manager. There's a free version of CloudTruth that makes AWS Secrets Manager and Parameter Store work better: https://www.cloudtruth.com/aws-secrets-manager-parameter-store
