AWS Secrets
You will need installed.
You have jq installed:
brew install jq
You will also need access to the AWS account. Ask someone from DevOps to send you an invitation.
Using SSO is the most straightforward option. You won't need to open your AWS account yourself; the command opens the needed URL for you.
Run the sso command for the first time
Recent aws-cli versions ask for an SSO session name. island.is accounts currently don't support that and depend on the legacy configuration format, so it is important to press Enter without entering any value at the SSO session name (Recommended) prompt.
Then choose the environment of your choice, most likely island-is-development01. You will be prompted for the following:
This step will add the new profile to your ~/.aws/config file. If you choose islandis-dev as the profile's name, you will see [profile islandis-dev] in there.
Ready to use
You can now pass your profile to the get-secrets script.
This method is more manual: you will need to export environment variables or edit a file yourself.
Option 1: Set environment variables
You can copy/paste these environment variables to your terminal:
Option 2: Edit ~/.aws/credentials
Copy/paste the values into the ~/.aws/credentials file.
Ready to use
In this case you won't need to pass a profile name, as opposed to the SSO method.
You should now be able to fetch secrets for the project you need.
With SSO
Without SSO
Example:
You can verify it by opening the .env.secret file at the root, or from your code, for example:
You can also add the --reset argument to the command, which will reset the .env.secret file.
If you get the following error message, you will need to refresh your credentials as explained above.
Run the following command; you will be prompted for input.
With SSO
Without SSO
Only alphanumeric characters, / and - are allowed. The secret name must be between 6 and 128 characters long.
You will be asked for a secret name that will be added to the /k8s/ secrets namespace, a secret value and the secret type (SecureString or String).
In order to use the secrets in your app you need to add them to its infra configuration.
Add the new secret to your-app/infra/your-app.ts
Generate helm charts for your app with
Follow the documentation on Config Module
Environment variables that should not be tracked but are needed locally should be added to the .env.secret file. (NOTE: Each variable must be prefixed with export for direnv to pick them up.)
Additionally, you can fetch secrets configured in a project's infra DSL from the island-is-development01 AWS Parameter Store. Just run yarn get-secrets <project> and they'll be loaded into your .env.secret file.
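The naming rule for new secrets and the export-prefixed .env.secret format described above, as an added example (hypothetical helpers written for this page, not the island.is get-secrets script); it assumes parameters live under /k8s/<project>/<name> and that the environment variable name is derived from the last path segment.

```python
"""Hypothetical helpers illustrating the rules above; not island.is code.
Assumes Parameter Store names follow /k8s/<project>/<name>."""
import json
import re

# Rule from the docs: only alphanumerics, '/' and '-', 6 to 128 characters.
_NAME_RE = re.compile(r"^[A-Za-z0-9/-]{6,128}$")


def valid_secret_name(name: str) -> bool:
    """True if `name` satisfies the secret-name rule quoted in the docs."""
    return _NAME_RE.fullmatch(name) is not None


def env_lines(ssm_response: dict, project: str) -> list:
    """Turn a get-parameters-by-path style response into `export KEY=value`
    lines; direnv only picks up .env.secret variables prefixed with export.
    The KEY derivation (last path segment, '-' -> '_', upper-cased) is an
    assumption made for this example."""
    prefix = f"/k8s/{project}/"
    lines = []
    for param in ssm_response.get("Parameters", []):
        name = param["Name"]
        if not name.startswith(prefix):
            continue  # parameter belongs to another project; skip it
        key = name[len(prefix):].replace("/", "_").replace("-", "_").upper()
        # Single-quote the value so shell metacharacters are not interpreted.
        value = param["Value"].replace("'", "'\"'\"'")
        lines.append(f"export {key}='{value}'")
    return lines


# Constructed sample shaped like `aws ssm get-parameters-by-path --with-decryption`
SAMPLE = json.loads('''{"Parameters": [
  {"Name": "/k8s/my-app/db-password", "Type": "SecureString", "Value": "s3cr3t"},
  {"Name": "/k8s/my-app/api-url", "Type": "String", "Value": "https://example.invalid"},
  {"Name": "/k8s/other-app/token", "Type": "SecureString", "Value": "not-mine"}
]}''')

if __name__ == "__main__":
    for line in env_lines(SAMPLE, "my-app"):
        print(line)
```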
AWS Vault: You can use AWS Vault to store and access AWS credentials in your operating system's secure keystore. When requesting credentials from an expired SSO session, it will automatically open a browser window for you to log in again.
Just follow its and configure your ~/.aws/credentials file like this:
You will need to go to your and get the required credentials for the account you need.
Note that this command only creates the secret in one AWS account at a time (e.g. island-is-development01). To create a secret in all environments, you need to run it with each corresponding AWS account configured, by going through the steps multiple times.
More about it on the root .