💍 aws-vault-lite: One AWS Secret to Rule Them All

This is a submission for the Amazon Q Developer "Quack The Code" Challenge: Exploring the Possibilities

What I Built

At my company, we still don’t have a proper tool to manage secrets. So, naturally, people come up with their own solutions—some of them not very secure.

I had the idea of using AWS Secrets Manager as a secure place to store our secrets. But there was a challenge:
We didn’t want to create a separate secret for every single thing. Some secrets might never even be used, and at $0.40 per secret, that adds up quickly.

Then I discovered that a single AWS Secret can store up to 64KB, which is more than enough for a bunch of simple strings.

That got me thinking...
What if I could build a secret manager using just one AWS Secret?

So I did it! :)

Introducing aws-vault-lite — a lightweight secret manager I built in just one night (with a hand from Amazon Q).

What is?
The Single Secret Design (SSD) is a cost-effective and flexible strategy for managing secrets in AWS Secrets Manager. Instead of creating individual secrets for every credential or config item, SSD consolidates all secrets for a single department (e.g., CloudOps, Networking, Infra) into one structured JSON secret, significantly reducing monthly costs and improving manageability.

That was a pretty polite intro, wasn’t it?
But hey, this is going on my GitHub, so I had to make it sound somewhat professional. 😅
(You know, for the future me, recruiters, and curious developers judging my README skills.)

Demo

This what you could expect from the app.

Code Repository

Try it at:
https://github.com/fabiocore/aws-vault-lite

How I Used Amazon Q Developer

I always like to start with a file that gives some context to the LLM, so I created the repo and added a README.md file first.

The README.md gives a high-level overview of what we’re about to build — what it is, what it does, and why it’s useful. No implementation details yet, just the big picture.

It ended up being pretty short — about a page and a half. Just enough to set the stage.

Now let me show you my PROMPT skills... 😅

1st PROMPT

> Let's create the project in this folder.
First of all, take a look in the README.md file and make a resume of what do you understand about it.

Based on the README.md file, I understand that this project is about implementing the Single Secret Design (SSD) pattern for AWS Secrets Manager. Here's a summary of the key
points:

1. Purpose: SSD is a cost-effective approach to manage secrets in AWS Secrets Manager by consolidating multiple credentials into a single JSON secret per department.

2. Structure: Each secret is organized as a JSON object where:
   • Keys represent systems or tools (like "argocd-staging" or "terraform-provisioner")
   • Values are flexible objects containing credentials (username, password, URL, etc.)

3. Benefits:
   • Cost efficiency: Reduces the $0.40/secret/month pricing by using fewer secrets
   • Security: Maintains centralized encryption with IAM access control
   • Flexibility: No rigid schema requirements
   • Simplicity: Easy integration with AWS SDKs and CLI
   • Scalability: Can store many credentials (up to 64KB) in a single secret

4. Use Cases: Designed for teams like CloudOps, Infrastructure, and Networking to store various credentials for tools, systems, and services.

It seems the project "aws-vault-lite" will likely be a tool to implement this Single Secret Design pattern, providing a simpler interface to manage these consolidated secrets
in AWS Secrets Manager.

Would you like me to help you set up the initial project structure based on this understanding?

2nd PROMPT

> ok, we will use Python to create it, but I would like to do something graphical, simple but graphical, not cli.
what do you recommend me to use?

For a simple graphical Python application to implement the Single Secret Design pattern, I'd recommend using one of these frameworks:

1. Tkinter - Built into Python's standard library, making it easy to get started without additional dependencies. It's lightweight and works well for simple interfaces.

2. PyQt5/PySide6 - More modern-looking UI with comprehensive widgets. Good for creating professional applications with more complex interfaces.

3. Kivy - Cross-platform framework that works well on desktop and mobile, though it has a steeper learning curve.

4. CustomTkinter - A modern-looking extension of Tkinter with better-looking widgets and themes.

For this project, I'd recommend either Tkinter or CustomTkinter since:
• They're lightweight and perfect for simple applications
• Easy to learn and implement
• CustomTkinter gives a more modern look while maintaining Tkinter's simplicity
• Both are well-suited for creating forms and interfaces to manage JSON data

Would you like me to help you set up a basic structure using one of these frameworks? CustomTkinter would give you a more modern look with minimal additional complexity.

3rd PROMPT

> ok, lets try CustomTkinter.
What I expect from this app:

• The user will execute python3 aws-vault-lite.py and a interface will be loaded.
• The interface will use the env variables AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN(if exists)
• If the secret /aws-vault-lite/vault doesn't exist, the app will ask the user to create it.
• If it already exists the app will open and the user will see the secrets names on the left and the values on the center/center-right.
• The user can add new items, the attributes are flexible, the secret name is mandatory.
• Password values are hidden by default and a text 'show hidden' is available for the user to show all hidden contents in that secret.
• The user should confirm before deleting a secret.

Think step by step, think hard, give me an overview of you deployment plan and how the interface will look like at your perspective right now. Wait my agreement before creating the code.

The response from Amazon Q was...

I'll design a CustomTkinter application for the aws-vault-lite project based on your requirements. Let me think through this step by step.

