1. AI Development Environment Secrets Governance with AWS Secrets Manager


    AWS Secrets Manager is a service that enables you to store, manage, and retrieve secrets, such as database credentials or API keys, securely. It's particularly useful in development environments where managing secrets securely can be challenging. Secrets Manager provides encryption at rest and in transit, fine-grained access control, and automatic rotation of secrets.

    To use AWS Secrets Manager within your development environment with Pulumi, you'll need to define a few resources:

    1. Secret: The primary resource that stores the encrypted secret. You can optionally define properties such as description, tags, and KMS key ID for encryption.

    2. SecretPolicy: This resource attaches a resource-based policy to your secret. You can specify which IAM roles or users can access this secret and under what conditions.

    3. SecretVersion: This resource is used to add a new version of the secret when you want to update the value.

    Now, let's create a Pulumi program to implement secrets governance using AWS Secrets Manager.

    First, we'll define a secret with the necessary metadata:

        import pulumi
        import pulumi_aws as aws

        # Create a new secret
        my_secret = aws.secretsmanager.Secret(
            "MySecret",
            description="My development environment secret.",
            tags={"Environment": "Development"},
        )

        # Output the ARN of the secret
        pulumi.export("secret_arn", my_secret.arn)

    In this block, we've created a new secret called "MySecret" with a descriptive tag. We've then exported the ARN so that it can be retrieved and used in other parts of our Pulumi program or by other Pulumi stacks.

    Here's how you might configure a policy to control access to this secret:

        # Define a secret access policy (a plain JSON string also works here)
        secret_policy = aws.secretsmanager.SecretPolicy(
            "MySecretPolicy",
            secret_arn=my_secret.arn,
            policy=pulumi.Output.from_input("""
            {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "AWS": "arn:aws:iam::123456789012:role/MyRole"
                        },
                        "Action": "secretsmanager:GetSecretValue",
                        "Resource": "*"
                    }
                ]
            }
            """),
        )

    In this policy, only the IAM role with the ARN arn:aws:iam::123456789012:role/MyRole is allowed to call secretsmanager:GetSecretValue on the secret. In a Secrets Manager resource policy, "Resource": "*" refers to the secret the policy is attached to, not to every secret in the account.
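    The resource policy above is where the governance decision is actually enforced, so it is worth generating it from a known-good template and checking it before it is applied. The following is an added example, not code from the page or from Pulumi: it builds a read-only resource policy for a set of roles and lints a policy document for wildcard principals, principals outside a set of trusted account IDs, and actions broader than reading the secret. The trusted account ID and role names are constructed values; the output of build_read_policy could be passed as the policy argument of SecretPolicy.

```python
import json

# Read-only actions a development role needs; anything broader is flagged.
READ_ACTIONS = {"secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"}


def build_read_policy(role_arns):
    """Build a resource policy that lets only the given roles read this secret."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowReadFromDevRoles",
            "Effect": "Allow",
            "Principal": {"AWS": sorted(role_arns)},
            "Action": sorted(READ_ACTIONS),
            # In a Secrets Manager resource policy "*" means the secret itself.
            "Resource": "*",
        }],
    })


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _account_of(principal):
    # An IAM ARN carries the account ID in its fifth field; a bare account ID is used as-is.
    parts = principal.split(":")
    return parts[4] if len(parts) > 4 else principal


def policy_findings(policy_json, trusted_accounts):
    """Return governance findings for a Secrets Manager resource policy document."""
    findings = []
    for st in json.loads(policy_json).get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal", {})
        aws_principals = _as_list(principal if isinstance(principal, str) else principal.get("AWS"))
        for p in aws_principals:
            if p == "*":
                findings.append(f"{sid}: wildcard principal exposes the secret to every AWS account")
            elif _account_of(p) not in trusted_accounts:
                findings.append(f"{sid}: principal {p} is outside the trusted accounts")
        for a in _as_list(st.get("Action")):
            if a.endswith("*"):
                findings.append(f"{sid}: wildcard action {a} grants more than read access")
            elif a not in READ_ACTIONS:
                findings.append(f"{sid}: action {a} is broader than reading the secret")
    return findings
```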

    Lastly, if the value of the secret changes, you may want to add a new version of it to record the changes:

        # Add a secret version with a secret string.
        # A literal is used here for illustration; in a real program read the value
        # from a Pulumi config secret so it is not committed to source control.
        my_secret_version = aws.secretsmanager.SecretVersion(
            "MySecretVersion",
            secret_id=my_secret.id,
            secret_string="my-super-secret-value",
        )

    Here, we've added a new version to the "MySecret" secret with the value "my-super-secret-value".

    Now, let's put it all together into a full Pulumi program.

        import pulumi
        import pulumi_aws as aws

        # Create a new secret
        my_secret = aws.secretsmanager.Secret(
            "MySecret",
            description="My development environment secret.",
            tags={"Environment": "Development"},
        )

        # Output the ARN of the secret
        pulumi.export("secret_arn", my_secret.arn)

        # Define a secret access policy (a plain JSON string also works here)
        secret_policy = aws.secretsmanager.SecretPolicy(
            "MySecretPolicy",
            secret_arn=my_secret.arn,
            policy=pulumi.Output.from_input("""
            {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "AWS": "arn:aws:iam::123456789012:role/MyRole"
                        },
                        "Action": "secretsmanager:GetSecretValue",
                        "Resource": "*"
                    }
                ]
            }
            """),
        )

        # Add a secret version with a secret string.
        # A literal is used here for illustration; in a real program read the value
        # from a Pulumi config secret so it is not committed to source control.
        my_secret_version = aws.secretsmanager.SecretVersion(
            "MySecretVersion",
            secret_id=my_secret.id,
            secret_string="my-super-secret-value",
        )

        # Output the version id of the secret
        pulumi.export("secret_version_id", my_secret_version.id)

    This Pulumi program will create a secret in AWS Secrets Manager, set a policy for accessing that secret, and set an initial version of the secret string. When executed, it will provision the resources as outlined and provide output parameters for the ARN of the secret and the ID of the secret version.

    The use of pulumi.export makes the secret ARN and version ID readily accessible after the Pulumi program is deployed, which is valuable for CI/CD workflows and for integrating Pulumi with other systems. Note that only these identifiers are exported, never the secret value itself.

    For more details on the resources used in this program, you can visit the following documentation:

    Always be sure to secure your secret strings and handle them safely within your Pulumi program to prevent accidental exposure.