Questions tagged with AWS Secrets Manager


Most AWS services are metered on multiple dimensions, yet in Cost Explorer I can only see a single $ value which represents the service charge. For example, Secrets Manager is priced as a combination of $0.40 per secret per month + $0.05 per 10,000 API calls. If my monthly charge is $15/month, how can I see a detailed breakdown of the billed API calls that have been charged? Thanks!
1 answer, 0 votes, 8 views, asked a day ago
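One way to get the per-dimension breakdown the question asks for is to query Cost Explorer grouped by USAGE_TYPE rather than by SERVICE; the console's single figure is the sum over those groups. The following is an added example (not code from the post or from AWS): the request shape follows boto3's `CostExplorer.get_cost_and_usage`, while the sample response and its usage-type names are constructed and hypothetical.

```python
"""Break a Secrets Manager bill into its metered dimensions with Cost Explorer.

Added example, not part of the original post. The request shape follows
boto3's CostExplorer.get_cost_and_usage; the sample response below is
constructed and its usage-type names are hypothetical.
"""
from collections import defaultdict
from decimal import Decimal


def build_request(start: str, end: str) -> dict:
    """Parameters that group Secrets Manager spend by USAGE_TYPE.

    Grouping by USAGE_TYPE is what separates 'secrets stored' from
    'API requests'; the console's single $ figure is the sum over groups.
    """
    return {
        "TimePeriod": {"Start": start, "End": end},
        "Granularity": "MONTHLY",
        "Metrics": ["UnblendedCost", "UsageQuantity"],
        "Filter": {"Dimensions": {"Key": "SERVICE", "Values": ["AWS Secrets Manager"]}},
        "GroupBy": [{"Type": "DIMENSION", "Key": "USAGE_TYPE"}],
    }


def summarize(response: dict) -> dict:
    """Collapse ResultsByTime[].Groups[] into {usage_type: (quantity, cost)}."""
    totals = defaultdict(lambda: [Decimal(0), Decimal(0)])
    for period in response.get("ResultsByTime", []):
        for group in period.get("Groups", []):
            usage_type = group["Keys"][0]
            totals[usage_type][0] += Decimal(group["Metrics"]["UsageQuantity"]["Amount"])
            totals[usage_type][1] += Decimal(group["Metrics"]["UnblendedCost"]["Amount"])
    return {k: (v[0], v[1]) for k, v in totals.items()}


def fetch_and_summarize(start: str, end: str, client=None) -> dict:
    """Live version: needs ce:GetCostAndUsage (Cost Explorer is served from us-east-1)."""
    if client is None:
        import boto3  # imported lazily so the offline helpers work without it
        client = boto3.client("ce", region_name="us-east-1")
    return summarize(client.get_cost_and_usage(**build_request(start, end)))


# Constructed sample response; the usage-type names are hypothetical, not real
# AWS identifiers. The two groups add up to the $15 figure from the question.
SAMPLE_RESPONSE = {
    "ResultsByTime": [
        {
            "TimePeriod": {"Start": "2023-03-01", "End": "2023-04-01"},
            "Groups": [
                {"Keys": ["Example-SecretsManager-Secrets"],
                 "Metrics": {"UsageQuantity": {"Amount": "30", "Unit": "Secret-Months"},
                             "UnblendedCost": {"Amount": "12.00", "Unit": "USD"}}},
                {"Keys": ["Example-SecretsManager-APIRequests"],
                 "Metrics": {"UsageQuantity": {"Amount": "600000", "Unit": "Requests"},
                             "UnblendedCost": {"Amount": "3.00", "Unit": "USD"}}},
            ],
        }
    ]
}

if __name__ == "__main__":
    for usage_type, (qty, cost) in summarize(SAMPLE_RESPONSE).items():
        print(f"{usage_type:40s} qty={qty:>10} cost=${cost}")
```

The same breakdown is available in the Cost and Usage Report, where each line item carries its usage type and quantity; the Cost Explorer query is the quicker check when you only need one service.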
For a MySQL database, I turned on "Manage master credentials" in the AWS console. I decided to use a "master password" instead. When I uncheck the ManageMasterUserPassword and assign a "master password", the AWS console gives me an error, "You can't specify MasterUserPassword for an instance with ManageMasterUserPassword enabled."
1 answer, 0 votes, 20 views, Carlos, asked a day ago
## Issue

We have an Aurora PostgreSQL version 14.5 RDS cluster. We have a secret in SecretsManager with credentials for a user we want to rotate the password for. When rotating the secret, the Lambda gets stuck at the `setSecret` step with the error `Unable to log into database with previous, current, or pending secret`. We have determined that this relates to the `password_encryption` option in the cluster parameter group. If we set it to `md5` (whereas the default is, I believe, `scram-sha-256`) the rotation will work again _after_ we update it manually. We can then rotate it as many times as we want.

### Question

How can we get the secret rotation to work while using the default cluster parameter group for an Aurora PostgreSQL cluster?

### To reproduce

1. Have a secret [formatted as expected](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_secret_json_structure.html#reference_secret_json_structure_rds-postgres).
2. Have a Lambda running the [python code provided by AWS](https://github.com/aws-samples/aws-secrets-manager-rotation-lambdas/blob/master/SecretsManagerRDSPostgreSQLRotationSingleUser/lambda_function.py).
3. Have a version 14.5 Aurora PostgreSQL cluster using the `default.aurora-postgresql14` cluster parameter group.
4. Click the "Rotate secret immediately" button in the console.
5. In Lambda logs, see the error `setSecret: Unable to log into database with previous, current, or pending secret of secret arn arn:aws:secretsmanager:....`

### How to Recover

1. Create a new cluster parameter group that is a copy of `default.aurora-postgresql14`.
2. Change the `password_encryption` to be `md5`.
3. Apply this new parameter group to the cluster.
4. Cancel the secret rotation: `aws secretsmanager cancel-rotate-secret --secret-id ....`
5. Manually change the password on the user to a new one.
6. Update the secret with the new password.
7. Click the "Rotate secret immediately" button in the console.
1 answer, 0 votes, 15 views, asked a day ago
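The `password_encryption` parameter at the centre of the post above decides which verifier PostgreSQL stores in `pg_authid.rolpassword` at the moment a password is set; it does not rewrite existing roles when it changes, which is why the recovery procedure has to set a fresh password after switching the parameter group. The block below is an added example (not the post's code and not the AWS rotation Lambda): it builds both verifier formats, classifies a stored value the way you would after `SELECT rolname, rolpassword FROM pg_authid`, and checks a candidate password against either form. The usernames and passwords are constructed.

```python
"""What PostgreSQL's password_encryption setting actually changes.

Added example, not from the original post or the AWS rotation Lambda. It
produces the two verifier formats PostgreSQL stores in pg_authid.rolpassword
(md5 and SCRAM-SHA-256) and verifies passwords against them. The format is
fixed when the password is SET; changing password_encryption later does not
rehash existing roles.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional


def md5_verifier(username: str, password: str) -> str:
    """Legacy format: 'md5' + hex(md5(password || username)).

    The only 'salt' is the role name, so identical passwords for the same
    role name hash identically across servers."""
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def scram_sha256_verifier(password: str, salt: Optional[bytes] = None,
                          iterations: int = 4096) -> str:
    """RFC 7677 verifier in PostgreSQL's on-disk layout:
    SCRAM-SHA-256$<iterations>:<b64 salt>$<b64 StoredKey>:<b64 ServerKey>"""
    salt = os.urandom(16) if salt is None else salt
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, 32)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()      # server never stores ClientKey
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    b64 = lambda raw: base64.b64encode(raw).decode()
    return f"SCRAM-SHA-256${iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}"


def verifier_kind(stored: str) -> str:
    """Classify a pg_authid.rolpassword value."""
    if stored.startswith("SCRAM-SHA-256$"):
        return "scram-sha-256"
    if stored.startswith("md5") and len(stored) == 35:
        return "md5"
    return "plaintext-or-unknown"


def check_password(username: str, password: str, stored: str) -> bool:
    """Verify a candidate password against either stored format."""
    kind = verifier_kind(stored)
    if kind == "md5":
        return hmac.compare_digest(md5_verifier(username, password), stored)
    if kind == "scram-sha-256":
        header, _keys = stored.split("$")[1:]
        iterations, salt_b64 = header.split(":")
        recomputed = scram_sha256_verifier(password, base64.b64decode(salt_b64), int(iterations))
        return hmac.compare_digest(recomputed, stored)
    return False


if __name__ == "__main__":
    # Constructed role and password, purely for illustration.
    old = md5_verifier("app_user", "s3cret")
    new = scram_sha256_verifier("s3cret")
    print(verifier_kind(old), old)
    print(verifier_kind(new), new)
```

A client library that only implements the md5 handshake cannot authenticate against a SCRAM verifier, whereas a SCRAM-capable client can still log in to an md5 role; checking `verifier_kind` on the rotated role is the fastest way to see which side of that line a failing rotation is on.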
I am manually uploading the AWS credentials file which contains access key, secret key, session token and many more. I am trying to fetch the secret values in my Secrets Manager through Java code. Currently I am using GetSecretValueResponse for fetching the values and AWSCredsProvider(access key, secret key) as my credentials provider. It is expecting it to be an instance of AwsSessionCredentials(access key, secret key, session token) but this is a final class, so how can I make my Java code utilize the session token that is being provided in the file that I uploaded initially? The dependency I have used:

```xml
<dependency>
  <groupId>software.amazon.awssdk</groupId>
  <artifactId>secretsmanager</artifactId>
  <version>2.20.22</version>
</dependency>
```

ERROR: The security token included in the request is invalid. (Service: SecretsManager, Status Code: 400, Request ID: 7b4d76ea-389f-4068-8fde-577224a67f5c)
1 answer, 0 votes, 29 views, asked 9 days ago
I am using an AWS EC2 instance and I can connect to it using a username and key-value pair (file). But I'd need to connect (over WordPress) to the server and it's asking me to enter a password. How and where can I find the password which I can type in? (The only password, or better said private key, I am familiar with is in the .pem file.) Here is the screenshot: https://prnt.sc/gAdr9Y0DSaJb Thanks!
1 answer, 0 votes, 27 views, asked 16 days ago
I'm building a full stack application with the Next.js framework and want to deploy it to App Runner. However, Next.js needs to have environment variables (secrets) at build time, otherwise the build fails. This is stated clearly in the Next.js documentation. However, it seems that in App Runner I'm only able to expose environment variables at runtime. Is there any way to get secrets from Secrets Manager and set env values at build time? I do not wish to have my envs on the client side, so the NEXT_PUBLIC_ prefix is not a solution around this. I'm using an apprunner.yml config file and deploy automatically from a GitHub repository. Here is my apprunner.yml config file content:

```yaml
version: 1.0
runtime: nodejs16
build:
  commands:
    build:
      - yarn --production
      - yarn build
run:
  command: yarn start
  network:
    port: 3000
  env:
    - name: PRIMARY_DB_NAME
      value: "primary"
  secrets:
    - name: DB_URI
      value-from: "arn:here"
```
1 answer, 0 votes, 36 views, asked 19 days ago
Aurora MySQL Serverless v1 is no longer supported (for creation), yet all of the documentation still points towards Serverless v1. I am using MySQL Serverless v2 with Secrets Manager and I have a Python module that is able to connect to the writer endpoint all right without RDS Proxy. Following the Lambda function examples, I have created an RDS Proxy; however, I am having a hard time finding reliable Lambda code examples, especially in JavaScript, that can successfully connect to my Aurora Serverless v2. The goal is to have this connection be triggered by Cognito events.
1 answer, 0 votes, 54 views, asked 24 days ago
Hi there, I am attempting to use the extension in the title following the guide mentioned [here](https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets_lambda.html) and I am unfortunately hitting an issue where the extension starts and awaits requests (I can see this in the logs from setting the debug flag), although when I send the request, it times out. I have set the timeout of the Lambda to the maximum possible value with the same effect. ![Function logs](/media/postImages/original/IM1uxBkbD2RIKUjKMwimzrfg) I have set my Lambda's execution role in the following manner: ![Lambda policy](/media/postImages/original/IMfHKKLSJuT-S3iZxlF9FjMQ) The runtime of my function is arm64 using TypeScript. My code to request my secret is as follows: ![Code which fetches secret](/media/postImages/original/IM5mWYT8AhTC2dlMHQJBmlJg) I have been trying different things, all to no avail, as the application still times out. Any help on what is going on here would be greatly appreciated.
2 answers, 0 votes, 43 views, nifty, asked 25 days ago
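For reference, the request the AWS Parameters and Secrets Lambda Extension expects, per the AWS guide linked in the post: a GET to `localhost` on port 2773 (overridable with `PARAMETERS_SECRETS_EXTENSION_HTTP_PORT`) at `/secretsmanager/get?secretId=...`, carrying the function's `AWS_SESSION_TOKEN` in the `X-Aws-Parameters-Secrets-Token` header; the body returned is the same JSON as the `GetSecretValue` API. The block below is an added Python example, not the poster's TypeScript: the request builder is pure so it can be checked outside Lambda, and `fetch_secret` uses a short socket timeout so a misconfigured call fails with an exception instead of running until the function timeout. The `handler` name and event shape are assumptions.

```python
"""Reading a secret through the AWS Parameters and Secrets Lambda Extension.

Added example, not the poster's code. Per the AWS docs the extension listens on
localhost, port 2773 unless PARAMETERS_SECRETS_EXTENSION_HTTP_PORT is set, and
every request must carry the function's AWS_SESSION_TOKEN in the
X-Aws-Parameters-Secrets-Token header; the response body is the GetSecretValue
JSON. Only fetch_secret() talks to the extension; the builder is pure.
"""
import json
import os
import urllib.parse
import urllib.request
from typing import Dict, Optional, Tuple

DEFAULT_PORT = 2773
TOKEN_HEADER = "X-Aws-Parameters-Secrets-Token"


def build_extension_request(secret_id: str, environ: Optional[Dict[str, str]] = None,
                            version_stage: Optional[str] = None) -> Tuple[str, Dict[str, str]]:
    """Return (url, headers) for the extension's GET /secretsmanager/get endpoint."""
    env = os.environ if environ is None else environ
    port = int(env.get("PARAMETERS_SECRETS_EXTENSION_HTTP_PORT", DEFAULT_PORT))
    token = env.get("AWS_SESSION_TOKEN")
    if not token:
        # The extension rejects calls without the token; outside Lambda the
        # variable is simply absent, so fail loudly rather than hang.
        raise RuntimeError("AWS_SESSION_TOKEN is not set; the extension only works inside Lambda")
    params = {"secretId": secret_id}
    if version_stage:
        params["versionStage"] = version_stage
    url = f"http://localhost:{port}/secretsmanager/get?{urllib.parse.urlencode(params)}"
    return url, {TOKEN_HEADER: token}


def fetch_secret(secret_id: str, timeout: float = 2.0) -> str:
    """Call the extension and return SecretString.

    A short timeout turns a misconfigured extension (wrong port, missing
    header, missing secretsmanager:GetSecretValue on the execution role)
    into an exception in the logs instead of a silent function timeout."""
    url, headers = build_extension_request(secret_id)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        if resp.status != 200:
            raise RuntimeError(f"extension returned HTTP {resp.status}")
        payload = json.loads(resp.read().decode())
    return payload["SecretString"]


def handler(event, context):
    """Lambda entry point (hypothetical name); secret name taken from the event."""
    value = fetch_secret(event["secretId"])
    return {"length": len(value)}  # never return or log the secret itself
```

The extension resolves the execution role's `secretsmanager:GetSecretValue` permission on the first request and caches the value for later invocations, so a permissions problem shows up as an error on the first call rather than on every one.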
Hi, while trying to deploy the AWS App Runner service, which is a Spring Boot application integrated with AWS Secrets Manager, the deployment fails citing the reason:

> com.amazonaws.SdkClientException: Unable to execute HTTP request: Connect to secretsmanager.eu-west-1.amazonaws.com:443

I am using a VPC connector to enable an RDS connection for the application. Any insights on fixing this issue would be really helpful.
0 answers, 0 votes, 23 views, asked a month ago
I have configured an MSK cluster and allowed public access through the SASL/SCRAM authentication method. Now I am facing an issue where I do not have the necessary permissions when using these credentials (specified in the Secrets Manager secret created with a custom key). The connecting client can perform certain operations but fails to fetch or create topics, nor publish a new message to the existing topic. I am using Confluent and C#, and here is an example of the configuration of my client.

```csharp
using Confluent.Kafka;

// Producer configuration; the SASL username/password are read from Secrets Manager.
var config = new ProducerConfig
{
    BootstrapServers = Config.KafkaBootstrapServers,
    SaslMechanism = SaslMechanism.ScramSha512,
    SecurityProtocol = SecurityProtocol.SaslSsl,
    SaslUsername = Config.Username, // username from secrets manager
    SaslPassword = Config.Password, // password from secrets manager
    ClientId = Config.Client,
    Acks = Acks.All
};
```

How can I assign higher permissions? Since it is a managed Kafka service, there is no option to modify this on the broker level. And since there is no user behind these credentials, I cannot assign a specific policy to it. What are the options here?
1 answer, 0 votes, 50 views, hcerim, asked a month ago
Hello, I would like to host my backend application using the Lightsail container service, using a Docker image and GitHub CI/CD (build the image, push it to Lightsail, create a deployment). The application should have a few secrets like RDS credentials, external services' API keys, etc. How can I manage those secrets? I know I can use environment variables when creating the deployment, but that doesn't seem secure, as those variables are visible as plain text in the console. That doesn't seem like the best approach.
1 answer, 0 votes, 23 views, asked a month ago
I have a Fargate service in a public subnet. I've tried to limit the public subnet's inbound traffic through Network ACLs with the following rules: ![Enter image description here](/media/postImages/original/IMsVi-wzXdRvu_wj5ADrFHcQ) As you can see, all inbound traffic except for ports 80 and 443 is blocked by rule 300. All outbound traffic is allowed: ![Enter image description here](/media/postImages/original/IMXmsVaagfRUima6VuqcTfhQ) I have also added a VPC endpoint to my VPC for Secrets Manager since reading [this article](https://aws.amazon.com/premiumsupport/knowledge-center/ecs-unable-to-pull-secrets/) and am still getting this error when trying to start Fargate tasks: ![Enter image description here](/media/postImages/original/IMtJUl1FYJTLGBamqAhS-0yQ) I tried to use VPC flow logs to detect what's being denied but am unable to spot anything meaningful. What I'm sure about is that when rule 300 is removed all tasks start as expected. Could someone point out what about denying all other inbound traffic is stopping Fargate tasks from accessing Secrets Manager?
1 answer, 0 votes, 39 views, asked a month ago
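Network ACLs, unlike security groups, are stateless: the reply to a task's outbound HTTPS call to Secrets Manager comes back with source port 443 and a destination port chosen from the task's ephemeral range, and that reply is matched against the inbound rules in rule-number order. The block below is an added example (not from the post) that models exactly that evaluation over a constructed rule set mirroring the one described above, and over the same set with an ephemeral-port allow rule added; rule numbers and the sample port are illustrative.

```python
"""Stateless NACL evaluation for the return leg of an outbound HTTPS call.

Added example, not from the original post. Network ACLs are stateless, so the
Secrets Manager endpoint's reply (src port 443 -> an ephemeral dst port on the
task ENI) is evaluated against the INBOUND rules, lowest rule number first,
with an implicit '*' deny at the end. Rule sets and ports are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                        # "allow" or "deny"
    protocol: str                      # "tcp", "udp" or "all"
    ports: Optional[Tuple[int, int]]   # inclusive destination-port range; None = any
    cidr: str = "0.0.0.0/0"            # only the any-source case is modelled here


def evaluate(rules: List[Rule], protocol: str, dst_port: int) -> Tuple[str, Optional[int]]:
    """Return (action, matching rule number); first match wins, no match -> '*' deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if rule.ports is not None and not (rule.ports[0] <= dst_port <= rule.ports[1]):
            continue
        return rule.action, rule.number
    return "deny", None


# Inbound rules as the post describes them: only 80 and 443 allowed, then deny all.
INBOUND_AS_POSTED = [
    Rule(100, "allow", "tcp", (80, 80)),
    Rule(200, "allow", "tcp", (443, 443)),
    Rule(300, "deny", "all", None),
]

# Same rules plus one that admits return traffic on the ephemeral port range
# AWS recommends for NACLs (1024-65535, since the range varies by client OS).
INBOUND_FIXED = INBOUND_AS_POSTED + [Rule(250, "allow", "tcp", (1024, 65535))]

# Constructed ephemeral port; Linux picks from 32768-60999 by default.
EPHEMERAL_DST_PORT = 45000


def secrets_manager_reply_allowed(rules: List[Rule], dst_port: int = EPHEMERAL_DST_PORT) -> bool:
    """Does the endpoint's reply (src 443 -> ephemeral dst port) pass the inbound NACL?"""
    action, _ = evaluate(rules, "tcp", dst_port)
    return action == "allow"


if __name__ == "__main__":
    for name, rules in (("as posted", INBOUND_AS_POSTED), ("with ephemeral rule", INBOUND_FIXED)):
        action, number = evaluate(rules, "tcp", EPHEMERAL_DST_PORT)
        print(f"{name:20s} reply to port {EPHEMERAL_DST_PORT}: {action} (rule {number})")
```

When checking this against VPC flow logs, filter for REJECT records whose destination is the task ENI and whose source port is 443; with only 80/443 admitted inbound they are the rejected reply leg, not a foreign connection attempt. A VPC endpoint for Secrets Manager keeps the traffic inside the VPC but does not change the NACL evaluation on the subnet.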