AWS Secrets

Last updated 8 months ago

Prerequisites

  • You will need the AWS command line installed.

  • You have jq installed.

    • brew install jq

  • You will also need access to the AWS account. Ask someone from DevOps to send you an invitation.

Getting started

Using AWS SSO

Using SSO is the most straightforward option: you do not need to sign in to your AWS account by yourself, and the CLI opens the needed URL for you.

  • Run the sso command for the first time

Recent aws-cli versions ask for an SSO session name. Currently island.is accounts don't support that and depend on configuring it with the legacy format, so it's important to press Enter without specifying any value at the SSO session name (Recommended): question.

aws configure sso

# Press enter without specifying any value for the first question
SSO session name (Recommended):
WARNING: Configuring using legacy format (e.g. without an SSO session).
Consider re-running "configure sso" command and providing a session name.
SSO start URL [None]: https://island-is.awsapps.com/start
SSO Region [None]: eu-west-1

Then choose the environment of your choice, most likely island-is-development01. You will be prompted for the following:

CLI default client Region [eu-west-1]: <Press Enter>
CLI default output format [json]: <Press Enter>
CLI profile name [AWSPowerUserAccess-X]: <Custom name (e.g. islandis-dev)> or <Press Enter>

This step adds the new profile to your ~/.aws/config file. If you choose islandis-dev as the profile name, you will see [profile islandis-dev] in there.

  • Ready to use

You can now pass your profile to the get-secrets script.

AWS_PROFILE=<profile-name> yarn get-secrets <project-name> # e.g. profile-name -> islandis-dev as seen above

Refresh your profile: The SSO credentials only last 8 hours, after which AWS commands start failing. Run the following command to renew your SSO credentials.

aws sso login --profile <profile-name> # e.g. profile-name -> islandis-dev as seen above

It opens the browser so you can log in to your AWS account, refreshes your credentials, and you are ready to use the AWS commands again.

Pre-configured AWS profiles: Feel free to copy and paste these to your ~/.aws/config file:

[profile islandis-dev]
sso_start_url = https://island-is.awsapps.com/start
sso_account_id = 013313053092
sso_role_name = AWSPowerUserAccess
sso_region = eu-west-1
region = eu-west-1

[profile islandis-staging]
sso_start_url = https://island-is.awsapps.com/start
sso_account_id = 261174024191
sso_role_name = Secret_Service
sso_region = eu-west-1
region = eu-west-1

[profile islandis-prod]
sso_start_url = https://island-is.awsapps.com/start
sso_account_id = 251502586493
sso_role_name = Secret_Service
sso_region = eu-west-1
region = eu-west-1

AWS Vault: You can use AWS Vault to store and access AWS credentials in your operating system's secure keystore. When requesting credentials from an expired SSO session, it will automatically open a browser window for you to log in again.

Just follow its installation instructions and configure your ~/.aws/credentials file like this:

[islandis-dev]
credential_process = aws-vault exec islandis-dev --json

# ... do the same thing for your other profiles.

Using AWS session

This method is more manual: you export environment variables or edit a file by yourself. You will need to go to your AWS account and get the required credentials for the account you need.

  • Option 1: Set environment variables

You can copy/paste these environment variables to your terminal:

export AWS_ACCESS_KEY_ID=AWS_ACCESS_KEY_ID_EXAMPLE
export AWS_SECRET_ACCESS_KEY=AWS_SECRET_ACCESS_KEY_EXAMPLE
export AWS_SESSION_TOKEN=AWS_SESSION_TOKEN_EXAMPLE

  • Option 2: Edit ~/.aws/credentials

Copy/paste the values in the ~/.aws/credentials file.

[default]
aws_access_key_id = <KEY_ID>
aws_secret_access_key = <ACCESS_KEY>
aws_session_token = <SESSION_TOKEN>

  • Ready to use

In this case you don't need to pass a profile name, unlike with the SSO method.

yarn get-secrets <project-name>

Refresh your profile: The session token only lasts 1 hour, after which AWS commands start failing. You will need to log in to your AWS account and get new credentials, with one of the above methods.

Usage to fetch secrets

You should now be able to fetch secrets for the project you need.

With SSO

AWS_PROFILE=<profile-name> yarn get-secrets <project> [options]

Without SSO

yarn get-secrets <project> [options]

Example:

yarn get-secrets api

You can verify it by opening the .env.secret file at the repository root, or from your code, for example:

const { MY_SECRET_KEY } = process.env

You can also add the --reset argument to the command, that will reset the .env.secret file.

Troubleshoot

If you get the following error message, you will need to refresh your credentials as explained above.

An error occurred (ExpiredTokenException) when calling the GetParametersByPath operation: The security token included in the request is expired

Usage to create secrets

Run the following command; you will be prompted for input.

With SSO

AWS_PROFILE=<profile-name> yarn create-secret

Without SSO

yarn create-secret

Only alphanumeric characters, / and - are allowed in the secret name, and it should be 6-128 characters long.

You will be asked for a secret name that will be added to the /k8s/ secrets namespace, a secret value and the secret type (SecureString or String).

Example

➜ yarn create-secret

Secret name: /k8s/my-app/MY_APP_KEY
# Name: Ok!
# Length: Ok!

Secret value: a-very-secure-secret
# Length: Ok!

SecureString [Y/n]? # [enter] for SecureString
# SecureString selected

Add tags? [y/N]? # [enter] to skip creating tags

Example: Key=Foo,Value=Bar Key=Another,Value=Tag: # note: Key and Value are case sensitive! Create multiple tags by separating with whitespace.

Are you sure [Y/n]? # [enter] to confirm
# Creating secret....

It's recommended to use SecureString in most cases. However, if you need to add an email address or an email sender's name to the secrets, you can just use a String.

Note that this command only creates the secret in one AWS account at a time (e.g. island-is-development01). To create a secret in all environments, you need to run it with each corresponding AWS account configured, by going through the steps in Using AWS session multiple times.

To make this easier we recommend configuring SSO for each AWS account using a different AWS profile (islandis-dev, islandis-staging, islandis-prod). Then you can create a secret in all environments like this:

# If your SSO session is expired and you're not using AWS Vault, you can log into any one profile since they all share the same SSO session.
AWS_PROFILE=islandis-dev aws sso login

AWS_PROFILE=islandis-dev yarn create-secret
AWS_PROFILE=islandis-staging yarn create-secret
AWS_PROFILE=islandis-prod yarn create-secret
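As an added example (not the repository's create-secret script), the following Node snippet applies the name rules stated above and the tag syntax shown in the prompt, then assembles the argument list for aws ssm put-parameter. The validation function is an assumption, as is its acceptance of _, which the page's own example name /k8s/my-app/MY_APP_KEY uses.

```javascript
// Added example, not the repository's create-secret script: validate the
// prompt answers using the rules this page states and assemble the
// argument list for `aws ssm put-parameter`.

const NAMESPACE = '/k8s/';

// Page rule: alphanumerics, / and -, 6 to 128 characters. The page's own
// example name contains "_", so underscores are accepted too (assumption).
function validateSecretName(name) {
  if (typeof name !== 'string') return 'name must be a string';
  if (!/^[A-Za-z0-9\/_-]+$/.test(name)) {
    return 'only alphanumeric characters, / and - are allowed';
  }
  if (name.length < 6 || name.length > 128) {
    return 'name must be 6-128 characters long';
  }
  if (!name.startsWith(NAMESPACE)) return `name must start with ${NAMESPACE}`;
  return null; // null means the name is acceptable
}

// Tag syntax from the prompt: "Key=Foo,Value=Bar Key=Another,Value=Tag",
// whitespace separated; "Key" and "Value" are case sensitive.
function parseTags(input) {
  const tags = [];
  for (const token of input.trim().split(/\s+/).filter(Boolean)) {
    const m = /^Key=([^,=]+),Value=(.*)$/.exec(token);
    if (!m) throw new Error(`malformed tag "${token}": expected Key=...,Value=...`);
    tags.push({ Key: m[1], Value: m[2] });
  }
  return tags;
}

// secure=true maps to SecureString (the recommended default), else String.
function buildPutParameterArgs({ name, value, secure = true, tags = '' }) {
  const problem = validateSecretName(name);
  if (problem) throw new Error(problem);
  const args = ['ssm', 'put-parameter', '--name', name, '--value', value,
    '--type', secure ? 'SecureString' : 'String'];
  const parsed = parseTags(tags);
  if (parsed.length > 0) args.push('--tags', JSON.stringify(parsed));
  return args;
}

// Constructed input mirroring the prompt transcript above.
console.log(buildPutParameterArgs({
  name: '/k8s/my-app/MY_APP_KEY', value: 'a-very-secure-secret',
  tags: 'Key=Foo,Value=Bar Key=Another,Value=Tag',
}).join(' '));
```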

Finalizing creating secrets

To use the secrets in your app you need to add them to its infra configuration.

  1. Add the new secret to your-app/infra/your-app.ts

  2. Generate helm charts for your app with

yarn charts islandis

  3. Follow the documentation on Config Module

Making dev secrets available locally

Environment variables that should not be tracked but needed locally should be added to the .env.secret file. (NOTE: Each variable must be prefixed with export for direnv to pick them up.)

Additionally, you can fetch secrets configured in a project's infra DSL from the island-is-development01 AWS Parameter Store. Just run yarn get-secrets <project> and they'll be loaded into your .env.secret file.
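As an added example (not the repository's get-secrets script), the following Node snippet shows how a GetParametersByPath response for a project's /k8s/<project>/ path can be rendered as .env.secret lines carrying the export prefix that direnv needs. The sample response, the project name my-app and the way nested path segments are joined with _ are assumptions.

```javascript
// Added example, not the repository's get-secrets script: render an SSM
// GetParametersByPath response as direnv-friendly .env.secret lines.

// Constructed sample shaped like the AWS CLI/SDK GetParametersByPath
// response for --path /k8s/my-app --with-decryption (values are made up).
const SAMPLE_RESPONSE = {
  Parameters: [
    { Name: '/k8s/my-app/MY_APP_KEY', Type: 'SecureString', Value: 'a-very-secure-secret' },
    { Name: '/k8s/my-app/EMAIL_SENDER', Type: 'String', Value: "Posthólf 'Ísland.is'" },
    { Name: '/k8s/my-app/DB_URL', Type: 'SecureString', Value: 'postgres://u:p$w d@db/x' },
  ],
};

// Single-quote a value for POSIX sh so $, spaces and quotes survive direnv.
function shellQuote(value) {
  return "'" + String(value).replace(/'/g, "'\\''") + "'";
}

// Drop the /k8s/<project>/ prefix and join any remaining path segments with
// "_" (assumption; the real script's naming may differ). Reject anything
// that would not be a valid shell variable name.
function envName(parameterName, project) {
  const prefix = `/k8s/${project}/`;
  if (!parameterName.startsWith(prefix)) {
    throw new Error(`${parameterName} is outside ${prefix}`);
  }
  const name = parameterName.slice(prefix.length).replace(/\//g, '_');
  if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(name)) {
    throw new Error(`${parameterName} does not map to a valid variable name`);
  }
  return name;
}

// Every line is prefixed with "export" so direnv picks the variables up.
function renderEnvSecret(response, project) {
  return response.Parameters
    .map((p) => `export ${envName(p.Name, project)}=${shellQuote(p.Value)}`)
    .join('\n') + '\n';
}

process.stdout.write(renderEnvSecret(SAMPLE_RESPONSE, 'my-app'));
```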

Environment variables with static websites

More about it on the root README.

Running proxy against development service

More about it on the root README.