Deployment Plan

1. Project Setup

• Create the main Python file aws-vault-lite.py
• Set up dependencies (CustomTkinter, boto3 for AWS interaction)
• Create a requirements.txt file

2. AWS Authentication

• Read AWS credentials from environment variables
• Implement AWS Secrets Manager client initialization
• Add error handling for missing credentials

3. Secret Management

• Function to check if /aws-vault-lite/vault exists
• Create secret functionality if it doesn't exist
• Load secret data if it exists
• Functions for CRUD operations (Create, Read, Update, Delete)

4. UI Components

• Main window with split layout
• Left panel: List of secret names (keys)
• Right panel: Form to view/edit secret details
• Add/Edit/Delete buttons
• Password field handling with show/hide functionality
• Confirmation dialogs for destructive actions

5. Data Handling

• JSON parsing and formatting
• Data validation
• Error handling

Interface Design

+-----------------------------------------------+
| AWS Vault Lite [X] |
+---------------+-----------------------------+
| Secret List | Secret Details |
| | |
| [argocd-stag..]| Name: argocd-staging |
| [terraform-p..]| |
| [site-xyz ]| Attributes: |
| | user: admin |
| | password: •••••• [Show] |
| | url: https://argocd... |
| | |
| | [+ Add Attribute] |
| | |
+---------------+-----------------------------+
| [+ Add Secret] [Save] [Delete Secret] |
+-----------------------------------------------+

Key UI Features:

1. Left Panel: Scrollable list of secret names
2. Right Panel: • Secret name field • Dynamic attribute fields (key-value pairs) • Password fields masked with dots and individual "Show" buttons • Button to add new attributes
3. Bottom Controls: • Add new secret • Save changes to current secret • Delete current secret (with confirmation)

User Flow:

1. App starts, checks AWS credentials
2. Checks if /aws-vault-lite/vault exists • If not, shows dialog to create it • If yes, loads secret data
3. User can select secrets from the left panel
4. Selected secret details appear in the right panel
5. User can edit values, add/remove attributes
6. Changes are saved to AWS when "Save" is clicked
7. Confirmation dialog appears for destructive actions

Does this approach align with your vision for the application? Would you like me to make any adjustments before I start creating the code?

4th PROMPT

> how it will look like to add a new secret? can you describe/design for me?

When adding a new secret in the AWS Vault Lite application, here's how the interface would look and function:

Adding a New Secret - Interface Design

When the user clicks the "+ Add Secret" button at the bottom of the main window, a new view would appear in the right panel:

+-----------------------------------------------+
| AWS Vault Lite [X] |
+---------------+-----------------------------+
| Secret List | New Secret |
| | |
| [argocd-stag..]| Secret Name*: [_____] |
| [terraform-p..]| |
| [site-xyz ]| Attributes: |
| | |
| | Key: [_____] |
| | Value: [________] [🔒] |
| | |
| | [+ Add Another Attribute] |
| | |
| | |
+---------------+-----------------------------+
| [+ Add Secret] [Save] [Cancel] |
+-----------------------------------------------+

Process Flow:

1. Initial State:
   • The right panel clears and shows a form with:
   • Required "Secret Name" field (marked with )
   • One initial attribute row with key-value fields
   • A lock/unlock toggle button (🔒) next to value fields to mark as password
   • "+ Add Another Attribute" button

2. Adding Attributes:
   • When the user clicks "+ Add Another Attribute", a new row appears:

   Key: [________]
   Value: [________] [🔒]

• Each row also gets a small "X" button to remove that attribute

1. Marking Password Fields:
   • Clicking the lock icon (🔒) marks that value as a password field
   • Password fields will be displayed as dots (•••••) when viewing later

2. Validation:
   • The "Save" button is disabled until the required Secret Name is filled
   • Secret names must be unique (validation against existing names)
   • Empty attribute rows are ignored when saving

3. Saving:
   • When the user clicks "Save", the application:
   • Validates all inputs
   • Creates a new entry in the JSON structure
   • Updates the AWS secret
   • Adds the new secret name to the list on the left
   • Shows the newly created secret details

4. Cancellation:
   • "Cancel" button clears the form and returns to the previously selected secret
   • Or shows empty state if no secrets exist

This design provides a simple, intuitive way for users to add new secrets with flexible attributes while ensuring the required information is provided.

After that, I asked for the first draft — but it turns out the result was pretty much perfect on the first try!
Honestly, I’m impressed! 🎯✨

Done

I ran into a few issues while installing the dependencies on my machine (because of course I did 😅).
Amazon Q helped fix some minor problems related to loading environment variables and setting the default region — just small tweaks overall.

Now it’s working like a charm, and honestly, it feels like a great fit for small teams.

It still needs a few perks — like the ability to select a specific key, and maybe even support for password-based encryption so multiple teams can safely share secrets within a single AWS account.

Feel free to fork it and ask Amazon Q to tweak it to your needs. That’s what I did, and look how far we got! 😄🔧

That’s all, folks! Thanks for reading — and may your secrets always stay secret. 🕵️‍♂️🔐

Comments

[Nathan Tarbert]

honestly this is sick, i love stuff that just cuts costs with actual real-world fixes. you think anyone actually notices how much teams waste on secret sprawl till the bill hits?

[Gavin Rose]

Love this idea!

[Fabio Ferreira]

Thank you!