AWS Secrets

Prerequisites

  • You will need AWS command line installed.
  • You have jq installed.
    • brew install jq
  • You will also need access to the AWS account. Ask someone from DevOps to send you an invitation.

Getting started

Using AWS SSO

Using SSO is the most straightforward solution. You won't need to log in to your AWS account manually; the command opens the required URL for you.
  • Run the sso command for the first time
```shell
aws configure sso

SSO start URL [None]: https://island-is.awsapps.com/start
SSO Region [None]: eu-west-1
```
Then choose the environment of your choice, most likely island-is-development01. You will be prompted for the following:
```shell
CLI default client Region [eu-west-1]: <Press Enter>
CLI default output format [json]: <Press Enter>
CLI profile name [AWSPowerUserAccess-X]: <Custom name (e.g. dev)> or <Press Enter>
```
This step adds the new profile to your ~/.aws/config file. If you chose dev as the profile name, you will see a [profile dev] section there.
  • Ready to use
You can now pass your profile to the get-secrets script.
```shell
AWS_PROFILE=<profile-name> yarn get-secrets <project-name> # e.g. profile-name -> dev as seen above
```
Refresh your profile: SSO credentials only last 8 hours, after which AWS commands start failing. Run the following command to renew your SSO credentials.
```shell
aws configure sso --profile <profile-name> # e.g. profile-name -> dev as seen above
```
It opens the browser so you can log in to your AWS account, refreshes your credentials, and you are ready to use the AWS commands again.

Using AWS session

This method is more manual: you will need to export environment variables or edit a file yourself.
You will need to go to your AWS account and get the required credentials for the account you need.
  • Option 1: Set environment variables
You can copy/paste these environment variables to your terminal:
```shell
export AWS_ACCESS_KEY_ID=AWS_ACCESS_KEY_ID_EXAMPLE
export AWS_SECRET_ACCESS_KEY=AWS_SECRET_ACCESS_KEY_EXAMPLE
export AWS_SESSION_TOKEN=AWS_SESSION_TOKEN_EXAMPLE
```
  • Option 2: Edit ~/.aws/credentials
Copy/paste the values into the ~/.aws/credentials file.
```ini
[default]
aws_access_key_id = <KEY_ID>
aws_secret_access_key = <ACCESS_KEY>
aws_session_token = <SESSION_TOKEN>
```
  • Ready to use
In this case you won't need to pass a profile name, unlike with the SSO method.
```shell
yarn get-secrets <project-name>
```
Refresh your profile: The session token only lasts 1 hour, after which AWS commands start failing. You will need to log in to your AWS account and get new credentials, with one of the above methods.

Usage to fetch secrets

You should now be able to fetch secrets for the project you need.
With SSO
```shell
AWS_PROFILE=<profile-name> yarn get-secrets <project> [options]
```
Without SSO
```shell
yarn get-secrets <project> [options]
```
Example:
```shell
yarn get-secrets api
```
You can verify it by opening the .env.secret file at the root, or inside your code, for example:
```javascript
const { MY_SECRET_KEY } = process.env
```
You can also add the --reset argument to the command, which resets the .env.secret file.

Troubleshoot

If you get the following error message, you will need to refresh your credentials as explained above.
```text
An error occurred (ExpiredTokenException) when calling the GetParametersByPath operation: The security token included in the request is expired
```
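The "Refresh your profile" notes above and this Troubleshoot section describe the same failure mode: a session that silently expires and surfaces only as an ExpiredTokenException from the next AWS call. The following added example (not part of the original page or of the project's get-secrets script) is a small POSIX shell wrapper that runs any command, inspects its stderr for that exact message, prints the matching refresh instruction and returns a dedicated exit code so scripts can react instead of retrying blindly. The function name with_aws_session, the constant AWS_EXPIRED_RC and the constructed fake_expired_aws_call stand-in are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original page. Names below are this example's own.

# Exit code returned to the caller when the wrapped command failed because
# the AWS session token had expired.
AWS_EXPIRED_RC=99

# with_aws_session CMD [ARGS...]
# Runs CMD with its arguments, capturing stderr to a temp file. If the
# command fails and its stderr contains the ExpiredTokenException text from
# the Troubleshoot section, print the refresh instruction and return
# AWS_EXPIRED_RC; otherwise pass the command's own exit code through.
with_aws_session() {
  tmp_err=$(mktemp) || return 1
  "$@" 2>"$tmp_err"
  rc=$?
  # Always show the original stderr so nothing is hidden from the user.
  cat "$tmp_err" >&2
  if [ "$rc" -ne 0 ] && grep -q 'ExpiredTokenException' "$tmp_err"; then
    if [ -n "${AWS_PROFILE:-}" ]; then
      echo "AWS session expired. Refresh it with: aws configure sso --profile $AWS_PROFILE" >&2
    else
      echo "AWS session expired. Export fresh credentials or update ~/.aws/credentials." >&2
    fi
    rm -f "$tmp_err"
    return "$AWS_EXPIRED_RC"
  fi
  rm -f "$tmp_err"
  return "$rc"
}

# Constructed stand-in for a failing AWS call so the wrapper can be exercised
# offline; it emits the exact error line quoted in the Troubleshoot section.
fake_expired_aws_call() {
  echo 'An error occurred (ExpiredTokenException) when calling the GetParametersByPath operation: The security token included in the request is expired' >&2
  return 254
}

# Usage with the real script:
#   with_aws_session yarn get-secrets api
#   [ $? -eq "$AWS_EXPIRED_RC" ] && echo "refresh credentials, then retry"
```

The wrapper never swallows output: stderr is replayed before the hint so the original AWS error stays visible. The AWS CLI also provides `aws sso login --profile <profile-name>`, which renews an SSO session without re-running the configuration wizard; either command works for the SSO method above.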

Usage to create secrets

Run the following command; you will be prompted for input.
```shell
yarn create-secret
```
You will be asked for a secret name, which will be added under the /k8s/ secrets namespace, a secret value, and the secret type (SecureString or String).

Example

```shell
yarn create-secret

Secret name: /k8s/my-app/MY_APP_KEY
# Name: Ok!
# Length: Ok!

Secret value: a-very-secure-secret
# Length: Ok!

SecureString [Y/n]? # [enter] for SecureString
# SecureString selected

Add tags? [y/N]? # [enter] to skip creating tags

Example: Key=Foo,Value=Bar Key=Another,Value=Tag: # note: Key and Value are case sensitive! Create multiple tags by separating with whitespace.

Are you sure [Y/n]? # [enter] to confirm
# Creating secret....
```
It's recommended to use SecureString in most cases. However, if you need to add an email address or an email sender's name to the secrets, you can just use a String.
Only alphanumeric characters, / and - are allowed. The secret name must be between 6 and 128 characters long.
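As an added example (not part of the original page or of the project's create-secret script), the following POSIX shell function applies the naming rules just stated as a pre-flight check before a secret is created: 6 to 128 characters, only the allowed character set, and a path under the /k8s/ namespace that create-secret writes to. Two choices are this example's own assumptions: the underscore is accepted in addition to alphanumerics, / and -, because the page's own example name /k8s/my-app/MY_APP_KEY contains one, and names with empty path segments or a trailing slash are rejected since they are not usable Parameter Store paths. The function name validate_secret_name is also this example's own.

```shell
#!/bin/sh
# Added example, not part of the original page. Function name is this example's own.

# validate_secret_name NAME
# Returns 0 when NAME is acceptable, otherwise prints the reason to stderr
# and returns 1. Rules: 6-128 characters; alphanumerics, "/" and "-" (plus
# "_", assumed from the page's own example /k8s/my-app/MY_APP_KEY); must sit
# under the /k8s/ namespace; no empty path segments or trailing slash.
validate_secret_name() {
  name=$1
  len=${#name}
  if [ "$len" -lt 6 ] || [ "$len" -gt 128 ]; then
    echo "invalid name: length $len, must be 6-128 characters" >&2
    return 1
  fi
  case $name in
    /k8s/*) ;;
    *) echo "invalid name: must start with /k8s/" >&2; return 1 ;;
  esac
  # Reject any character outside the allowed set.
  if printf '%s' "$name" | grep -q '[^A-Za-z0-9/_-]'; then
    echo "invalid name: only alphanumerics, /, - and _ are allowed" >&2
    return 1
  fi
  # A Parameter Store path must not end with "/" or contain "//".
  case $name in
    */|*//*) echo "invalid name: empty path segment" >&2; return 1 ;;
  esac
  return 0
}

# Usage: validate_secret_name "/k8s/my-app/MY_APP_KEY" && yarn create-secret
```

The check runs locally and costs nothing, so it is a cheap way to catch a typo in the namespace before the interactive prompt reaches "Are you sure".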

Making dev secrets available locally

Environment variables that must not be tracked in version control but are needed locally belong in the .env.secret file. (NOTE: each variable must be prefixed with export for direnv to pick it up.)
Additionally, if that same variable is also stored in AWS Parameter Store, the secret can be labeled with the dev label from History -> Attach labels.
All secrets labeled with the dev label can be fetched using yarn get-secrets <project>.
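The export-prefix requirement above is easy to get wrong by hand, and direnv silently ignores a line that lacks it. The following added example (not part of the original page or of the project's get-secrets script) provides two POSIX shell helpers: one that appends a variable to a .env.secret file in the form direnv expects, single-quoting the value so spaces and shell metacharacters survive sourcing, and one that audits an existing file and reports every non-comment line missing the prefix. The function names add_env_secret and check_env_secret are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original page. Function names are this example's own.

# add_env_secret FILE KEY VALUE
# Appends "export KEY='VALUE'" to FILE. The value is single-quoted, with any
# embedded single quote escaped as '\'' so the line sources back unchanged.
# Refuses keys that are not valid shell identifiers.
add_env_secret() {
  file=$1 key=$2 value=$3
  case $key in
    [A-Za-z_]*) ;;
    *) echo "invalid variable name: $key" >&2; return 1 ;;
  esac
  if printf '%s' "$key" | grep -q '[^A-Za-z0-9_]'; then
    echo "invalid variable name: $key" >&2
    return 1
  fi
  escaped=$(printf '%s' "$value" | sed "s/'/'\\\\''/g")
  printf "export %s='%s'\n" "$key" "$escaped" >>"$file"
}

# check_env_secret FILE
# Returns 0 when every non-empty, non-comment line has the form
# "export NAME=...", otherwise lists the offending lines and returns 1.
check_env_secret() {
  bad=$(grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' \
               -e '^export [A-Za-z_][A-Za-z0-9_]*=' "$1" || true)
  if [ -n "$bad" ]; then
    echo "lines without export prefix (direnv will ignore them):" >&2
    echo "$bad" >&2
    return 1
  fi
  return 0
}

# Usage:
#   add_env_secret .env.secret MY_SECRET_KEY 'some value'
#   check_env_secret .env.secret
```

Both helpers only touch the local file; the AWS Parameter Store side (the dev label described above) is unchanged, so the audit can be run after every yarn get-secrets to confirm the file still sources cleanly.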

Environment variables with static websites

See the root README for details.

Running proxy against development service

See the root README for details.