AWS Secrets Manager Integration

In this lab you will perform the following:

  • Create a secret in AWS Secrets Manager that contains your Amazon DocumentDB cluster name, user ID, and password.
  • Securely access your Amazon DocumentDB cluster using the sample Python code from the Introduction module, modified to retrieve its credentials from AWS Secrets Manager.
  • Configure AWS Secrets Manager to automatically rotate your Amazon DocumentDB cluster's password.

AWS Secrets Manager & Amazon DocumentDB integration overview

AWS Secrets Manager helps you protect the secrets needed to access your applications, services, and IT resources. The service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. Users and applications retrieve secrets with a call to the AWS Secrets Manager API, eliminating the need to hardcode sensitive information in plain text. AWS Secrets Manager offers secret rotation with built-in integration for Amazon RDS, Amazon Redshift, and Amazon DocumentDB. In addition, AWS Secrets Manager enables you to control access to secrets using fine-grained permissions and to audit secret rotation centrally for resources in the AWS Cloud, third-party services, and on-premises.

Applications can call AWS Secrets Manager to securely access Amazon DocumentDB without storing credentials inside your applications. This protects credentials from exposure, for example when code is checked into an external software version control system such as GitHub. AWS Secrets Manager also protects against credentials that are never rotated. With a few clicks, you can configure AWS Secrets Manager to rotate these credentials automatically, turning a long-lived credential into a short-lived one. Using temporary credentials is an AWS Identity and Access Management (IAM) recommended best practice.
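The pattern described above, retrieving the credential from AWS Secrets Manager at run time instead of hardcoding it, is shown in the following added example. It is not the lab's own sample code. It assumes the secret is stored as a JSON string with the keys `username`, `password`, `host`, `port` and `ssl` (the layout used by the Amazon DocumentDB rotation template), that the secret name `docdb/lab/credentials` and region `us-east-1` are placeholders to replace with your own, and that the CA bundle file name and `FakeSecretsManager` client are constructed here only so the helpers can be exercised offline.

```python
"""Fetch Amazon DocumentDB credentials from AWS Secrets Manager and build a
connection URI, so the password never appears in application code.

Added example, not the lab's own code. Assumptions: the secret is a JSON
string with the keys username/password/host/port/ssl (the layout of the
DocumentDB rotation template); SECRET_ID and REGION are placeholders.
"""
import json
import re
from urllib.parse import quote_plus

SECRET_ID = "docdb/lab/credentials"   # placeholder: your secret's name or ARN
REGION = "us-east-1"                  # placeholder: your cluster's region
REQUIRED_KEYS = ("username", "password", "host")


def fetch_secret(secret_id, client=None):
    """Return the parsed secret as a dict.

    `client` defaults to a boto3 Secrets Manager client; anything with a
    compatible get_secret_value(SecretId=...) method can be injected, which
    keeps the rest of the code testable without AWS access.
    """
    if client is None:
        import boto3  # imported lazily so the pure helpers run without boto3
        client = boto3.client("secretsmanager", region_name=REGION)
    resp = client.get_secret_value(SecretId=secret_id)
    # Console-created secrets are SecretString; a SecretBinary payload would
    # mean the secret was not created the way this lab expects.
    if "SecretString" not in resp:
        raise ValueError("secret %s is not a string secret" % secret_id)
    secret = json.loads(resp["SecretString"])
    missing = [k for k in REQUIRED_KEYS if k not in secret]
    if missing:
        raise ValueError("secret %s lacks keys: %s" % (secret_id, ", ".join(missing)))
    return secret


def build_uri(secret, ca_file="global-bundle.pem"):
    """Build a DocumentDB (MongoDB-compatible) connection URI from the secret.

    Username and password are percent-encoded: a rotated password may contain
    '@', ':' or '/' which would otherwise corrupt the URI.
    """
    user = quote_plus(secret["username"])
    pwd = quote_plus(secret["password"])
    host = secret["host"]
    port = int(secret.get("port", 27017))
    use_tls = str(secret.get("ssl", True)).lower() == "true"
    opts = ["replicaSet=rs0", "readPreference=secondaryPreferred", "retryWrites=false"]
    if use_tls:
        opts = ["tls=true", "tlsCAFile=%s" % ca_file] + opts
    return "mongodb://%s:%s@%s:%d/?%s" % (user, pwd, host, port, "&".join(opts))


def redact(uri):
    """Return a copy of the URI with the password replaced, safe for logs."""
    return re.sub(r"://([^:/@]+):[^@]*@", r"://\1:***@", uri)


class FakeSecretsManager:
    """Constructed stand-in for the boto3 client, for offline runs/tests only."""
    SAMPLE = {"username": "docdbadmin", "password": "p@ss:w/rd",
              "engine": "mongo", "host": "docdb.example.cluster",
              "port": 27017, "ssl": True, "dbClusterIdentifier": "lab-cluster"}

    def get_secret_value(self, SecretId):
        return {"SecretString": json.dumps(self.SAMPLE)}


def demo_offline():
    """Run the whole flow against the constructed fake client."""
    creds = fetch_secret(SECRET_ID, client=FakeSecretsManager())
    return build_uri(creds)


if __name__ == "__main__":
    # Real run: needs boto3, pymongo and IAM permission secretsmanager:GetSecretValue.
    from pymongo import MongoClient
    uri = build_uri(fetch_secret(SECRET_ID))
    print("connecting with", redact(uri))   # never log the unredacted URI
    print(MongoClient(uri).server_info()["version"])
```

Two points worth keeping in mind once rotation is enabled: fetch the secret when the application starts or when a connection attempt fails with an authentication error, rather than on every request, so that a rotated password is picked up without hammering the API; and log only the output of `redact`, since the URI embeds the password.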

In this lab, you will store a database credential for an Amazon DocumentDB cluster in AWS Secrets Manager, then have a sample Python application access the secret. Finally, you will configure AWS Secrets Manager to rotate this secret automatically.