
We are looking to configure our Secrets Manager instances via CloudFormation/CDK.

Based on what we've read, Secrets Manager recommends using their generate-secrets function.

Unfortunately, we can't use the generate-secrets function, since some of these secrets are values that are generated by third-party services, things like API keys, etc.

We are hesitant to put secret values directly into the CDK code as well, since this is considered bad practice.

What's the recommended approach/pattern for this?

2 Answers

I create the secret by hand and then hard-code the ARN into the CDK. That way, no secret information is ever checked in, and there is no risk (read: certainty) that CDK will erase the secret.

I do the same with key-pairs for the same reason.


The standard approach is to provision the secrets with AWS CDK and then populate the values by hand after deployment.

3 Comments

Let's say we populate the secret values via the web console after deployment. Would further updates on the stack where the Secrets are situated revert the secret values? Given that the CDK code of the Secrets on the said stack is not updated.
@froi No, only an action that caused a "forced replacement" could cause that to happen. However, at work we tend to err on the side of caution and manually create these secrets and tag them extensively to tie them back to a project.
No, replacement is not the only scenario that can result in your value being overwritten - changing the value or the value generation options in the secrets in CDK would overwrite it as well.
