AWS Secrets Manager¶
DRP's Integration with Microsoft AWS Secrets Manager¶
DRP integrates with Microsoft's AWS Secrets Manager to offer a diversified secret management solution. With the this plugin, users have the option to retrieve secrets from AWS Secrets Manager, expanding the range of DRP's robust and secure secret management capabilities.
Plugin Configuration¶
The plugin must be run with the aws credential files in the home diretory of the user that DRP is running as. The profile is specified by the awssecman/aws-profile
parameter.
It defaults to default
.
To test this with the aws cli:
Alternatively, the aws key and secret can be specified by the parameters, awssecman/aws-key-id
and awssecman/aws-secret
. The profile will be ignored.
The region can be specified with awssecman/aws-region
. The default is "" which will default to the profile or the default of the key.
Optionally, set a cache timeout to store secrets from AWS Secrets Manager temporarily in memory, reducing excessive requests to the KeyVault server. This duration is in seconds, defaulting to 300 seconds.
awssecman/cache-timeout
: Duration (in seconds) to cache secrets in-memory.
Parameter expansion can be used in the URI.
Operational Configuration¶
In addition to the plugin configuration, define a lookupUri
for the secret's location:
decrypt/lookup-uri
:- Denotes the secret's storage location.
- Format:
awssecman://<ignored>?secret=<path to secret>
- Example:
awssecman://aws?secret=system/test/json&format=json
The URI can also have parameter expansions.
Usage¶
After completing both configurations, use the plugin:
# Set a machine's IPMI password to a Vault secret:
drpcli machines set Name:foo param ipmi/password to '{ "LookupUri": "awssecman://aws?secret=system/test/json&format=json" }'
# Retrieve the machine's IPMI password:
drpcli machines get Name:foo param ipmi/password --decode
This assume that there is a secret system/test/json
that is accessible by the default aws credentials in the home directory of DRP that has a json encode value.