Secretless Python Apps with AWS Secrets Manager

AWS Secrets Manager is a service that allows users to securely store and manage secrets, such as database credentials and API keys. This is necessary when building any type of application that needs to interact with other services, regardless of whether you're using Python or any other language. By keeping sensitive information out of your codebase and in Secrets Manager, you reduce the risk of it being exposed and allow for central management of all secrets, including auditing, auto-rotation and fine-tuned access controls.

To use the Secrets Manager with Python, you will first need to create a secret that contains the sensitive information you want to store. This can be done through the AWS Management Console, the AWS CLI, or the AWS Secrets Manager API. In this instance, we'll use the AWS CLI to create a secret:

aws secretsmanager create-secret \
    --name "my-secret" \
    --secret-string "my-secret-value" \
    --region "us-east-1"

Once you have created a secret, you can retrieve its value using the AWS Secrets Manager Python client. To do this, you will need to install the boto3 library, which is the official Python SDK for AWS. Why boto3 and not a more descriptive, meaningful name is beyond me. Next, we create a Secrets Manager client with boto3.client("secretsmanager"); there is no boto3.secretsmanager module, the service name is passed as a string.

import boto3

# Create a Secrets Manager client for the region the secret lives in
secrets_manager_client = boto3.client("secretsmanager", region_name="us-east-1")

# Retrieve the secret; the plain-text value is in the SecretString field of the response
secret_value = secrets_manager_client.get_secret_value(SecretId="my-secret")

Once you have retrieved the secret's value, you can use it in your Python code as needed. For example, if the secret contains a database password, you could use it to connect to the database using the psycopg2 library.

# Import the connect() function from the psycopg2 library
from psycopg2 import connect

# Connect to the database using the secret value
database_connection = connect(
    host="database-host",
    database="database-name",
    user="database-user",
    password=secret_value["SecretString"]
)
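The two snippets above call get_secret_value and pass SecretString straight to psycopg2, which only works when the secret is a bare password. The following is an added example, not code from the original post, showing how a practitioner would wrap the retrieval: it handles the three shapes a GetSecretValue response can take (a JSON SecretString, a plain SecretString, or SecretBinary), keeps the real boto3 client behind a small factory, and injects the client so the parsing logic can be exercised offline. The secret layout (a JSON object with "username" and "password" keys), the secret names, the account id 123456789012 and the FakeSecretsManagerClient are constructed assumptions for the demonstration.

```python
"""Added example (not from the original post): fetch a secret with boto3 and
turn it into database credentials for psycopg2.connect(). The JSON layout of
the secret, the secret names and the fake client are assumptions."""
import json
from typing import Any, Dict

try:
    import boto3  # official AWS SDK; only needed for the real client
except ImportError:  # keeps the parsing logic usable without the SDK installed
    boto3 = None

# Only GetSecretValue is needed at runtime; the IAM policy can be scoped to it.
def make_client(region_name: str = "us-east-1"):
    """Create the real Secrets Manager client (service name is a string)."""
    if boto3 is None:
        raise RuntimeError("boto3 is not installed (pip install boto3)")
    return boto3.client("secretsmanager", region_name=region_name)


def parse_secret(response: Dict[str, Any]) -> Any:
    """Return the payload of a GetSecretValue response.

    Secrets Manager returns either SecretString (text, commonly a JSON object)
    or SecretBinary (boto3 hands this back as bytes, already base64-decoded).
    A JSON SecretString is parsed into a dict; any other text is returned as-is.
    """
    if "SecretString" in response:
        text = response["SecretString"]
        try:
            return json.loads(text)
        except ValueError:
            return text
    if "SecretBinary" in response:
        return response["SecretBinary"]
    raise ValueError("response carries neither SecretString nor SecretBinary")


def load_db_credentials(client, secret_id: str, default_user: str = "database-user") -> Dict[str, str]:
    """Fetch secret_id and return the user/password keyword arguments for connect().

    The client is injected so this can run offline against a fake; in
    production pass make_client(). A JSON secret supplies both fields; a
    plain-string secret is treated as the password only.
    """
    payload = parse_secret(client.get_secret_value(SecretId=secret_id))
    if isinstance(payload, dict):
        return {"user": payload["username"], "password": payload["password"]}
    if isinstance(payload, bytes):
        raise TypeError("binary secret cannot be used as a database password")
    return {"user": default_user, "password": payload}


class FakeSecretsManagerClient:
    """Constructed stand-in for boto3's client, for offline demonstration only.
    It mimics the GetSecretValue response shape for a few canned secrets and
    raises for unknown ids, as the real service does (ResourceNotFoundException)."""

    _secrets = {
        "my-secret": {"SecretString": json.dumps({"username": "app", "password": "p4ss"})},
        "plain-secret": {"SecretString": "my-secret-value"},
        "binary-secret": {"SecretBinary": b"\x00\x01\x02"},
    }

    def get_secret_value(self, SecretId: str) -> Dict[str, Any]:
        if SecretId not in self._secrets:
            raise KeyError(f"ResourceNotFoundException: {SecretId}")
        arn = f"arn:aws:secretsmanager:us-east-1:123456789012:secret:{SecretId}-AbCdEf"
        return {"ARN": arn, "Name": SecretId, **self._secrets[SecretId]}


if __name__ == "__main__":
    creds = load_db_credentials(FakeSecretsManagerClient(), "my-secret")
    # Never log the password itself; report only which keys were resolved.
    print("resolved credential fields:", sorted(creds))
```

In a real deployment, call load_db_credentials(make_client(), "my-secret") once at startup (or cache the result with a short TTL) rather than on every request: each call is a billable API request that counts against the service's rate limits, and the value only changes when the secret is rotated.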

Improve the security posture of your app

To further improve the security posture of your app, it's highly recommended to use a dedicated AWS account and a locked-down IAM policy. To create an AWS IAM read-only policy for a secret called "my-secret" in Secrets Manager, you can use the following policy statement:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowReadingOfMySecret",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": [
                "arn:aws:secretsmanager:<region>:<account-id>:secret:my-secret-*"
            ]
        }
    ]
}

This policy allows the IAM user or role to which it is attached only to read the value of the secret with the identifier "my-secret", using the GetSecretValue action. That is the only action the Python code above needs. It does not grant ListSecretVersionIds; add that action to the statement if your app also has to enumerate the secret's versions.

Make sure to replace <region> and <account-id> with the appropriate values for your AWS account. The trailing "-*" on the resource ARN is deliberate: Secrets Manager appends a random six-character suffix to every secret's ARN, so "my-secret" alone would never match. If the secret is encrypted with a customer managed KMS key rather than the default aws/secretsmanager key, the same principal also needs kms:Decrypt on that key. You can also customize the policy by adding or removing actions and resources (like more secrets that are used by your app) as needed.
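Hand-editing the policy for every new secret is where wildcards tend to creep in. The following added example (not from the original post) generates the read-only statement above for any number of secrets and audits an arbitrary policy document for permissions broader than GetSecretValue on named secrets, so the check can run in CI before the policy is attached. The region, account id 123456789012 and secret names are constructed sample values.

```python
"""Added example (not from the original post): build the read-only Secrets
Manager policy for a list of secrets and audit a policy for over-broad grants.
Region, account id and secret names are constructed sample values."""
import json
from typing import Any, Dict, List

# The only action the application needs at runtime.
ALLOWED_ACTIONS = ["secretsmanager:GetSecretValue"]


def secret_arn(region: str, account_id: str, name: str) -> str:
    """ARN pattern for one secret. Secrets Manager appends a random
    6-character suffix to every secret ARN, hence the trailing wildcard."""
    return f"arn:aws:secretsmanager:{region}:{account_id}:secret:{name}-*"


def build_read_policy(region: str, account_id: str, names: List[str]) -> Dict[str, Any]:
    """Return the policy document granting GetSecretValue on the named secrets only."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowReadingOfAppSecrets",
                "Effect": "Allow",
                "Action": list(ALLOWED_ACTIONS),
                "Resource": [secret_arn(region, account_id, n) for n in names],
            }
        ],
    }


def _as_list(value: Any) -> List[Any]:
    # IAM accepts a bare string or a list for Action and Resource.
    return [value] if isinstance(value, str) else list(value or [])


def audit_policy(policy: Dict[str, Any]) -> List[str]:
    """Return human-readable findings for Allow statements that grant more
    than reading specific secrets: wildcard actions, actions outside the
    allowlist, or resources that match every secret."""
    findings: List[str] = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action}")
            elif action not in ALLOWED_ACTIONS:
                findings.append(f"{sid}: action outside allowlist: {action}")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*" or resource.endswith(":secret:*"):
                findings.append(f"{sid}: resource matches every secret: {resource}")
    return findings


if __name__ == "__main__":
    policy = build_read_policy("us-east-1", "123456789012", ["my-secret", "api-key"])
    print(json.dumps(policy, indent=4))
    print("findings:", audit_policy(policy))
```

Feed the output of build_read_policy to `aws iam create-policy --policy-document file://policy.json` (or your IaC tool), and run audit_policy over any existing policy JSON pulled from the account; a non-empty findings list is the signal to tighten the statement before it reaches a role your application assumes.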
