“Challenges faced to find the solution of how to secure the database credentials”. I have checked different ways so that I can give the security to users' credentials such as the database username and password. I got the solution to enable the IAM database authentication option in RDS but due to some limitations of IAM database authentication and requirement from client side to secure their users existing credentials. The option of choosing the IAM database authentication is not a good fit for my scenario. So I have checked the service in AWS as AWS Secret Manager which helps to store and rotate the database credentials in terms of username and password not as authentication token. And it's a good fit for my current scenario. So I have just configured a secret manager to store and even rotate the credentials of the database depending on the defined days. This is really a good option as in terms of cost optimization and security purpose.
AWS Secrets Manager helps you protect secrets needed to access your applications, services, and IT resources. The service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. Users and applications retrieve secrets with a call to Secrets Manager APIs, eliminating the need to hard code sensitive information in plain text.
Secrets Manager offers secret rotation with built-in integration for Amazon RDS, Amazon Redshift, and Amazon DocumentDB. Also, the service is extensible to other types of secrets, including API keys and OAuth tokens. In addition, Secrets Manager enables you to control access to secrets using fine-grained permissions and audit secret rotation centrally for resources in the AWS Cloud, third-party services, and on-premises.
In this post, you will get to know how to store database credentials for a RDS database using AWS Secrets Manager. Here I have used a WORD PRESS application server that requires database credentials to access the MySQL database.
Prerequisites
You’ll need an Amazon EC2 Server for this post. Getting started with amazon EC2 provides instructions on how to launch an EC2 Server.
You’ll also need AWS Command Line Interface (AWS CLI) installed and configured on your machine. For this blog, I assume that the default AWS CLI region is set to N. Virginia (us-east-1) and that you have access to the AWS services described in this post. If you use other regions, you should check the availability of AWS services in those regions.
Architecture Overview
The architecture diagram shows the overall deployment architecture with data flow, application server, Mysql DB instance, AWS CLI and AWS secrets manager.
Solution overview
The blog post consists of the following phases:
- Store a secret in Secrets Manager
- Update an application to retrieve secret from Secrets Manager
- Enable Rotation for your secret
Phase 1: Store a secret in Secrets Manager
- Open the Secrets Manager Console and select Store a new secret.
- Select Credentials for RDS database and Give Username and password of RDS which will make a secret and choose the default encryption key.
- Select the DB instance mysql-rds-database, and then select Next.
- Give Secret name and description.
- Choose default disable automatic rotation option.
- Review all configurations and can change if you want.
- Secret application successfully created.
- Can check the auto-generated sample code with different languages.
Phase 2: Update an application to retrieve secret from Secrets Manager
Update the application to retrieve the database credential from Secrets Manager
Connect to EC2 instance.
Add this code to the application to retrieve credentials.
// Use the code snippet provided by Secrets Manager.
import boto3
from botocore.exceptions import ClientError
def get_secret():
// Define the secret you want to retrieve
secret_name = “Applications/MyApp/MySQL-RDS-Database”
// Define the Secrets mManager end-point your code should use.
endpoint_url = “https://secretsmanager.us-east-1.amazonaws.com"
region_name = “us-east-1”
// Setup the client
session = boto3.session.Session()
client = session.client(
service_name=’secretsmanager’,
region_name=region_name,
endpoint_url=endpoint_url
)
// Use the client to retrieve the secret
try:
get_secret_value_response = client.get_secret_value(
SecretId=secret_name
)
// Error handling to make it easier for your code to tolerate faults
except ClientError as e:
if e.response[‘Error’][‘Code’] == ‘ResourceNotFoundException’:
print(“The requested secret “ + secret_name + “ was not found”)
elif e.response[‘Error’][‘Code’] == ‘InvalidRequestException’:
print(“The request was invalid due to:”, e)
elif e.response[‘Error’][‘Code’] == ‘InvalidParameterException’:
print(“The request had invalid params:”, e)
else:
// Decrypted secret using the associated KMS CMK
// Depending on whether the secret was a string or binary, one of these fields will be populated
if ‘SecretString’ in get_secret_value_response:
secret = get_secret_value_response[‘SecretString’]
else:
binary_secret_data = get_secret_value_response[‘SecretBinary’]
// Your code goes here.Attach an IAM role to an EC2 instance.
{
“Version”: “2012–10–17”,
“Statement”: {
“Sid”: “RetrieveDbCredentialFromSecretsManager”,
“Effect”: “Allow”,
“Action”: “secretsmanager:GetSecretValue”,
“Resource”: “arn:aws:secretsmanager:::secretApplications/MyApp/MySQL-RDS-Database”
}
}
Phase 3: Enable Rotation for Your Secret
- To enable rotation option, goto rotation configuration edit option.
- Set enable automatic rotation option and choose rotation interval.
- Choose to create a lambda function to perform rotation options.
- Select Secret which was stored previously.
- Rotation is being created.
- Rotation Enabled for selected days.
WordPress application server with MYSQL RDS database to store credentials in a secret Manager —
Step 1) Launched WordPress application server
Step 2) Created MYSQL RDS Database
Step 3) Store a secret key of RDS in secret manager
Step 4) Enable key rotation option with defined details
Step 5) Check configurations in secret manager using AWS CLI for wordpress application. Enabled rotation here for 30 days.
Step 6) Enabled rotation here for 60 days
Step 7) Get database credentials via AWS Command Line stored on AWS secret manager
Clean-up
Terminate EC2 Server.
Delete AWS Secret Manager.
Delete RDS Database.
Pricing
I review the pricing and estimated cost of this example. AWS Secrets Manager offers a 30-day trial period that starts when you store your first secret. Storage of each secret costs $0.40 per secret per month. For secrets that are stored for less than a month, the price is prorated based on the number of hours. There is an additional cost of $0.05 per 10,000 API calls. You can learn more by visiting the AWS Secrets Manager pricing service details page.
Cost of EC2 = $0.012 per hour = $0.024(2 hours).
Cost of RDS = $14.75 per month = $0.04(2 hours).
Cost of AWS Secrets Manager = 2 hours x ($0.40 per secret per month / 30 days / 24 hours + $0.05 per 10,000 API calls).
Summary
In this post, I had shown you how to store and rotate database credentials using AWS Secret Manager.
For more details on secrets management, Checkout Get started managing secrets, open the Secrets Manager console. To learn more, read the Secrets Manager documentation.
Thanks for reading!
Connect with me: Linkedin
Latest comments (4)
I was wondering: why did you choose using Secret Manager (and all the hassle of key rotation) instead of going for IAM database authentication?
Hi Gert, That was a good question.
Actually due to limitations of IAM database authentication and requirement to implement on existing scenario where need to configure the password based authentication only. So choosen secret manager for securing purpose.
Ok, make sense. I would add this to the article because a lot of people seem to be unfamiliar with it. I think it adds value if you would add it and why you choose not to use it. Just my 2 cents of course ;-)
Sure! Thankyou for your suggestion and really appreciate 😀