1. Storing AI API Keys Using AWS Secrets Manager

    Python

    AWS Secrets Manager is a service that helps you protect access to your applications, services, and IT resources without the upfront investment and ongoing maintenance costs of operating your own infrastructure. Secrets Manager lets you rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.

    We'll be using Pulumi with the aws.secretsmanager.Secret class provided by the pulumi_aws Python SDK to create a new secret. This resource allows you to create and manage a secret in AWS Secrets Manager.

    Below is a Pulumi program in Python that defines a secret stored within AWS Secrets Manager. This secret could be an API key that your application or infrastructure will use.

    import pulumi
    import pulumi_aws as aws

    # Defining a new secret to store your AI API keys.
    ai_api_key_secret = aws.secretsmanager.Secret("aiApiKeySecret",
        description="AI API Key",
        # If you need to tag the secret you can do so by uncommenting the following lines
        # tags={
        #     "Environment": "Production",
        #     "Application": "AI Service"
        # }
    )

    # As it is recommended by AWS to avoid placing secret values directly in your code,
    # you should use the AWS console or the AWS CLI to set the actual value of the secret.
    # This resource simply creates the secret and enables you to manage it via Pulumi.

    # This will output the ARN of the secret which you can later retrieve and use in your applications.
    pulumi.export('ai_api_key_secret_arn', ai_api_key_secret.arn)

    This Pulumi program only creates the secret's metadata and does not actually populate the secret with the API key value. As a security best practice, you should avoid hardcoding secret values in your infrastructure code.

    After running this Pulumi program, you will have a secret created in AWS Secrets Manager, and you will receive an ARN for that secret. You can then use the AWS Console or the AWS CLI to set the value of the secret safely.

    Here's how you can set the secret's value after creating it:

    1. Via the AWS Management Console:

      • Navigate to the AWS Secrets Manager console.
      • Locate the secret created by Pulumi (using the ARN from the Pulumi output).
      • On the secret details page, select "Retrieve secret value".
      • Click on "Edit" and enter the secret value (your API key).
    2. Via the AWS CLI:

      • Run the following command, replacing <SECRET_ARN> with the ARN from the Pulumi output and <API_KEY_VALUE> with your actual API key:
    aws secretsmanager put-secret-value --secret-id <SECRET_ARN> --secret-string "<API_KEY_VALUE>"

    Remember to handle the API key with care and only share the details with authorized users within your organization.
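
An added example (not part of the original page or Pulumi's own code): a Python alternative to the CLI step that reads the key from a no-echo prompt instead of a command-line argument, plus the matching start-up read that reports clearly when the Pulumi-created secret still has no value. `FakeSecretsManager`, the ARN and the key are constructed stand-ins so the block runs offline; against AWS, pass `boto3.client("secretsmanager")`, whose `put_secret_value`, `get_secret_value` and `client.exceptions.ResourceNotFoundException` the stub mirrors.

```python
import getpass


class FakeSecretsManager:
    """Constructed in-memory stand-in for boto3.client("secretsmanager")."""

    class exceptions:
        class ResourceNotFoundException(Exception):
            pass

    def __init__(self):
        self.values = {}

    def put_secret_value(self, SecretId, SecretString):
        self.values[SecretId] = SecretString
        return {"ARN": SecretId, "VersionId": "constructed-version-id"}

    def get_secret_value(self, SecretId):
        if SecretId not in self.values:  # secret metadata exists, no value set yet
            raise self.exceptions.ResourceNotFoundException(SecretId)
        return {"ARN": SecretId, "SecretString": self.values[SecretId]}


def store_api_key(client, secret_arn, read_key=getpass.getpass):
    """Prompt without echo, so the key never reaches argv or shell history."""
    api_key = read_key("AI API key: ").strip()
    if not api_key:
        raise ValueError("empty API key, nothing stored")
    resp = client.put_secret_value(SecretId=secret_arn, SecretString=api_key)
    return resp["VersionId"]


def load_api_key(client, secret_arn):
    """Fetch the key at start-up; fail clearly if no value was ever set."""
    try:
        resp = client.get_secret_value(SecretId=secret_arn)
    except client.exceptions.ResourceNotFoundException as exc:
        raise RuntimeError(f"{secret_arn} has no value yet (or does not exist)") from exc
    return resp["SecretString"]


if __name__ == "__main__":
    # Offline demo. Against AWS use: client = boto3.client("secretsmanager")
    client = FakeSecretsManager()
    arn = "arn:aws:secretsmanager:us-east-1:111122223333:secret:EXAMPLE"  # constructed
    version = store_api_key(client, arn, read_key=lambda _prompt: "sk-constructed-demo")
    print("stored version:", version)
    print("key length read back:", len(load_api_key(client, arn)))  # never print the key
```
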