Secrets Manager & Cognito
Last updated
The AWS Secrets Manager is a key-value service for the safe storage of secrets; a secret's value can be a plain-text string or a JSON document. A secret has a name, and that name is its key. A successful strategy for using it relies on a properly granular IAM permissions scheme, so that each resource is granted access only to the specific secrets it needs.
You can find the Secrets Manager in this link: https://console.aws.amazon.com/secretsmanager/home?region=us-east-1#
Name | Description
Operational Excellence | The ability to run and monitor systems to deliver business value and to continually improve supporting processes and procedures.
Security | The ability to protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies.
Reliability | The ability of a system to recover from infrastructure or service disruptions, dynamically acquire computing resources to meet demand, and mitigate disruptions such as misconfigurations or transient network issues.
Performance Efficiency | The ability to use computing resources efficiently to meet system requirements, and to maintain that efficiency as demand changes and technologies evolve.
Cost Optimization | The ability to run systems to deliver business value at the lowest price point.
AWS Well Architected Framework PDF
Keep the encryption secrets safely stored
Keep the secrets centralized
There is no grand architecture for this service. Python code using the Boto3 library gets access by initializing a session and creating a client for the service it wants to use; the library then looks up the secret by name and returns its value.
Whatever process runs the Python code (most likely a Lambda function) requires granular permissions to access that specific secret resource.
Here is the current policy, atd-moped-users-cognito-hook-secrets-access, attached to the role atd-moped-cognito-hook.
There are 4 secrets (variables) needed for the authentication process:
Secret Name | Description | Date Created
 | This is the fernet key used in Python to decrypt strings in the DynamoDB production table. | 9/24/2020
 | This secret is used in GitHub Actions to deploy the Cognito lambda functions. It contains important environment variables for the staging environment. | 9/23/2020
 | This secret is used in GitHub Actions to deploy the Cognito lambda functions. It contains important environment variables for the production environment. | 9/23/2020
 | This is the fernet key used in Python to decrypt strings in the DynamoDB staging table. | 9/23/2020
This process assumes the Lambda trigger running the Python code has the IAM permissions to execute and to access the specific secrets it needs.
1. The Lambda executes the pre-token trigger and runs the Python code.
2. The Python code attempts to fetch the encryption secret.
3. The encryption secret holds the key used to decrypt the claims stored in DynamoDB.
4. The Python code returns the decrypted claims from DynamoDB.
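The flow above (Boto3 fetching the secret by name, then decrypting the DynamoDB claims with the Fernet key inside a pre-token trigger), as an added example that is not the project's own code. The secret name, table name, the `user_id`/`claims` attribute names and the use of the `cryptography` package's Fernet are assumptions; the AWS clients are injectable so the logic can be exercised offline.

```python
"""Cognito pre-token-generation Lambda: fetch a Fernet key from Secrets Manager
and use it to decrypt the claims stored in DynamoDB (example, not project code)."""
import json
import os

# Secret and table names are assumptions; the page does not list them.
FERNET_SECRET_NAME = os.environ.get("FERNET_SECRET_NAME", "EXAMPLE/fernet-key")
CLAIMS_TABLE = os.environ.get("CLAIMS_TABLE", "EXAMPLE-claims-table")
_key_cache = {}  # survives warm invocations, so the secret is fetched only once


def get_fernet_key(secrets_client, secret_name=FERNET_SECRET_NAME):
    """Fetch the key by secret name. The role only needs
    secretsmanager:GetSecretValue on this secret's ARN, not on all secrets."""
    if secret_name not in _key_cache:
        resp = secrets_client.get_secret_value(SecretId=secret_name)
        _key_cache[secret_name] = resp["SecretString"].encode()
    return _key_cache[secret_name]


def decrypt_claims(key, ciphertext, decrypt=None):
    """Decrypt the JSON claims blob. `decrypt` defaults to Fernet from the
    cryptography package and is injectable for offline testing."""
    if decrypt is None:
        from cryptography.fernet import Fernet  # assumed dependency
        decrypt = Fernet(key).decrypt
    return json.loads(decrypt(ciphertext))


def handler(event, context, secrets_client, table, decrypt=None):
    """Core of the pre-token trigger: add the decrypted claims to the token."""
    username = event["userName"]
    item = table.get_item(Key={"user_id": username}).get("Item")
    if not item or "claims" not in item:
        return event  # no stored claims: issue the token unchanged
    key = get_fernet_key(secrets_client)
    claims = decrypt_claims(key, item["claims"].encode(), decrypt)
    # Cognito only accepts string values for overridden claims
    event.setdefault("response", {})["claimsOverrideDetails"] = {
        "claimsToAddOrOverride": {k: str(v) for k, v in claims.items()}
    }
    return event


def lambda_handler(event, context):
    """Entry point wired to real AWS clients (boto3 imported lazily)."""
    import boto3
    secrets = boto3.client("secretsmanager")
    table = boto3.resource("dynamodb").Table(CLAIMS_TABLE)
    return handler(event, context, secrets, table)
```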
Other notes:
It’s worth mentioning that each secret is considered a different resource in AWS, and has its own ARN identifier.
The secrets are created and deployed manually.
Product page: https://aws.amazon.com/secrets-manager/