DEV Community

Siddhant Khare

Syncing AWS Secrets Manager across accounts

Introduction

In this guide, we'll explore how to synchronize AWS Secrets Manager values across two different AWS accounts using Lambda and EventBridge.

Setup

We have two AWS accounts, A and B, each running separate e-commerce sites. Account A stores database information in Secrets Manager, and Account B needs to use this data. The goal is to sync secrets from Account A to Account B whenever they change.

Solution Overview

We'll use AWS EventBridge to detect changes in Secrets Manager in Account A and trigger a Lambda function that updates Secrets Manager in Account B.

Architecture: Syncing AWS Secrets Manager across accounts

Steps

  1. Account B Preparation

    • Create Secrets Manager Secret: Name it super-top-secretB.
    • Create IAM Role: Create a role in Account B (secretsmanager-change-role) that the Lambda execution role in Account A is allowed to assume in order to operate Secrets Manager in Account B. Its trust policy:

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Principal": {
                      "AWS": "arn:aws:iam::<AccountA-ID>:role/service-role/AccountB-SecretsManager-change-Lambda-role"
                  },
                  "Action": "sts:AssumeRole"
              }
          ]
      }
      
    • Attach Policy: Attach the SecretsManagerReadWrite managed policy to this role.

  2. Account A Preparation

    • Create Lambda Function: This function reads secrets from Account A and writes them to Account B. Its execution role needs a policy (AccountB-assumerole-policy) that permits assuming the role in Account B:

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": "sts:AssumeRole",
                  "Resource": "arn:aws:iam::<AccountB-ID>:role/secretsmanager-change-role"
              }
          ]
      }
      
    • Attach Policies: Attach AWSLambdaBasicExecutionRole, SecretsManagerReadWrite, and the AccountB-assumerole-policy above to the Lambda's execution role.

  3. Lambda Function Code

    import boto3
    import json
    
    def lambda_handler(event, context):
        # Names of the secret in Account A (source) and in Account B (destination).
        source_secret_name = "super-top-secretA"
        destination_secret_name = "super-top-secretB"
    
        # Reads from Account A run under the Lambda's own execution role.
        client_source = boto3.client('secretsmanager', region_name='eu-west-2')
    
        # Writes to Account B use temporary credentials from the cross-account role.
        sts_client = boto3.client('sts')
        assumed_role = sts_client.assume_role(
            RoleArn="arn:aws:iam::<AccountB-ID>:role/secretsmanager-change-role",
            RoleSessionName="ReplicateSecretSession"
        )
        credentials = assumed_role['Credentials']
    
        client_destination = boto3.client(
            'secretsmanager',
            region_name='eu-west-2',
            aws_access_key_id=credentials['AccessKeyId'],
            aws_secret_access_key=credentials['SecretAccessKey'],
            aws_session_token=credentials['SessionToken'],
        )
    
        # Fetch the current (AWSCURRENT) value from Account A ...
        secret_value = client_source.get_secret_value(SecretId=source_secret_name)['SecretString']
    
        # ... and store it as a new version of the secret in Account B.
        client_destination.put_secret_value(
            SecretId=destination_secret_name,
            SecretString=secret_value
        )
    
        return {
            'statusCode': 200,
            'body': json.dumps('Secret replicated successfully.')
        }
    
  4. Create EventBridge Rule

    Create an EventBridge rule to detect changes in Secrets Manager in Account A and set the Lambda function as the target.

    {
      "source": ["aws.secretsmanager"],
      "detail-type": ["AWS API Call via CloudTrail"],
      "detail": {
        "eventSource": ["secretsmanager.amazonaws.com"],
        "eventName": ["PutSecretValue"],
        "responseElements": {
          "arn": ["arn:aws:secretsmanager:eu-west-2:<AccountA-ID>:secret:super-top-secretA"]
        }
      }
    }
    
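The Step 3 handler copies a fixed secret on every invocation, whatever the triggering event contained. The following is an added example (my code, not the post's) that takes the changed secret's ARN from the EventBridge event, acts only on ARNs that belong to Account A and appear on an explicit allowlist, skips the write when Account B already holds the same value, and reuses the source version id as an idempotency token so a redelivered event does not create a second version in Account B. The boto3 clients are injected, so the logic runs offline against the stub clients at the bottom; the account id 111111111111, the secret values and the version id are constructed, and accepting UpdateSecret alongside PutSecretValue is my addition (both APIs can replace SecretString).

```python
import json
import re

# Assumed constants: the role ARN placeholder is the post's, the rest is constructed.
DEST_ROLE_ARN = "arn:aws:iam::<AccountB-ID>:role/secretsmanager-change-role"
CHANGE_EVENTS = {"PutSecretValue", "UpdateSecret"}  # both APIs can replace SecretString
ALLOWED_SYNC = {"super-top-secretA": "super-top-secretB"}  # source name -> destination name
# Secrets Manager appends "-" plus six random characters to the name when it builds the ARN.
SECRET_ARN_RE = re.compile(
    r"^arn:aws:secretsmanager:[a-z0-9-]+:(?P<account>\d{12}):secret:(?P<name>.+)-[A-Za-z0-9]{6}$"
)

def source_name_from_event(event, expected_account):
    """Name of the changed secret, or None when the event must not be acted on
    (wrong API, ARN from a different account, or an ARN that does not parse)."""
    detail = event.get("detail", {})
    if detail.get("eventName") not in CHANGE_EVENTS:
        return None
    m = SECRET_ARN_RE.match(detail.get("responseElements", {}).get("arn", ""))
    if m is None or m.group("account") != expected_account:
        return None
    return m.group("name")

def replicate(event, *, source_client, destination_client, source_account):
    """Copy the changed secret to Account B. Clients are injected so this runs offline."""
    name = source_name_from_event(event, source_account)
    if name is None:
        return {"status": "ignored", "reason": "event not trusted"}
    dest_name = ALLOWED_SYNC.get(name)
    if dest_name is None:
        return {"status": "ignored", "reason": f"{name} is not in the allowlist"}
    value = source_client.get_secret_value(SecretId=name)["SecretString"]
    # Real boto3 raises ResourceNotFoundException when the destination has no version
    # yet; the stub below returns {} instead. Skipping avoids a no-op version in B.
    current = destination_client.get_secret_value(SecretId=dest_name).get("SecretString")
    if current == value:
        return {"status": "skipped", "secret": dest_name}
    # Source version id as ClientRequestToken: a redelivered event with the same token
    # and value is idempotent instead of producing yet another version.
    kwargs = {"SecretId": dest_name, "SecretString": value}
    token = event["detail"]["responseElements"].get("versionId")
    if token:
        kwargs["ClientRequestToken"] = token
    destination_client.put_secret_value(**kwargs)
    return {"status": "replicated", "secret": dest_name}

def lambda_handler(event, context):
    """Lambda entry point; boto3 is imported here so the logic above imports without it."""
    import boto3
    region = event.get("region", "eu-west-2")
    creds = boto3.client("sts").assume_role(
        RoleArn=DEST_ROLE_ARN, RoleSessionName="ReplicateSecretSession")["Credentials"]
    destination = boto3.client(
        "secretsmanager", region_name=region, aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"], aws_session_token=creds["SessionToken"])
    result = replicate(event, source_client=boto3.client("secretsmanager", region_name=region),
                       destination_client=destination, source_account=event["account"])
    return {"statusCode": 200, "body": json.dumps(result)}

class StubSecretsClient:
    """Constructed stand-in for the two secretsmanager calls the handler makes."""
    def __init__(self, secrets):
        self.secrets = dict(secrets)
        self.puts = []  # (SecretId, ClientRequestToken) per write, for inspection

    def get_secret_value(self, SecretId):
        return {"SecretString": self.secrets[SecretId]} if SecretId in self.secrets else {}

    def put_secret_value(self, SecretId, SecretString, **kwargs):
        self.puts.append((SecretId, kwargs.get("ClientRequestToken")))
        self.secrets[SecretId] = SecretString
        return {"Name": SecretId}

# Constructed EventBridge event for a PutSecretValue call recorded by CloudTrail.
SAMPLE_EVENT = {
    "source": "aws.secretsmanager", "detail-type": "AWS API Call via CloudTrail",
    "account": "111111111111", "region": "eu-west-2",
    "detail": {
        "eventSource": "secretsmanager.amazonaws.com", "eventName": "PutSecretValue",
        "responseElements": {
            "arn": "arn:aws:secretsmanager:eu-west-2:111111111111:secret:super-top-secretA-AbCdEf",
            "name": "super-top-secretA",
            "versionId": "1b2c3d4e-5f60-4718-9a0b-c1d2e3f4a5b6",
        },
    },
}

def demo():
    """First delivery copies the value; the redelivered event is skipped."""
    src = StubSecretsClient({"super-top-secretA": '{"host":"db-a","password":"new"}'})
    dst = StubSecretsClient({"super-top-secretB": '{"host":"db-a","password":"old"}'})
    args = dict(source_client=src, destination_client=dst, source_account="111111111111")
    return replicate(SAMPLE_EVENT, **args), replicate(SAMPLE_EVENT, **args), dst
```

The allowlist is the important control: the Lambda's execution role holds SecretsManagerReadWrite in Account A, so without it any event that reaches the function (including one for a secret the rule was never meant to cover) would be copied to Account B.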
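Step 4's pattern compares the secret ARN literally. Secrets Manager appends a hyphen and six random characters to the secret name when it creates the ARN, so a rule keyed on the bare name never fires. The following added example (not from the post) implements enough of EventBridge's matching rules, literal alternatives and {"prefix": ...}, to evaluate both forms against constructed CloudTrail events; the account id and suffixes are made up, and including UpdateSecret in the prefix form is my addition. It also shows the cost of prefix matching: a secret whose name merely starts with super-top-secretA matches too, so the Lambda must still verify the name it received.

```python
# Constructed account id used in place of <AccountA-ID>.
ACCOUNT_A = "111111111111"
SECRET_PREFIX = f"arn:aws:secretsmanager:eu-west-2:{ACCOUNT_A}:secret:super-top-secretA"

# Step 4's rule with the account filled in: exact match on the bare ARN.
EXACT_PATTERN = {
    "source": ["aws.secretsmanager"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["secretsmanager.amazonaws.com"],
        "eventName": ["PutSecretValue"],
        "responseElements": {"arn": [SECRET_PREFIX]},
    },
}

# Prefix form; UpdateSecret is included because it can replace SecretString as well.
PREFIX_PATTERN = {
    "source": ["aws.secretsmanager"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["secretsmanager.amazonaws.com"],
        "eventName": ["PutSecretValue", "UpdateSecret"],
        "responseElements": {"arn": [{"prefix": SECRET_PREFIX}]},
    },
}

def _item_matches(item, actual):
    """One alternative from a pattern list: a literal value, or {"prefix": str}."""
    if isinstance(item, dict) and "prefix" in item:
        return isinstance(actual, str) and actual.startswith(item["prefix"])
    return item == actual

def matches(pattern, event):
    """Subset of EventBridge pattern semantics: every pattern key must exist in the
    event; a nested object recurses; a list means 'any of these alternatives'."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif isinstance(expected, list):
            if not any(_item_matches(item, actual) for item in expected):
                return False
        else:
            raise ValueError(f"pattern value for {key!r} must be a list or an object")
    return True

def cloudtrail_event(event_name, secret_name, suffix):
    """Constructed event as EventBridge delivers it; the real ARN carries the suffix."""
    return {
        "source": "aws.secretsmanager",
        "detail-type": "AWS API Call via CloudTrail",
        "account": ACCOUNT_A,
        "region": "eu-west-2",
        "detail": {
            "eventSource": "secretsmanager.amazonaws.com",
            "eventName": event_name,
            "responseElements": {
                "arn": f"arn:aws:secretsmanager:eu-west-2:{ACCOUNT_A}:secret:{secret_name}-{suffix}",
                "name": secret_name,
            },
        },
    }

def evaluate():
    """Which constructed events each pattern would deliver to the Lambda target."""
    put_a = cloudtrail_event("PutSecretValue", "super-top-secretA", "AbCdEf")
    update_a = cloudtrail_event("UpdateSecret", "super-top-secretA", "AbCdEf")
    # A differently named secret that happens to share the prefix.
    put_other = cloudtrail_event("PutSecretValue", "super-top-secretA-backup", "XyZ123")
    return {
        "exact/put": matches(EXACT_PATTERN, put_a),          # suffix defeats the literal
        "prefix/put": matches(PREFIX_PATTERN, put_a),
        "prefix/update": matches(PREFIX_PATTERN, update_a),
        "prefix/other": matches(PREFIX_PATTERN, put_other),  # prefix collision
    }
```

Because EventBridge cannot express "exactly six characters after the name", the rule is best treated as a coarse filter and the exact secret name re-checked inside the function.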

Conclusion

By following these steps, you can automate the synchronization of secrets across AWS accounts using EventBridge and Lambda. This approach ensures that secrets in Account B are always up to date with changes in Account A.
