# Secrets Manager & Cognito

AWS Secrets Manager is a key-value service for storing secrets safely; a secret can be a plain-text value or a JSON document. A secret has a name, and that name is its key. Using the service successfully depends on a granular IAM permissions scheme that grants each resource access only to the specific secrets it uses.

You can find the Secrets Manager at this link:\
<https://console.aws.amazon.com/secretsmanager/home?region=us-east-1#>

![](https://team-1600951431491.atlassian.net/wiki/download/thumbnails/360484/2020-09-23_11-56-52.png?version=1\&modificationDate=1600960489401\&cacheVersion=1\&api=v2\&width=680)

| **Diagram owner**     | [Data & Technology Services](https://app.gitbook.com/wiki/people/team/92ec81f5-f5e6-4a9a-9376-5eeddf86962f?ref=confluence\&src=fabric) ([Sergio Garcia](https://team-1600951431491.atlassian.net/wiki/people/5f6c958d4147d600774d5e8f?ref=confluence)) |
| --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **Team**              | [Sergio Garcia](https://team-1600951431491.atlassian.net/wiki/people/5f6c958d4147d600774d5e8f?ref=confluence)                                                                                                                                          |
| **Last date updated** | e.g., 24 Sep 2020                                                                                                                                                                                                                                      |

| **Name**                   | **Description**                                                                                                                                                                                                        |
| -------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Operational Excellence** | The ability to run and monitor systems to deliver business value and to continually improve supporting processes and procedures.                                                                                       |
| **Security**               | The ability to protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies.                                                                            |
| **Reliability**            | The ability of a system to recover from infrastructure or service disruptions, dynamically acquire computing resources to meet demand, and mitigate disruptions such as misconfigurations or transient network issues. |
| **Performance Efficiency** | The ability to use computing resources efficiently to meet system requirements, and to maintain that efficiency as demand changes and technologies evolve.                                                             |
| **Cost Optimization**      | The ability to run systems to deliver business value at the lowest price point.                                                                                                                                        |

[AWS Well Architected Framework PDF](https://d1.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf)

## Goals

* Keep the encryption secrets safely stored
* Keep the secrets centralized

## Architecture

![](https://team-1600951431491.atlassian.net/wiki/download/attachments/360484/secrets_manager.png?version=1\&modificationDate=1600960889663\&cacheVersion=1\&api=v2)

There is no grand architecture for this service. Python code using the Boto3 library gets access by initializing a session and requesting the `secretsmanager` service; Boto3 then looks the secret up by name and returns its value.

Whatever process runs the Python code (most likely a Lambda function) needs granular permissions to access each secret it reads.

Here is the current policy [atd-moped-users-cognito-hook-secrets-access](https://console.aws.amazon.com/iam/home?region=us-east-1#/policies/arn%3Aaws%3Aiam%3A%3A295525487728%3Apolicy%2Fatd-moped-users-cognito-hook-secrets-access), under the role [atd-moped-cognito-hook](https://console.aws.amazon.com/iam/home?region=us-east-1#/roles/atd-moped-cognito-hook)

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": [
                "arn:aws:secretsmanager:us-east-1:295525487728:secret:ATD_MOPED_USERS_COGNITO_DYNAMODB-txVJVP",
                "arn:aws:secretsmanager:us-east-1:295525487728:secret:ATD_MOPED_USERS_COGNITO_DYNAMODB_STAGING-NcR6wu"
            ]
        }
    ]
}
```
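The policy above is the kind of "one role, named secrets, one action" grant the page calls for. As an added example (not part of the original page or the project's code), here is a small checker that flags Allow statements which are broader than that: wildcard actions, actions other than `secretsmanager:GetSecretValue`, a `*` resource, or a resource that is not a single secret ARN. The page's own policy is embedded as test input. One caveat the regex encodes: Secrets Manager appends a random six-character suffix to every secret ARN (the `-txVJVP` and `-NcR6wu` above), so a deleted and recreated secret gets a new ARN and the policy must be updated; AWS documents the `-??????` wildcard form for matching the suffix by name, and the checker accepts that form too.

```python
import re
from typing import Dict, List

# The policy quoted on this page (atd-moped-users-cognito-hook-secrets-access), used as input.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": [
                "arn:aws:secretsmanager:us-east-1:295525487728:secret:ATD_MOPED_USERS_COGNITO_DYNAMODB-txVJVP",
                "arn:aws:secretsmanager:us-east-1:295525487728:secret:ATD_MOPED_USERS_COGNITO_DYNAMODB_STAGING-NcR6wu",
            ],
        }
    ],
}

# A single secret ARN: region, 12-digit account id, "secret:", the secret name, and the random
# six-character suffix Secrets Manager appends (or the "-??????" wildcard AWS documents for it).
SECRET_ARN = re.compile(
    r"^arn:aws:secretsmanager:[a-z0-9-]+:\d{12}:secret:[A-Za-z0-9/_+=.@-]+-(?:[A-Za-z0-9]{6}|\?{6})$"
)
READ_ACTION = "secretsmanager:GetSecretValue"


def _as_list(value) -> List[str]:
    """IAM accepts a string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_secrets_policy(policy: Dict) -> List[str]:
    """Return findings for Allow statements broader than 'read these named secrets'.

    An empty list means every Allow statement grants only GetSecretValue on
    individually named secret ARNs. Deny statements are not inspected.
    """
    findings: List[str] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action!r}")
            elif action != READ_ACTION:
                findings.append(f"{sid}: action {action!r} does more than read a secret")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append(f"{sid}: resource '*' grants every secret in the account")
            elif not SECRET_ARN.match(resource):
                findings.append(f"{sid}: resource {resource!r} is not a single secret ARN")
    return findings


if __name__ == "__main__":
    for finding in lint_secrets_policy(PAGE_POLICY) or ["no findings"]:
        print(finding)
```

Run it against a policy exported from the IAM console before attaching it to a role; an empty result means the policy is no broader than the one on this page.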

There are 4 secrets needed to support the authentication process:

| Secret Name                                                                                                                                                                | Description                                                                                                                                               | Date Created |
| -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------ |
| [ATD\_MOPED\_USERS\_COGNITO\_DYNAMODB](https://console.aws.amazon.com/secretsmanager/home?region=us-east-1#/secret?name=ATD_MOPED_USERS_COGNITO_DYNAMODB)                  | This is the Fernet key used in Python to decrypt strings in the production DynamoDB table.                                                                | 9/24/2020    |
| [ATD\_MOPED\_COGNITO\_HOOK\_ENV\_STAGING](https://console.aws.amazon.com/secretsmanager/home?region=us-east-1#/secret?name=ATD_MOPED_COGNITO_HOOK_ENV_STAGING)             | This secret is used in GitHub actions to deploy the cognito lambda functions. It contains important environment variables for the staging environment.    | 9/23/2020    |
| [ATD\_MOPED\_COGNITO\_HOOK\_ENV\_PRODUCTION](https://console.aws.amazon.com/secretsmanager/home?region=us-east-1#/secret?name=ATD_MOPED_COGNITO_HOOK_ENV_PRODUCTION)       | This secret is used in GitHub actions to deploy the cognito lambda functions. It contains important environment variables for the production environment. | 9/23/2020    |
| [ATD\_MOPED\_USERS\_COGNITO\_DYNAMODB\_STAGING](https://console.aws.amazon.com/secretsmanager/home?region=us-east-1#/secret?name=ATD_MOPED_USERS_COGNITO_DYNAMODB_STAGING) | This is the Fernet key used in Python to decrypt strings in the staging DynamoDB table.                                                                   | 9/23/2020    |

### Architecture flow

This process assumes the Lambda function behind the trigger has the IAM permissions to execute and to read the specific secrets it needs.

1. The Lambda function executes the pre-token trigger and runs the Python code.
2. The Python code fetches the encryption secret from Secrets Manager.
3. The encryption secret holds the key used to decrypt the claims stored in DynamoDB.
4. The Python code returns the claims decrypted from DynamoDB to Cognito.
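The four steps above, together with the Boto3 access described under Architecture, as an added example that is not the project's own code. It shows the shape of a Cognito Pre Token Generation handler: fetch the secret by name (caching it so a warm Lambda container does not call Secrets Manager on every token request, and handling both the `SecretString` and `SecretBinary` response fields), turn the Fernet key into a decrypt function, decrypt the per-user claims read from DynamoDB, and hand them back to Cognito in `response.claimsOverrideDetails.claimsToAddOrOverride`. Everything about the DynamoDB item layout (keyed by `user_id`, claims in a map attribute named `claims`) is an assumption, as are the `FakeSecretsManager`, `FakeTable` and toy decryptor used so the demo runs offline without `boto3` or `cryptography`; `build_aws_clients` shows the real Boto3 wiring.

```python
import json
from typing import Callable, Dict

# Module-level cache: a warm Lambda container reuses it, so the secret is fetched once
# per container rather than once per token request.
_SECRET_CACHE: Dict[str, str] = {}


def get_secret_string(client, secret_name: str) -> str:
    """Fetch a secret by name via GetSecretValue and cache it.

    boto3 returns SecretString for text secrets and SecretBinary (bytes) for binary
    ones; handle both so a binary secret does not raise KeyError.
    """
    if secret_name not in _SECRET_CACHE:
        response = client.get_secret_value(SecretId=secret_name)
        if "SecretString" in response:
            _SECRET_CACHE[secret_name] = response["SecretString"]
        else:
            _SECRET_CACHE[secret_name] = response["SecretBinary"].decode("utf-8")
    return _SECRET_CACHE[secret_name]


def parse_secret(raw: str):
    """A secret is either a plain-text value or a JSON document: return a dict for a
    JSON object, otherwise the raw string (a Fernet key is plain text)."""
    try:
        parsed = json.loads(raw)
    except ValueError:
        return raw
    return parsed if isinstance(parsed, dict) else raw


def fernet_decryptor(key: str) -> Callable[[str], str]:
    """Turn the Fernet key held in the secret into a decrypt callable.
    cryptography is imported here so the rest of the module runs without it."""
    from cryptography.fernet import Fernet
    fernet = Fernet(key.encode("utf-8"))
    return lambda token: fernet.decrypt(token.encode("utf-8")).decode("utf-8")


def pre_token_handler(event: dict, secrets_client, claims_table,
                      decrypt_factory: Callable[[str], Callable[[str], str]] = fernet_decryptor,
                      secret_name: str = "ATD_MOPED_USERS_COGNITO_DYNAMODB") -> dict:
    """Cognito Pre Token Generation trigger (steps 1-4 of the architecture flow).

    Assumed, not taken from the page: the DynamoDB item is keyed by the Cognito
    user name ("user_id") and holds the encrypted claims in a map attribute "claims".
    """
    username = event["userName"]
    key = get_secret_string(secrets_client, secret_name)      # step 2: fetch the secret
    decrypt = decrypt_factory(key)                              # step 3: key -> decrypt function
    item = claims_table.get_item(Key={"user_id": username}).get("Item", {})
    claims = {name: decrypt(token) for name, token in item.get("claims", {}).items()}
    # step 4: Cognito reads added claims from response.claimsOverrideDetails
    event.setdefault("response", {})["claimsOverrideDetails"] = {"claimsToAddOrOverride": claims}
    return event


def build_aws_clients(table_name: str, region: str = "us-east-1"):
    """Real Boto3 session, imported lazily so the offline demo needs no AWS credentials."""
    import boto3
    session = boto3.session.Session()
    return (session.client("secretsmanager", region_name=region),
            session.resource("dynamodb", region_name=region).Table(table_name))


class FakeSecretsManager:
    """Constructed stand-in for the boto3 secretsmanager client (offline demo only)."""
    def __init__(self, secrets: Dict[str, object]):
        self._secrets, self.calls = secrets, 0

    def get_secret_value(self, SecretId: str) -> dict:
        self.calls += 1
        if SecretId not in self._secrets:
            raise LookupError(f"{SecretId}: not found")  # boto3 raises ResourceNotFoundException
        value = self._secrets[SecretId]
        field = "SecretBinary" if isinstance(value, bytes) else "SecretString"
        return {"Name": SecretId, field: value}


class FakeTable:
    """Constructed stand-in for a boto3 DynamoDB Table resource (offline demo only)."""
    def __init__(self, items: Dict[str, dict]):
        self._items = items

    def get_item(self, Key: dict) -> dict:
        item = self._items.get(Key["user_id"])
        return {"Item": item} if item else {}


def demo() -> dict:
    """Run the trigger offline with constructed data and a toy decryptor."""
    secrets = FakeSecretsManager({"ATD_MOPED_USERS_COGNITO_DYNAMODB": "constructed-fernet-key"})
    table = FakeTable({"jdoe": {"user_id": "jdoe", "claims": {"custom:role": "enc:editor"}}})

    def toy_decryptor(key: str) -> Callable[[str], str]:
        # Stand-in for fernet_decryptor so the demo runs without cryptography installed.
        return lambda token: token[len("enc:"):]

    event = {"userName": "jdoe", "request": {}, "response": {}}
    return pre_token_handler(event, secrets, table, decrypt_factory=toy_decryptor)


if __name__ == "__main__":
    print(json.dumps(demo()["response"], indent=2))
```

In a deployed function the module-level cache also means a rotated secret is only picked up when the container is recycled; if the Fernet key is ever rotated, either re-fetch on a decrypt failure or redeploy the function.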

Other notes:

It’s worth mentioning that each secret is considered a different resource in AWS, and has its own ARN identifier.

## Deployment strategy

The secrets are created and deployed manually.

## References and documentation

* Product page:\
  <https://aws.amazon.com/secrets-manager/>
* Python documentation:\
  <https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/secretsmanager.html>


