Using SOPS with AWS Secrets Manager for Secure Secret Management

Managing secrets securely is a critical task in infrastructure management. One effective approach is to combine the use of AWS Secrets Manager (ASM) with Mozilla's SOPS (Secrets OPerationS) tool. This blog post will delve into the technical details of integrating SOPS with AWS Secrets Manager to ensure secure storage and retrieval of secrets.

AWS Secrets Manager Overview

AWS Secrets Manager is a service designed to manage, retrieve, and rotate database credentials, application credentials, OAuth tokens, API keys, and other secrets throughout their lifecycles. It helps improve security by eliminating the need for hard-coded credentials in application source code. Instead, credentials are stored in Secrets Manager and retrieved dynamically when needed, reducing the risk of compromise.

SOPS Overview

SOPS is an editor of encrypted files that supports various formats, including YAML, JSON, ENV, INI, and BINARY. It encrypts files using AWS KMS, GCP KMS, Azure Key Vault, age, and PGP. SOPS is particularly useful in managing secrets securely by preventing unencrypted files from lingering on local file systems.

Integrating SOPS with AWS Secrets Manager

To integrate SOPS with AWS Secrets Manager, follow these steps:

Step 1: Create an Encrypted File with SOPS

Use SOPS to create a new file whose values are encrypted with an AWS KMS key (the command below also lists a PGP key as a second recipient, so either key can decrypt the file). Because only holders of those keys can read the values, the encrypted file can be committed to a source repository without exposing the secrets.

$ sops edit --kms "arn:aws:kms:us-west-2:927034868273:key/fe86dd69-4132-404c-ab86-4269956b4500" --pgp C9CAB0AF1165060DB58D6D6B2653B624D620786D /path/to/new/file.yaml

Step 2: Decrypt the File in Terraform

To use the encrypted file in Terraform, use the SOPS Terraform provider by carlpett. Its sops_file data source decrypts the file during plan and apply and exposes the cleartext as an attribute that can be read into a local value.

terraform {
  required_providers {
    sops = {
      source  = "carlpett/sops"
      version = "= 0.6.3"
    }
  }
}

# Decrypt the SOPS file committed in Step 1. Decryption uses the KMS key recorded in the
# file's sops metadata, so the identity running Terraform needs kms:Decrypt on that key.
data "sops_file" "primary" {
  source_file = "${path.module}/secrets.encrypted.json"
  # "raw" exposes the decrypted content verbatim in the "raw" attribute.
  input_type = "raw"
}

locals {
  # JSON is valid YAML, so yamldecode also parses the decrypted JSON document.
  secrets_primary = yamldecode(data.sops_file.primary.raw)
}

Step 3: Create a Secret in AWS Secrets Manager

Use the decrypted secret to create a Secret within AWS Secrets Manager. This ensures that the secret is stored securely and can be accessed dynamically.

variable "description" {
  description = "Description attached to the secret"
  type        = string
}

resource "aws_secretsmanager_secret" "secret" {
  name_prefix = "example-"
  description = var.description
}

resource "aws_secretsmanager_secret_version" "secret" {
  secret_id = aws_secretsmanager_secret.secret.id
  # "-" is not valid in dotted attribute access (example-user would parse as a subtraction),
  # so index the decoded map with a quoted key. The plaintext is written to Terraform state,
  # so the state backend must be encrypted and access-controlled like the secret itself.
  secret_string = local.secrets_primary["example-user"].password
}

Step 4: Secure Access to the Secret

Add a least-privilege IAM policy that scopes access to this secret, so that only the users or services that need its value can read it.
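Terraform for this step, as an added example that is not part of the original post: it attaches a read-only, single-secret policy to an existing IAM role whose name is passed in as the assumed variable reader_role_name; aws_secretsmanager_secret.secret is the resource from Step 3.

```hcl
# Added example (not from the original post): a least-privilege identity policy for
# the secret created in Step 3. The IAM role named in var.reader_role_name is an
# assumed input and must already exist; everything else references resources above.

variable "reader_role_name" {
  description = "Name of the existing IAM role that is allowed to read the secret"
  type        = string
}

data "aws_iam_policy_document" "read_secret" {
  # Grant only the read actions, and only on this one secret's ARN. Do not use
  # "arn:aws:secretsmanager:*:*:secret:*" or "*" here: that would expose every
  # secret in the account to the role. Referencing the arn attribute also copes
  # with the random suffix that name_prefix appends to the secret name.
  statement {
    sid       = "ReadExampleSecretOnly"
    effect    = "Allow"
    actions   = ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]
    resources = [aws_secretsmanager_secret.secret.arn]
  }
  # Write actions (PutSecretValue, UpdateSecret, DeleteSecret) are deliberately
  # absent: the reader must not be able to overwrite or remove the value.
}

resource "aws_iam_policy" "read_secret" {
  name_prefix = "read-example-secret-"
  policy      = data.aws_iam_policy_document.read_secret.json
}

resource "aws_iam_role_policy_attachment" "read_secret" {
  role       = var.reader_role_name
  policy_arn = aws_iam_policy.read_secret.arn
}
```

If the secret is later moved from the default AWS-managed key to a customer-managed KMS key, the same role also needs kms:Decrypt on that key or GetSecretValue will fail.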

Conclusion

Using SOPS with AWS Secrets Manager provides a robust solution for managing secrets securely. By encrypting files with SOPS and loading their contents into AWS Secrets Manager, you can ensure that secrets are protected from unauthorized access. This integration is particularly useful in Platform Engineering, where secure secret management is crucial.