AWS Secman Configuration

The awssecman plugin integrates DRP with AWS Secrets Manager as a secure parameter store. Once configured, DRP parameters can reference secrets stored in AWS Secrets Manager using a lookup URI scheme rather than storing secret values directly in DRP.

Installation

Bash
drpcli catalog item install awssecman

The awssecman plugin provider requires the drp-community-content content pack (version 4.8.0 or later) to be installed first.

Authentication Configuration

The plugin uses the AWS credential file in the home directory of the user running DRP. The default profile is default. Test access with the AWS CLI before configuring the plugin:

Bash
aws secretsmanager list-secrets

Set the profile on the plugin object:

Parameter                 Description                                            Default
awssecman/aws-profile     AWS credential profile to use                          default
awssecman/aws-region      AWS region for the Secrets Manager endpoint            (uses profile default)
awssecman/aws-key-id      AWS Access Key ID (overrides credential file)          ""
awssecman/aws-secret      AWS Secret Access Key (overrides credential file)      ""
awssecman/cache-timeout   Seconds to cache secrets in memory                     300

When awssecman/aws-key-id and awssecman/aws-secret are both set, they take precedence over the local credential file and the profile setting is ignored.

Plugin Creation

The awssecman plugin is auto-started; it does not require a separate plugin instance to be created. Configure it by setting the parameters above on the installed plugin provider. If you need an explicit plugin instance instead:

Bash
drpcli plugins create '{
  "Name": "my-awssecman",
  "Provider": "awssecman",
  "Params": {
    "awssecman/aws-region": "us-east-1",
    "awssecman/cache-timeout": 300
  }
}'

Using Secrets in Parameters

Reference AWS secrets in DRP parameters using the awssecman:// URI scheme. Set the decrypt/lookup-uri on a machine parameter to point to a secret in Secrets Manager:

Bash
# Store an IPMI password reference (the secret value stays in AWS)
drpcli machines set Name:my-server param ipmi/password to \
  '{ "LookupUri": "awssecman://aws?secret=system/test/json&format=json" }'

# Retrieve and decrypt the secret
drpcli machines get Name:my-server param ipmi/password --decode

The URI format is: awssecman://<ignored>?secret=<path-to-secret>&format=json

The format=json option causes the returned string to be parsed as JSON and injected as a structured object. Omit format to receive the secret value as a plain string.

Template expansion is supported in the URI path, allowing machine-specific secret lookups:

Text Only
awssecman://aws?secret=machines/{{.Machine.Name}}/json&format=json
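The URI handling described above, written out as an added example in Go (not the plugin's own code): the scheme is checked, the host part is ignored, secret= is required, and format=json switches the result from a plain string to a decoded object. FetchSample is a constructed stand-in for the Secrets Manager GetSecretValue call, and the example assumes template expansion has already happened before the URI is parsed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// ParseLookupURI validates an awssecman:// LookupUri as described above:
// the host is ignored, secret= is required, format is absent or "json".
func ParseLookupURI(raw string) (secret string, asJSON bool, err error) {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "awssecman" {
		return "", false, fmt.Errorf("not an awssecman:// URI: %q", raw)
	}
	q := u.Query()
	if secret = q.Get("secret"); secret == "" {
		return "", false, fmt.Errorf("missing secret= parameter in %q", raw)
	}
	if f := q.Get("format"); f != "" && f != "json" {
		return "", false, fmt.Errorf("unsupported format %q", f)
	}
	return secret, q.Get("format") == "json", nil
}

// Resolve fetches the secret through fetch (a stand-in for GetSecretValue)
// and decodes it into a structured object only when format=json.
func Resolve(raw string, fetch func(string) (string, error)) (interface{}, error) {
	secret, asJSON, err := ParseLookupURI(raw)
	if err != nil {
		return nil, err
	}
	val, err := fetch(secret)
	if err != nil || !asJSON {
		return val, err // plain string as-is, or the fetch error
	}
	var out map[string]interface{}
	if err := json.Unmarshal([]byte(val), &out); err != nil {
		return nil, fmt.Errorf("secret %q is not a JSON object: %w", secret, err)
	}
	return out, nil
}

// FetchSample is a constructed stand-in for GetSecretValue holding one fake secret.
func FetchSample(name string) (string, error) {
	if name == "system/test/json" {
		return `{"user":"admin","pass":"s3cr3t"}`, nil // constructed sample value
	}
	return "", fmt.Errorf("secret %q not found", name)
}
```

A rejected scheme or an unknown format fails before any call to Secrets Manager, so a mistyped LookupUri never silently returns an empty credential.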

Troubleshooting

Set the plugin log level to trace to enable verbose logging:

Bash
drpcli prefs set logLevel plugins:trace

Reset after troubleshooting to avoid log flooding and potential exposure of sensitive values.