Postman and AWS secrets Manager

#aws #postman #secretsmanager #api

Hello,
Recently, the project (website) I am working on was attacked :( we decided it's time to analyse the code to find if there is any vulnerabilities to correct in order to improve the security (so we postpone the work that we had plan to do to implement new features). We were shocked to discover that many credentials that we use to access API are hardcoded in the application! we have decided to use AWS Secrets Manager in order to manage different passwords of API used in our app.

I never worked with AWS Secrets Manager, so it was for me the opportunity to use it. Here is the first steps that allow me to retrieve my password from AWS Secrets Manager using Postman :

I created a pair of value, key at AWS Secrets Manager, it's simple and well explained at this link :
https://docs.aws.amazon.com/secretsmanager/latest/userguide/tutorials_basic.html#tutorial-basic-step1
In order to access to the value stored, I added a Permission Policy SecretsManagerReadWrite, more information at the documentation :
https://docs.aws.amazon.com/mediaconnect/latest/ug/iam-policy-examples-asm-secrets.html
Everything is ready to test retrieving the value via Postman :
the Endpoint : https://secretsmanager.REGION_ID.amazonaws.com/GetSecretValue

In the body, I specified the secretId that I took from AWS Secrets Manager:

and voila, the result :

Hands-on debugging session: instrument, monitor, and fix

Join Lazar for a hands-on session where you’ll build it, break it, debug it, and fix it. You’ll set up Sentry, track errors, use Session Replay and Tracing, and leverage some good ol’ AI to find and fix issues fast.

RSVP here →