Thanks for this great video. Very helpful
Thank you! I’m glad you found it helpful😄
Great video
Thank you! 😄
@EndreSynnes I struggled for 1.5 days and after that I saw your video
My reaction: Boom there is a solution 😊😊 💐
I’m glad it was helpful😄 By the way, I will make a new video about the Lambda Extensions API, which introduces a new way of communicating with AWS Parameter Store from a Lambda function. This may be something you want to look into as well😊 aws.amazon.com/blogs/compute/using-the-aws-parameter-and-secrets-lambda-extension-to-cache-parameters-and-secrets/
Thank you, this is very helpful. I have a project where I have to use AWS Secrets Manager instead of the Vault tool for managing secrets. Will try to just follow along your steps.
Thank you! I hope this video will help you with your project :D
Why is the secret stored as a key-value pair at 1:27, but you don't need to use the key to get the value?
Hi, in this video I retrieve the secret as a JSON object, containing both the key and value. Then I pass the whole JSON object as HTTP headers in the HTTP request later on in the video, therefore never extracting just the value.
I hope this answered your question? Sorry for the late reply 😅
Very useful session, thank you!
But I need your help or assistance for automatic rotation of API keys by Secrets Manager with a Lambda function.
Please help with Lambda function code for API key rotation? Thank you
Thank you! 😄
So, if I understand correctly, you need help writing a Lambda function that can be used for key rotation in AWS Secrets Manager? I can for sure make a video about that 😄
@EndreSynnes yes please, thank you!
Hi Endre,
That is a great tutorial with a clear explanation.
Btw, I had a question about Lambda services, and I'd really appreciate it if you could address it:
The question: I want to encrypt my script / code that I posted on top of Lambda as a function, so not everyone can see, access and copy the script. Is it possible? If yes, how can I do that??
Thanks in advance
Hi :)
Thank you so much!
Regarding your question: I wonder why you would need to encrypt the code itself? Only people with access to your AWS account will be able to read the code (unless you store it in a public git repository, but that's another issue). As to whether it is possible, I haven't seen a way to do this, so my guess is that it's not possible, but I could be wrong.
I hope this was helpful, but please let me know if I may have misunderstood! :)
How can we give a Lambda function access to a secret in Secrets Manager that is present in a different account?
Hi 😄
Yes, that is possible. You can use resource permissions in the secret configuration to allow access to different accounts, and I think even to specific IAM roles in that account. This could be a topic for a new video, but for now I hope these resources can help you! 😄
Attaching a permissions policy to secrets: docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_resource-policies.html
Example of a permission policy: docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html
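The cross-account setup described in the reply above needs a grant on both sides: a resource policy on the secret in the owning account that names the caller, and an identity policy on the Lambda execution role in the calling account. The following is an added example (not the video's code and not from the AWS documentation linked above); the account IDs, role name and secret ARN are placeholders, and the `policy_issues` check is a simple linter added here to catch over-broad grants before they are applied.

```python
import json

# Placeholder identifiers (constructed for this example).
SECRET_ARN = "arn:aws:secretsmanager:eu-west-1:111111111111:secret:demo/api-key-AbCdEf"
LAMBDA_ROLE_ARN = "arn:aws:iam::222222222222:role/demo-lambda-role"


def secret_resource_policy(secret_arn: str, role_arn: str) -> dict:
    """Resource policy attached to the secret in the OWNING account.
    It names the exact Lambda execution role in the other account rather than
    that account's root, and allows only reading the secret value."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": role_arn},
                "Action": "secretsmanager:GetSecretValue",
                "Resource": secret_arn,
            }
        ],
    }


def lambda_role_policy(secret_arn: str) -> dict:
    """Identity policy attached to the Lambda execution role in the CALLING
    account. Without this, the resource policy alone is not enough."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "secretsmanager:GetSecretValue",
                "Resource": secret_arn,
            }
        ],
    }


def policy_issues(policy: dict) -> list:
    """Flag the usual ways a secret grant ends up wider than intended."""
    issues = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if principal == "*" or aws == "*":
            issues.append("wildcard principal")
        if isinstance(aws, str) and aws.endswith(":root"):
            issues.append("account-root principal delegates to every identity in that account")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a in ("*", "secretsmanager:*") for a in actions):
            issues.append("wildcard action")
        if stmt.get("Resource") == "*":
            issues.append("wildcard resource")
    return issues


if __name__ == "__main__":
    for name, pol in (("resource policy", secret_resource_policy(SECRET_ARN, LAMBDA_ROLE_ARN)),
                      ("role policy", lambda_role_policy(SECRET_ARN))):
        print(name, "issues:", policy_issues(pol) or "none")
        print(json.dumps(pol, indent=2))
```

One caveat the reply does not mention: cross-account reads only work when the secret is encrypted with a customer-managed KMS key whose key policy also allows `kms:Decrypt` for the calling role; the default `aws/secretsmanager` key cannot be shared across accounts.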
From where must we take the API_URL & BIRD_API?
Hi 😄
The API_URL is just the URL for an API that I had created for this demo. It was just an example API that required an API key, and it doesn't exist on that URL anymore.
The BIRD_ID (I guess that's what you meant by "BIRD_API") is just a query parameter the API required me to provide. Again, this was just for demo purposes, so your API may not need a query parameter. The important takeaway here is just how to make use of Secrets Manager to store sensitive information such as API keys, as well as how to retrieve them 😊
I hope this was helpful, if it didn't answer your question please let me know😄
Great tutorial!
However, if the secret_name or ARN are exposed in the Lambda, wouldn't that be a security fault?
Is there any way to not expose this data in code?
Thank you for the question 😄
Just to clarify, I'm no security expert, but I think that the secret_name is not sensitive information. Secrets stored in AWS Secrets Manager are not accessible unless you specifically give applications or users access to them, using IAM policies. You can of course store the secret_name in an environment variable that's accessible to your Lambda function (which you probably should anyway). That way it's not hard coded in your function code. The reason I hard coded the secret_name in the function code was just for simplicity’s sake.
The ARN of an AWS secret, on the other hand, does contain your AWS account ID, and that’s maybe something you don’t want to share with the world. Then again, it’s not like sharing the account ID would give an attacker direct access to your AWS account. But as a rule of thumb, maybe don't share the ARN when it contains your account ID.
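Two points from this thread fit into one small handler: the secret is retrieved as a JSON object and the whole object is sent as HTTP headers (the earlier reply about the key-value pair), and the secret name is read from an environment variable rather than hard coded (the reply just above). The block below is an added example, not the video's code. It assumes a Lambda environment variable named `SECRET_NAME` and a secret whose SecretString is a JSON object of header names to values; `FakeSecretsClient` is a constructed stand-in for the boto3 client so the code runs offline, and in a real function `boto3.client("secretsmanager")` is used instead.

```python
import json
import os


def get_secret_dict(client, secret_id: str) -> dict:
    """Fetch a secret and parse its SecretString as a JSON object.
    `client` is a boto3 Secrets Manager client (or a stand-in with the same
    get_secret_value method) so the logic can be tested without AWS."""
    response = client.get_secret_value(SecretId=secret_id)
    if "SecretString" not in response:
        # Binary secrets arrive as SecretBinary; this demo only handles JSON text.
        raise ValueError("secret %s is binary, expected a JSON string" % secret_id)
    try:
        secret = json.loads(response["SecretString"])
    except json.JSONDecodeError as exc:
        raise ValueError("secret %s is not valid JSON" % secret_id) from exc
    if not isinstance(secret, dict):
        raise ValueError("secret %s must be a JSON object of header names to values" % secret_id)
    return secret


def build_headers(secret: dict) -> dict:
    """Use the whole key/value object as HTTP headers, as the video does.
    Only string values are valid header values, so anything else is rejected
    instead of being silently stringified."""
    headers = {}
    for name, value in secret.items():
        if not isinstance(value, str):
            raise ValueError("header %r must be a string" % name)
        headers[name] = value
    return headers


def redact(secret: dict) -> dict:
    """Safe form for logs: keep the header names, hide the values."""
    return {name: "***" for name in secret}


def lambda_handler(event, context, client=None):
    # The secret name comes from configuration, not from the source code.
    secret_id = os.environ["SECRET_NAME"]
    if client is None:
        import boto3  # only needed when running inside AWS
        client = boto3.client("secretsmanager")
    secret = get_secret_dict(client, secret_id)
    headers = build_headers(secret)
    print("loaded secret keys: %s" % redact(secret))  # never log the values
    # ... perform the outbound API request with `headers` here ...
    return {"statusCode": 200, "headers_sent": sorted(headers)}


class FakeSecretsClient:
    """Constructed stand-in for boto3's Secrets Manager client (offline demo)."""

    def __init__(self, secret_string: str):
        self._secret_string = secret_string

    def get_secret_value(self, SecretId: str) -> dict:
        return {"Name": SecretId, "SecretString": self._secret_string}


def demo() -> dict:
    """Stand-alone run with a constructed secret; returns the handler result."""
    os.environ.setdefault("SECRET_NAME", "demo/api-key")
    fake = FakeSecretsClient('{"x-api-key": "constructed-demo-value"}')
    return lambda_handler({}, None, client=fake)


if __name__ == "__main__":
    print(demo())
```

Reading the name from `SECRET_NAME` keeps account-specific values out of the repository, and the handler only ever logs the header names, so a stray log line cannot leak the key itself.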