I want to create a secret in Secrets Manager to be rotated periodically every 30 days, but without specifying the end service. Is it possible to remove the setSecret and testSecret sections from my Lambda, or will it give me errors?
Having an empty implementation has worked for me:
def set_secret(service_client, arn, token):
    """Set the secret
    This method should set the AWSPENDING secret in the service that the secret belongs to. For example, if the secret is a database
    credential, this method should take the value of the AWSPENDING secret and set the user's password to this value in the database.
    Args:
        service_client (client): The secrets manager service client
        arn (string): The secret ARN or other identifier
        token (string): The ClientRequestToken associated with the secret version
    """
    # This is where the secret should be set in the service
    pass
Related
I'm trying to incorporate Secret Manager with my projects for security but running into issues setting it up. I currently have a service account in project-b where I downloaded the JSON credential keys and have been using that to access my BigQuery table in my backend code.
My current setup:
I have project-a that uses Cloud Run to host my code.
I have project-b that uses BigQuery to hold some data for me.
From project-a, I'm trying to access the BigQuery table in project-b just like I've been doing with the JSON keys.
I keep running into this error:
PermissionDenied: 403 Permission 'secretmanager.versions.access' denied for resource 'projects/project-b/secrets/stockdata-secret/versions/1' (or it may not exist).
I have assigned the Secret Manager Secret Accessor and Secret Manager Viewer roles to a couple of my accounts but it still doesn't seem to work.
The client_email from the keys is set to the top service account in the screenshot below:
Permissions for the secret
Here is part of my back-end code:
# Grabbing keys from Secret Manager, got this code from Google docs
import os
from google.cloud import secretmanager

def access_secret_version(project_id, secret_id, version_id):
    # Create the Secret Manager client.
    client = secretmanager.SecretManagerServiceClient()
    # Build the resource name of the secret version.
    name = f"projects/{project_id}/secrets/{secret_id}/versions/{version_id}"
    # Access the secret version.
    response = client.access_secret_version(request={"name": name})
    payload = response.payload.data.decode("UTF-8")
    return payload
---
# Routing to the page
from flask import Flask
app = Flask(__name__)  # assumed: the question does not show how app is created

@app.route('/projects/random-page')
def random_page():
    payload = access_secret_version("project-b", "stockdata-secret", "1")
    # Authenticating service account.
    # Note: GOOGLE_APPLICATION_CREDENTIALS is read as a file path, so this assigns the JSON text itself rather than a path to it.
    os.environ["GOOGLE_APPLICATION_CREDENTIALS"] = payload
    # old way, which worked
    google_cloud_service_account = "creds.json"
    os.environ["GOOGLE_APPLICATION_CREDENTIALS"] = google_cloud_service_account
I'm trying to get the EB CLI working.
In my cmd I do
>eb init
which opens up a new terminal, which then soon asks for aws-access-id and aws-secret-key:
You have not yet set up your credentials or your credentials are incorrect
You must provide your credentials.
(aws-access-id): xxxx
(aws-secret-key): xxxxxxxxxx
ERROR: NotAuthorizedError - Operation Denied. The security token included in the request is invalid.
I'm not 100% sure whether aws-access-id refers to my username, the email address that created it or the user ID...
Same goes for the aws-secret-key; I'm assuming right now that it's the password for the account, not some one-off secret key.
I have used the console login link to register the IAM account and change the password.
I have set the permissions of this user group to AdministratorAccess.
##################################
what is aws-access-id:
my username?
the email address?
user id?
is there anything that looks wrong?
You need to use Access keys.
Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK).
If you have access to IAM and have sufficient privileges you can generate such keys for yourself. If not you need to contact your AWS administrator.
Please take a look at Managing access keys for IAM users for more information.
We want to set up Username and password authentication with AWS Secrets Manager as per the documentation.
We created a cluster in MSK
Created a secret as well, with the name AmazonMSK_testmsk2, key Password and value { "username": "alice", "password": "alice-secret" }.
Still, when we associate the secret with MSK we get the error: Amazon MSK failed to associate 1 secret for cluster. The provided secret has an invalid schema.
The troubleshooting documentation is not of much help either
Turns out you need to use Plaintext form.
This error can occur when one or more prerequisites for creating the secret have not been followed. There are a few prerequisites when creating the secret; see the AWS document for reference. Listing them below for quick access.
Choose Other type of secrets (e.g. API key) for the secret type.
Your secret name must have the prefix AmazonMSK_
Your user and password data must be in the following format to enter key-value pairs using the Plaintext option.
{
"username": "alice",
"password": "alice-secret"
}
In addition to @Sourabh's answer,
a secret created with the default AWS KMS key cannot be used with an Amazon MSK cluster,
so what you need to do is:
Open the Secrets Manager console.
In Secret name, choose your secret.
Choose Actions, then from the drop-down list select the AWS KMS key, select the check box for Create new version of secret with new encryption key, and then choose Save.
That should solve this error:
Amazon MSK failed to associate 1 secret for cluster sasl-cluster. Wait for a few minutes and try again. If the problem persists, see AWS Support Center. API Response : The provided secret is encrypted with the default key. You can't use this secret with Amazon MSK.
This is happening because at the time of secret creation you selected the default AWS KMS key option.
First you have to create a new KMS key,
then you have to select it in Secrets Manager at secret creation time.
After following all of this you will not get this error.
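The three answers above each cover one of the constraints MSK enforces (the AmazonMSK_ name prefix, the plain {"username","password"} JSON schema, and a customer-managed KMS key instead of the default aws/secretsmanager key). Here is an added example, not code from any of the answers, that turns those constraints into local checks before calling the APIs, so a mis-shaped secret fails in your script rather than at associate time; the KMS alias, cluster ARN and credentials in the `__main__` block are placeholders (assumptions), and the checks themselves need no AWS access.

```python
# Added example, not code from the answers above: builds a SASL/SCRAM secret that
# MSK will accept and associates it. Names in __main__ are placeholders (assumptions).
import json


def build_msk_secret(name, username, password, kms_key_id):
    """Return kwargs for secretsmanager.create_secret, or raise ValueError locally."""
    if not name.startswith("AmazonMSK_"):
        raise ValueError(f"secret name must start with AmazonMSK_, got {name!r}")
    if not username or not password:
        raise ValueError("username and password must both be non-empty")
    # MSK refuses secrets encrypted with the AWS-managed aws/secretsmanager key. Only the
    # alias form can be recognised here; a bare key id for that key still fails at associate time.
    if not kms_key_id or kms_key_id.startswith("alias/aws/"):
        raise ValueError("pass a customer-managed KMS key (id, ARN or alias), not the default key")
    # Exactly these two top-level string fields: anything else is 'an invalid schema' to MSK.
    return {"Name": name, "KmsKeyId": kms_key_id,
            "SecretString": json.dumps({"username": username, "password": password})}


def is_valid_msk_secret_string(secret_string):
    """Schema check for a value that is already stored (e.g. read back with get_secret_value)."""
    try:
        data = json.loads(secret_string)
    except ValueError:
        return False
    return (isinstance(data, dict) and set(data) == {"username", "password"}
            and all(isinstance(v, str) and v for v in data.values()))


def create_and_associate(secretsmanager, kafka, cluster_arn, name, username, password, kms_key_id):
    """Create the secret and attach it to the cluster; return the secret ARN."""
    created = secretsmanager.create_secret(**build_msk_secret(name, username, password, kms_key_id))
    result = kafka.batch_associate_scram_secret(ClusterArn=cluster_arn, SecretArnList=[created["ARN"]])
    if result.get("UnprocessedSecrets"):  # MSK reports per-secret failures here, not as an exception
        raise RuntimeError(f"MSK refused the secret: {result['UnprocessedSecrets']}")
    return created["ARN"]


if __name__ == "__main__":
    import boto3  # only the live calls need the SDK; the checks above run without it
    placeholder_cluster = "arn:aws:kafka:us-east-1:123456789012:cluster/sasl-cluster/11111111-2222-3333-4444-555555555555-1"
    print(create_and_associate(boto3.client("secretsmanager"), boto3.client("kafka"), placeholder_cluster,
                               "AmazonMSK_testmsk2", "alice", "alice-secret", "alias/msk-scram-key"))
```

The key/value form from the question (key Password, value the whole JSON) produces {"Password": "{...}"} once stored, which is exactly what is_valid_msk_secret_string rejects; choosing Plaintext and pasting the JSON directly gives the shape build_msk_secret emits.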
I wrote a Python script on a function in one account that tries to get a secret value from a second account using boto3 with client.get_secret_value(). However, client.update_secret() only seems to be working for secrets in the same account, not secrets in the second account.
secretUpdated = client.update_secret(
    SecretId='arn for my test secret',
    Description='',
    KmsKeyId='kms key arn',
    SecretString='the Secret string for my test secret with key values'
)
I get back Access denied but as far as I can tell it should have secretsmanager:UpdateSecret both from the function in the first account and to the secret in the other account with it being set in all the same places I added getsecret (function policy on role and the resource policy on the secret) so I don't know if there are any extra parameters I need to add to the script when it is cross-account?
Secrets can only be accessed/updated in the account associated with the IAM credentials that you are using. (Otherwise, I would be able to view/change the secrets in your account!)
You have two options:
Option 1: Use credentials associated with the 'other' account
Obtain an Access Key and Secret Key for an IAM User in the 'other' account that has permissions to use Secrets Manager. Then, use those credentials with boto3. This can be done in a couple of ways:
Store the credentials as a different profile, using aws configure --profile account2
Then use the profile like this:
import boto3
session = boto3.Session(profile_name='account2')
secrets_client = session.client('secretsmanager')
OR
Pass the credentials to the client with:
import boto3
secrets_client = boto3.client('secretsmanager', aws_access_key_id='AKIAxxx', aws_secret_access_key='xyz')
The secrets_client will then be accessing the other account.
See: Credentials — Boto3 Docs documentation
Option 2: Assume an IAM Role in the 'other' account
Create an IAM Role in the 'other' account and grant it permissions for Secrets Manager
Add a Trust Policy to the IAM Role that allows it to be 'assumed' by the IAM User in your 'normal' account
Using boto3, call assume_role() to assume the IAM Role in the other account
import boto3
from boto3.session import Session
client = boto3.client('sts')
response = client.assume_role(RoleArn='arn:aws:iam::00000000000000:role/example-role', RoleSessionName='account2')
# Use the temporary credentials AssumeRole returns (including the session token), not a long-term key pair
creds = response['Credentials']
session = Session(aws_access_key_id=creds['AccessKeyId'],
                  aws_secret_access_key=creds['SecretAccessKey'],
                  aws_session_token=creds['SessionToken'])
secrets_client = session.client('secretsmanager')
See: Switching to an IAM role (AWS API) - AWS Identity and Access Management
IT sent me these things:
auth-dev
user name
Access Key ID
Secret Access Key
Password
How do I log in to the AWS console, please? This is frustrating; a very basic thing. I logged in with different combinations, kept searching online, just no luck.
I know there's a term: key, secret. What is this secret access key? Can't we have a unified name for the industry?
Am I getting too old or what? Why are these names so confusing?
To login to the web-based AWS Management Console, use:
Account ID or Account Alias (identifies your company account)
Username
Password
To make programmatic API calls, use:
Access Key
Secret Access Key
Install the AWS CLI:
aws configure # answer the questions with info you have
aws sts get-caller-identity # find your user name and account ID
aws iam update-login-profile --user-name user-name --password secret
In a browser visit https://account-id.signin.aws.amazon.com/console