
AWS Secrets Manager

DRP's Integration with AWS Secrets Manager

DRP integrates with AWS Secrets Manager to offer a diversified secret management solution. With this plugin, users have the option to retrieve secrets from AWS Secrets Manager, expanding the range of DRP's robust and secure secret management capabilities.

Plugin Configuration

The plugin must be run with the AWS credential files in the home directory of the user that DRP runs as. The profile is specified by the awssecman/aws-profile parameter; it defaults to default.

To test this with the aws cli:

aws secretsmanager list-secrets

Alternatively, the AWS access key ID and secret access key can be specified by the parameters awssecman/aws-key-id and awssecman/aws-secret. In that case the profile is ignored.

The region can be specified with awssecman/aws-region. The default is "" (empty), in which case the region comes from the profile or from the key's default region.

Optionally, set a cache timeout to hold secrets retrieved from AWS Secrets Manager in memory for a limited time, reducing repeated requests to the AWS Secrets Manager service. This duration is in seconds and defaults to 300 seconds.

  • awssecman/cache-timeout: Duration (in seconds) to cache secrets in-memory.

Parameter expansion can be used in the URI.

awssecman://aws?secret=machines/{{.Machine.Name}}/json&format=json

Operational Configuration

In addition to the plugin configuration, define a lookupUri for the secret's location:

  • decrypt/lookup-uri:
    • Denotes the secret's storage location.
    • Format: awssecman://<ignored>?secret=<path to secret>
    • Example: awssecman://aws?secret=system/test/json&format=json

Usage

After completing both configurations, use the plugin:

# Set a machine's IPMI password to an AWS Secrets Manager secret:
drpcli machines set Name:foo param ipmi/password to '{ "LookupUri": "awssecman://aws?secret=system/test/json&format=json" }'

# Retrieve the machine's IPMI password:
drpcli machines get Name:foo param ipmi/password --decode

This assumes that there is a secret system/test/json, holding a JSON-encoded value, that is accessible with the default AWS credentials in the home directory of the DRP user.
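The following Python is an added example, not the plugin's own code: it resolves an awssecman:// LookupUri and the awssecman/* parameters described above the way this page specifies them (expansion of {{.Machine.Name}}, a static key/secret overriding the profile, an empty region deferring to the profile or key, and a cache-timeout TTL). The function names, the "string" default for a missing format= parameter, and the cache implementation are assumptions; the actual call to AWS is left as a callback.

```python
import re
import time
from urllib.parse import urlparse, parse_qs

# Added example (not the plugin's own code): mirror how a DRP awssecman://
# LookupUri and the awssecman/* parameters described above are resolved.

TEMPLATE = re.compile(r"\{\{\s*\.Machine\.Name\s*\}\}")

def expand_uri(uri, machine_name):
    """Expand {{.Machine.Name}}, the only template field this page shows."""
    return TEMPLATE.sub(lambda _m: machine_name, uri)

def parse_lookup_uri(uri):
    """Return {'secret': path, 'format': fmt}; the host part is ignored."""
    parsed = urlparse(uri)
    if parsed.scheme != "awssecman":
        raise ValueError("not an awssecman URI: %r" % uri)
    qs = parse_qs(parsed.query)
    if "secret" not in qs:
        raise ValueError("LookupUri lacks the secret= query parameter")
    # Assumption: when format= is absent the raw secret string is used.
    return {"secret": qs["secret"][0], "format": qs.get("format", ["string"])[0]}

def credential_plan(params):
    """Static key/secret beat the profile; an empty region defers to the
    profile's (or key's) default; cache-timeout defaults to 300 seconds."""
    key_id = params.get("awssecman/aws-key-id")
    secret = params.get("awssecman/aws-secret")
    if key_id and secret:
        auth = ("static-key", key_id)  # profile is ignored in this case
    else:
        auth = ("profile", params.get("awssecman/aws-profile", "default"))
    region = params.get("awssecman/aws-region", "") or None
    ttl = int(params.get("awssecman/cache-timeout", 300))
    return {"auth": auth, "region": region, "cache_timeout": ttl}

class SecretCache:
    """In-memory cache honouring awssecman/cache-timeout (seconds)."""
    def __init__(self, fetch, ttl, clock=time.monotonic):
        self.fetch, self.ttl, self.clock, self.entries = fetch, ttl, clock, {}

    def get(self, secret_path):
        now = self.clock()
        hit = self.entries.get(secret_path)
        if hit and now - hit[0] < self.ttl:
            return hit[1]
        value = self.fetch(secret_path)  # real code: Secrets Manager GetSecretValue
        self.entries[secret_path] = (now, value)
        return value
```

Pass a fetch callback that calls Secrets Manager (for example via boto3) to use the cache against a live account; the injectable clock exists so expiry can be exercised without waiting.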