So now let's look into a service called Secrets Manager. And the name is extremely obvious: it is one of the services that will easily store secrets in AWS. And so with this you can rotate them, manage them and retrieve them, with API calls for their lifecycle. So the big difference Secrets Manager has with something like Parameter Store with an encrypted value like a SecureString is that with Secrets Manager you can set up rotation, and you can link it to a Lambda function that will allow you to rotate your credentials on top of it. It has very tight integration with RDS, Aurora, PostgreSQL and so on, and so the idea is that it will be a little bit easier to use and more secure with this. But the idea is the same: you're going to store secrets into a store and retrieve them at runtime. So the pricing is that you have 40 cents per secret per month and five cents per 10,000 API calls, and you get a 30 day free trial available for Secrets Manager. OK. So it's all obviously managed by IAM for access to the secrets. So this is kind of a similar thing to Parameter Store. So let's go ahead and store a new secret. And so as you can see we get different types of secrets, and I'm pretty sure they will add secrets over time to make this even more integrated with other AWS services.
But we can do a credential for an RDS database, a credential for a Redshift cluster, for a DocumentDB database, for another database, or another type of secret. And this is, for example, an API key. So here this is really important. Whenever you have a database it will prompt you with a username and a password, and it's pretty much username and password for everything here. OK, but if it's another type of secret then you will have key value pairs that you can place, and you will have secrets placed in here, so you can set for example API key, and then you would have the secret value of the API key. Right. And this would be your key value pair. But you could have multiple ones; you can store not just one API key. You could store for example a secret key for the API, and you have a second value, a second secret value. Right. So you're really free; you have as many key value pairs as you want. And that's also a little bit of a difference versus something like Parameter Store. So you can do this as secret, or you can also do it in plaintext, in JSON, so this would be a way to copy and paste JSON if you prefer this to entering things manually in this UI. Then you select the encryption key.
So do you want a default encryption key, or do you want to use a KMS key you have created and so on, to encrypt these secrets? So I'll use my KMS key for example and then I'll click on Next. Then you need to give your secret a name, so I'll call it prod my secret API, and then you can have a description and you can have tags, and then you click on Next, and then here we can configure automatic or not automatic rotation. So that means that if you have automated rotation, automatically your secrets will be rotated. And so that means that for example here I can say every 60 days I want you to rotate my secret. You can have a custom value if you wanted to, the max being one year. And so that means that after 60 days there will be a Lambda function that will be invoked. And so you need to create that Lambda function, and that Lambda function needs to have the role to rotate that secret. So that means for example generating a new username or refreshing the API key credentials with a third party. And so you're free to do whatever you want with your Lambda functions. But the idea is that after 60 days it will be invoked automatically by Secrets Manager to rotate the secret we have just stored, and that makes it a really powerful secret management solution. So right now disable the automatic rotation and click on Next.
And so we're good to go, and we can have simple code in any of the languages that we commonly use to retrieve that secret, for example with Python. If we look at it there is a get_secret function, and you pass in the secret name and the region name, and then you just initiate a boto3 client to do API calls, and then to get the value you do client.get_secret_value, and you pass in the SecretId, which is the secret name, and then you get the response, and in the response you can just look at the keys that you need, for example in the key value pair we had, and here SecretString is the value of the key you want to retrieve, and that's it, it's very fairly simple, and you have this for whatever language you are in. So if you're more of a Go person, here's Go, JavaScript, Java and so on. OK. And that's as easy as it is to use Secrets Manager. And so this is just a normal key value pair of secrets. And let me just show you how to do an RDS database. So I'll call this admin and then super secret password, and then we would encrypt those as well. And similarly you can also link this to an RDS database that the secret will access. So the idea is that with these special integrations with RDS or Redshift or DocumentDB you would have to select a database to integrate this with.
So that makes it a little bit more powerful, because now Secrets Manager will hold the value of the username and password. But on top of it, it will also set these values on the linked RDS database automatically. And you can also enable rotation as well to make sure that the secret rotates every so often. So I just wanted to show you this, but we're not going to create an RDS database just for the sake of linking the secret to it, but you get the idea. So that's it in a nutshell for Secrets Manager, and when you're done you can just delete that secret and you'll be good to go, and you can have a waiting period as well just to make sure that it doesn't get deleted hastily. So that's it for this lecture. I hope you liked it. And then we'll see you in the next lecture.
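The runtime retrieval walked through in the lecture (get_secret_value with a SecretId, then reading the key/value pairs out of SecretString), as an added example that is not the course's code or the console's own sample. The Secrets Manager client is injected so the function runs offline against a constructed stub; the secret names prod/my-secret-api and prod/rds-admin, their key names and all values are assumptions.

```python
import json


def get_secret(client, secret_name, required_keys=()):
    """Return the key/value pairs stored in one Secrets Manager secret.

    Same call as the console sample: client.get_secret_value(SecretId=name),
    then read SecretString. Key/value secrets arrive as a JSON document; a
    plain-text secret is returned under the single key "value". Errors name
    only the secret and the missing keys, never the secret values.
    """
    response = client.get_secret_value(SecretId=secret_name)
    if "SecretString" not in response:
        raise ValueError(f"{secret_name}: binary secret, expected JSON key/value pairs")
    try:
        pairs = json.loads(response["SecretString"])
    except json.JSONDecodeError:
        return {"value": response["SecretString"]}
    if not isinstance(pairs, dict):
        return {"value": response["SecretString"]}
    missing = [key for key in required_keys if key not in pairs]
    if missing:
        raise KeyError(f"{secret_name}: missing keys {missing}")
    return pairs


class StubSecretsManager:
    """Constructed offline stand-in for boto3.client("secretsmanager")."""

    def __init__(self, secrets):
        self._secrets = secrets  # {secret name: SecretString}

    def get_secret_value(self, SecretId):
        if SecretId not in self._secrets:
            raise LookupError(f"ResourceNotFoundException: {SecretId}")
        return {"Name": SecretId, "SecretString": self._secrets[SecretId]}


# Constructed sample store: the API-key secret from the lecture plus an
# RDS-style username/password secret; values are placeholders, not credentials.
STORE = StubSecretsManager({
    "prod/my-secret-api": json.dumps({"api_key": "constructed-api-key",
                                      "secret_key": "constructed-secret-key"}),
    "prod/rds-admin": json.dumps({"username": "admin", "password": "constructed-password"}),
})

if __name__ == "__main__":
    # In production: client = boto3.client("secretsmanager", region_name="eu-west-1")
    creds = get_secret(STORE, "prod/my-secret-api", required_keys=("api_key", "secret_key"))
    print("retrieved keys:", sorted(creds))  # log key names only, never values
```

With a real boto3 client a missing secret surfaces as a botocore ClientError (ResourceNotFoundException) rather than the stub's LookupError; the JSON handling is the same either way.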