Using Secrets Manager to hold CloudFront public key

-1

Hi, I was trying to use the CDK to initialize my CloudFront distribution. I wanted to move away from hard coding secrets in my CDK file and my CloudFront lambda, so I thought it'd be best to put both the public key and private key into AWS Secrets Manager, and then read them out from there. Here is how I am trying to set up the CloudFront distribution.

    from aws_cdk import (
        aws_cloudfront as cloudfront,
        aws_secretsmanager as sm,
    )

    # Inside the Stack's __init__: reference the existing secret by its full ARN (elided here).
    cf_public_key = sm.Secret.from_secret_complete_arn(
        self, "CFPublicKey", "arn:aws:secretsmanager:us-west-2:<ARN>"
    )
    # Read the "CFPublicKey" field of the secret's JSON. unsafe_unwrap() turns the SecretValue
    # token into a plain string; for a Secrets Manager secret this is rendered into the template
    # as a CloudFormation dynamic reference and resolved at deploy time.
    cf_public_key_value = cf_public_key.secret_value_from_json("CFPublicKey").unsafe_unwrap()
    pub_key = cloudfront.PublicKey(self, "PubKey", encoded_key=cf_public_key_value)
    key_group = cloudfront.KeyGroup(self, "KeyGroup", items=[pub_key])

This fails during deployment... Should I put the public key in SSM Parameter Store instead, and keep the private key in Secrets Manager? Thx

  • What’s the error you are receiving?

  • Here was the error:

    11:17:16 PM | UPDATE_FAILED | AWS::CloudFront::PublicKey | PubKeyB78B0EBC Resource handler returned message: "Invalid request provided: AWS::CloudFront::PublicKey" (RequestToken: 1f556dd6-614f-f8c3-43c2-5c86ae9db53a, HandlerErrorCode: InvalidRequest)

2 Answers
0

Hi, this blog post gives you all detailed information about what you want to achieve and how to implement it: https://aws.amazon.com/blogs/networking-and-content-delivery/securing-and-accessing-secrets-from-lambdaedge-using-aws-secrets-manager/

AWS
EXPERT
answered 10 months ago
0

I think my issue may revolve around how to properly store the key in Secrets Manager... Initially, I had the public key hardcoded in a Python string and it was of the form:

public_key="-----BEGIN PUBLIC KEY----- \n...\n...\n...\n...\n...\n ...\n...\n-----END PUBLIC KEY-----"

where I had to insert \n newlines at the end of every line as I copied it from the .pem file. The hardcoded string works with the CDK. I tried placing this exact format in Secrets Manager and it didn't work (with the above error)... I also tried this format with SSM Parameter Store, and it did not work... With SSM Parameter Store, I was able to go back and paste the key in as a multiline string (where the breaks are seen at the end of each line)... If I try to do this in Secrets Manager, the line breaks are converted to spaces, and the key is no longer valid. I believe when I removed the spaces, the key also does not work.

rrrpdx
answered 10 months ago
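A small check for the problem described in the answer above, added here as an example and not code from the thread or from AWS: it takes the value read back from Secrets Manager or Parameter Store, accepts the three shapes mentioned (a real multi-line PEM, a single line with literal `\n` escapes, and a single line whose line breaks were collapsed into spaces), rebuilds a canonical PEM, and rejects values whose base64 body was altered. The function names and the sample key body are hypothetical; the body is a constructed DER-looking byte string, not a real key.

```python
import base64
import binascii
import re

BEGIN = "-----BEGIN PUBLIC KEY-----"
END = "-----END PUBLIC KEY-----"


def normalize_pem_public_key(value: str) -> str:
    """Return a canonical PEM (64-char base64 lines) for a stored key value.

    Raises ValueError if the header/footer are missing, the body is not valid
    base64, or the decoded bytes do not start with a DER SEQUENCE tag (0x30),
    which is what a mangled or truncated SubjectPublicKeyInfo looks like.
    """
    # Literal backslash-n escapes (the hardcoded-string form) become real newlines.
    text = value.replace("\\n", "\n").strip()
    if not (text.startswith(BEGIN) and text.endswith(END)):
        raise ValueError("missing PEM PUBLIC KEY header or footer")
    body = text[len(BEGIN):-len(END)]
    # Each mangled form only changes the separators, so drop all whitespace.
    b64 = re.sub(r"\s+", "", body)
    try:
        der = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"PEM body is not valid base64: {exc}") from exc
    if not der or der[0] != 0x30:
        raise ValueError("decoded key is not a DER SEQUENCE; value was altered")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *lines, END]) + "\n"


def is_valid_pem_public_key(value: str) -> bool:
    try:
        normalize_pem_public_key(value)
        return True
    except ValueError:
        return False


# Constructed sample (not a real key): a DER SEQUENCE tag followed by padding bytes.
_SAMPLE_DER = b"\x30" + b"\x00" * 100
_SAMPLE_B64 = base64.b64encode(_SAMPLE_DER).decode()
SAMPLE_PEM = "\n".join(
    [BEGIN, _SAMPLE_B64[:64], _SAMPLE_B64[64:128], _SAMPLE_B64[128:], END]
) + "\n"
```

Running the check on the value read back from the store, before passing it to `cloudfront.PublicKey`, turns the opaque "Invalid request provided" deploy failure into a local error that says which part of the key was mangled.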
