Retrieve Secrets Manager secrets programmatically - Amazon Elastic Container Service

Retrieve Secrets Manager secrets programmatically

Use Secrets Manager to protect sensitive data and rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.

Instead of hardcoding sensitive information in plain text in your application, you can use Secrets Manager to store the sensitive data.

We recommend this method of retrieving sensitive data because if the Secrets Manager secret is subsequently updated, the application automatically retrieves the latest version of the secret.

Create a secret in Secrets Manager. After you create the Secrets Manager secret, update your application code to retrieve it.

Considerations

Review the following considerations before securing sensitive data in Secrets Manager.

  • Only secrets that store text data, which are secrets created with the SecretString parameter of the CreateSecret API, are supported. Secrets that store binary data, which are secrets created with the SecretBinary parameter of the CreateSecret API, are not supported.

  • Use interface VPC endpoints to enhance security controls. You must create the interface VPC endpoints for Secrets Manager. For information about the VPC endpoint, see Create VPC endpoints in the AWS Secrets Manager User Guide.

  • The VPC your task uses must use DNS resolution.

Required IAM permissions

To use this feature, you must have the Amazon ECS task role and reference it in your task definition. For more information, see Amazon ECS task role.

To provide access to the Secrets Manager secrets that you create, manually add the following permission to the task execution role. For information about how to manage permissions, see Adding and Removing IAM identity permissions in the IAM User Guide.

  • secretsmanager:GetSecretValue – Required if you are referencing a Secrets Manager secret. Adds the permission to retrieve the secret from Secrets Manager.

The following example policy adds the required permissions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": [
                "arn:aws:secretsmanager:region:aws_account_id:secret:secret_name"
            ]
        }
    ]
}

Create the Secrets Manager secret

You can use the Secrets Manager console to create a secret for your sensitive data. For information about how to create secrets, see Create an AWS Secrets Manager secret in the AWS Secrets Manager User Guide.

Update your application to programmatically retrieve Secrets Manager secrets

You can retrieve secrets with a call to the Secrets Manager APIs directly from your application. For information, see Retrieve secrets from AWS Secrets Manager in the AWS Secrets Manager User Guide.

To retrieve the sensitive data stored in AWS Secrets Manager, see Code examples for AWS Secrets Manager using AWS SDKs in the AWS SDK Code Examples Code Library.
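The following is an added example of the retrieval step described above; it is not code from the Amazon ECS documentation or from the AWS SDK code library. It assumes the task runs with a task role that allows secretsmanager:GetSecretValue on the secret, so the AWS SDK picks up the task's credentials on its own, and that boto3 is installed in the container image. The class, function and parameter names (SecretCache, make_default_client, ttl_seconds, clock) are hypothetical; the only AWS API call used is the real SecretsManager.Client.get_secret_value(SecretId=...). The wrapper re-reads a secret after a TTL, so a rotated value is picked up without a redeploy while the application does not call the API on every request, and it fails clearly on a binary-only secret, which this page states is not supported.

```python
"""Retrieve a Secrets Manager secret from application code running in an ECS task.

Added example, not from the Amazon ECS documentation. Assumes a task role that
allows secretsmanager:GetSecretValue on the secret. SecretCache,
make_default_client, ttl_seconds and clock are hypothetical names.
"""
import json
import time
from typing import Any, Callable, Dict, Optional, Tuple


def make_default_client(region_name: Optional[str] = None):
    """Build a real boto3 Secrets Manager client. boto3 is imported lazily so the
    module still loads where boto3 is not installed (for example in unit tests
    that pass a fake client)."""
    import boto3  # assumption: boto3 is available in the container image
    return boto3.client("secretsmanager", region_name=region_name)


class SecretCache:
    """Fetches SecretString values on demand and re-reads them once a TTL has
    passed, so a rotated secret is picked up without redeploying the task while
    avoiding one Secrets Manager API call per application request."""

    def __init__(self, client: Any, ttl_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._client = client          # any object with get_secret_value(SecretId=...)
        self._ttl = ttl_seconds
        self._clock = clock            # injectable for deterministic tests
        self._entries: Dict[str, Tuple[str, float]] = {}  # secret_id -> (value, fetched_at)
        self.fetch_count = 0           # number of real API calls made

    def get(self, secret_id: str) -> str:
        """Return the secret's text value, served from cache while it is fresh."""
        now = self._clock()
        cached = self._entries.get(secret_id)
        if cached is not None and now - cached[1] < self._ttl:
            return cached[0]
        value = self._fetch(secret_id)
        self._entries[secret_id] = (value, now)
        return value

    def get_json(self, secret_id: str) -> Dict[str, Any]:
        """Return a JSON-formatted secret (e.g. database credentials) as a dict."""
        return json.loads(self.get(secret_id))

    def _fetch(self, secret_id: str) -> str:
        self.fetch_count += 1
        response = self._client.get_secret_value(SecretId=secret_id)
        # Only text secrets are supported here: a secret created with SecretBinary
        # carries no SecretString key, so fail clearly rather than hand the caller
        # bytes it did not expect.
        if "SecretString" not in response:
            raise ValueError(f"secret {secret_id!r} holds binary data, not text")
        return response["SecretString"]


if __name__ == "__main__":
    # Placeholder ARN: substitute the ARN named in the IAM policy for the task.
    cache = SecretCache(make_default_client())
    creds = cache.get_json("arn:aws:secretsmanager:region:aws_account_id:secret:secret_name")
    print("retrieved keys:", sorted(creds))  # log key names only, never the values
```

Keep the TTL short enough to fit the rotation schedule of the secret (a value read shortly before rotation stays in the cache until the TTL expires), and log only which keys were retrieved, never the secret values themselves.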