4.15. Secrets#

You can expose secrets such as usernames and password to SEP by using environment variables.

The AWS secrets manager (ASM) can store and manage the secrets.

Create a secrets document in ASM using the following format:

  "secrets": [
      "name": "secretName0",
      "value": "secretValue0",
      "description": "secretDescription0"
      "name": "secretName1",
      "value": "secretValue1",
      "description": "secretDescription1"

A small script can retrieve the file from ASM, extract the secrets and expose them as environment variables.

#!/usr/bin/env bash
# A simple script utilizing the AWS CLI v2 and ASM
# $1 = id of the secret in ASM, which is a JSON document

aws secretsmanager get-secret-value \
--secret-id ${1} \
--query SecretString --output text | \
jq -r '.secrets[] | "export " + .name + "=\"" + .value + "\""'

The script produces the following output with the above secrets file.

export secretName0=secretValue0
export secretName1=secretValue1

Embed the commands from the script into a bootstrap script and ensure that your EC2 machines are granted access to ASM and run it within the same region.

As a result your secrets are exposed as environment variables and can therefore be used in catalog files and wherever else you want to use secrets.

You can also use the script, for example $HOME/bin/secrets-as-envars, manually for testing. Call it directly or from your shell startup script, such as $HOME/.bashrc:

eval $($HOME/bin/secrets-as-envars)