1. Answers
  2. Storing API keys for a Vercel-deployed application

How do I store API keys for a Vercel-deployed application?

In this guide, we will demonstrate how to securely store API keys for a Vercel-deployed application using AWS Secrets Manager with Pulumi. AWS Secrets Manager allows you to store, manage, and retrieve secrets securely. We will create a secret to store the API key and grant the necessary permissions for Vercel to access this secret.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Create an AWS Secrets Manager secret to store the API key
const apiKeySecret = new aws.secretsmanager.Secret("apiKeySecret", {
    description: "API key for Vercel-deployed application",
});

// Store the actual API key value in the secret
const apiKeyValue = new aws.secretsmanager.SecretVersion("apiKeyValue", {
    secretId: apiKeySecret.id,
    secretString: pulumi.secret("your-api-key-value"), // Replace with your actual API key value
});

// Create an IAM Policy that grants read access to the secret
const secretAccessPolicy = new aws.iam.Policy("secretAccessPolicy", {
    description: "Policy to allow Vercel to access the API key secret",
    policy: apiKeySecret.arn.apply(arn => JSON.stringify({
        Version: "2012-10-17",
        Statement: [
            {
                Effect: "Allow",
                Action: [
                    "secretsmanager:GetSecretValue",
                ],
                Resource: arn,
            },
        ],
    })),
});

// Create an IAM Role for Vercel with the above policy attached
const vercelRole = new aws.iam.Role("vercelRole", {
    assumeRolePolicy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [
            {
                Effect: "Allow",
                Principal: {
                    Service: "vercel.com", // Replace with the actual Vercel service principal if available
                },
                Action: "sts:AssumeRole",
            },
        ],
    }),
});

new aws.iam.RolePolicyAttachment("vercelRolePolicyAttachment", {
    role: vercelRole.name,
    policyArn: secretAccessPolicy.arn,
});

// Export the secret ARN and IAM Role ARN for use in Vercel configuration
export const secretArn = apiKeySecret.arn;
export const vercelRoleArn = vercelRole.arn;

Key Points

  • We created an AWS Secrets Manager secret to store the API key.
  • We stored the actual API key value in the secret.
  • We created an IAM policy that grants read access to the secret.
  • We created an IAM role for Vercel and attached the policy to this role.
  • We exported the secret ARN and IAM role ARN for use in Vercel configuration.

Summary

In this guide, we demonstrated how to securely store API keys for a Vercel-deployed application using AWS Secrets Manager with Pulumi. We created a secret to store the API key, set up an IAM policy and role to grant access, and exported the necessary ARNs for Vercel configuration. This ensures that your API keys are stored securely and can be accessed by Vercel when needed.

Deploy this code

Want to deploy this code? Sign up for a free Pulumi account to deploy in a few clicks.

Sign up

New to Pulumi?

Want to deploy this code? Sign up with Pulumi to deploy in a few clicks.

Sign up