Step 3 - Replace hardcoded credentials

In this exercise we will use AWS Secrets Manager to manage and retrieve credentials (usernames and passwords, API keys and other secrets) throughout their lifecycle, so that they no longer need to be hardcoded in the application image or task definition.

As prerequisites, this lab requires an Amazon Relational Database Service (RDS) MySQL instance, an Amazon Elastic Container Service (ECS) cluster running a container-based application, and an Amazon Elastic Container Registry (ECR) repository.

  1. From the AWS console, click Services and select Secrets Manager.

  2. On the Secrets Manager console click on Store a new secret.

  3. On the ‘Store a new secret’ screen, select the Credentials for RDS database radio button.

secrm_01.png

  1. Enter the database User name and Password in the respective fields.

  2. Select DefaultEncryptionKey in the dropdown menu.

  3. Scroll down to the bottom of the page and you will see a list of your RDS instances. Select the RDS instance for which you want to store the secret.

secrm_02.png

  1. Click Next.

  2. Enter a name for the secret and, optionally, a description.

secrm_03.png

  1. Click Next.

  2. On the ‘Configure automatic rotation’ screen, leave the default value (Disable automatic rotation) as is and click Next.

  3. On the Review screen, click Store. You will see a message saying that your secret has been successfully stored.

  4. Now click the Secret name that you have just created.

  5. Copy the Amazon Resource Name or ARN for later use.

secrm_04.png

  1. From the AWS console, click Services and select Elastic Container Service.

  2. Select the Clusters menu item to view the cluster that you want to configure.

secrm_05.png

  1. Click the Task Definitions menu item.

  2. Click the check box next to the appropriate task definition name and then click Create new revision.

secrm_06.png

  1. Leave all of the current values in place. Scroll down and click Configure via JSON.

secrm_07.png

  1. Look for the list named secrets. It should be null for now, i.e., "secrets": null,

  2. Edit the text and insert the ARN of the secret that was created earlier (smsdemo in this example), as shown below. The value of name becomes the environment variable the container will see; valueFrom is the Secrets Manager ARN.

 "secrets": [
   {
     "name": "TASKDEF_SECRET",
     "valueFrom": "<paste the ARN you copied earlier>"
   }
 ]

secrm_08.png

  1. Click Save to save the revised JSON definition.

  2. Click Create to create the new revision of the Task Definition that includes the JSON revisions.

  3. You will see a message saying that the new revision has been created. Notice that the revision has a version number attached to it as shown in the figure below.

secrm_09.png
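The task definition change above only delivers the secret to the container as an environment variable; the application still has to stop using its hardcoded values and read that variable instead. The following is an added example (not part of the original lab or the lab's application) showing the "before" and "after" in Python. The environment variable name TASKDEF_SECRET matches the task definition above; the secret value is a constructed sample of the JSON document Secrets Manager stores for an RDS credential, so the code runs offline without calling AWS.

```python
import json
import os

# Must match the "name" entry in the task definition's secrets list.
ENV_VAR = "TASKDEF_SECRET"

# Constructed sample of the JSON Secrets Manager stores for an RDS credential.
# In the running task, ECS injects the real value into the environment;
# nothing in this example contacts AWS.
SAMPLE_SECRET = json.dumps({
    "username": "appuser",
    "password": "s3cr3t-Ex4mple",
    "engine": "mysql",
    "host": "mydb.abc123.us-east-1.rds.amazonaws.com",
    "port": 3306,
    "dbInstanceIdentifier": "mydb",
})

# Keys the application needs; anything else in the secret is ignored.
REQUIRED_KEYS = ("username", "password", "host", "port")


def db_config_hardcoded():
    """The 'before' state: credentials baked into the image and source control.
    Anyone who can pull the image or read the repo has the password."""
    return {
        "user": "appuser",
        "password": "s3cr3t-Ex4mple",
        "host": "mydb.abc123.us-east-1.rds.amazonaws.com",
        "port": 3306,
    }


def db_config_from_secret(env=None):
    """The 'after' state: build the connection config from the secret ECS
    injected into the environment. Fails closed on a missing or malformed
    secret rather than falling back to a default password."""
    env = os.environ if env is None else env
    raw = env.get(ENV_VAR)
    if raw is None:
        raise RuntimeError(
            f"{ENV_VAR} is not set: check the task definition's secrets list "
            "and that the task execution role may read the secret"
        )
    try:
        secret = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise RuntimeError(f"{ENV_VAR} is not valid JSON") from exc
    missing = [k for k in REQUIRED_KEYS if k not in secret]
    if missing:
        raise RuntimeError(f"{ENV_VAR} is missing keys: {missing}")
    return {
        "user": secret["username"],
        "password": secret["password"],
        "host": secret["host"],
        "port": int(secret["port"]),
    }


def redacted(config):
    """Copy of the config safe to log: never write the password to stdout."""
    return {k: ("***" if k == "password" else v) for k, v in config.items()}


if __name__ == "__main__":
    # Simulate the environment ECS would give the container.
    demo_env = {ENV_VAR: SAMPLE_SECRET}
    print(redacted(db_config_from_secret(demo_env)))
```

Two things to check when the container starts without the variable: the secret's ARN in valueFrom must be exact, and the task execution role (not the task role) must be allowed secretsmanager:GetSecretValue on that secret, since ECS fetches the value on the container's behalf before it starts.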

For more information please read the AWS User Guide: https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html