Securely Storing and Retrieving Environment Variables in Node.js with AWS Secrets Manager and KMS using Terraform
Recently at work I had run into a requirement of having to store & retrieve the value of an environment variable securely using AWS.
The environment secret should be encrypted at rest and in transit and only be decrypted at run time by the application.
In this blog post, we will explore how to use Node.js with AWS Secrets Manager and AWS KMS to store and retrieve environment variables securely. We will also use Terraform to set up the necessary AWS resources.
AWS Secrets Manager
AWS Secrets Manager is a service that allows you to store and retrieve secrets such as database credentials, API keys, and other sensitive information. Secrets Manager encrypts and stores secrets using AWS KMS and allows you to control access to secrets using IAM policies. Secrets Manager also provides automatic rotation of secrets to improve security.
AWS KMS
AWS KMS is a service that allows you to create and manage encryption keys for your AWS resources. KMS can be used to encrypt data at rest and in transit, and can also be used to encrypt environment variables stored in AWS Secrets Manager.
Node.js with AWS Secrets Manager and AWS KMS
To use AWS Secrets Manager and AWS KMS with Node.js, we need to install the AWS SDK for Node.js:
npm install aws-sdk
Next, we can use the following code to fetch a secret from AWS Secrets Manager and decrypt it using AWS KMS:
const AWS = require('aws-sdk');
const secretsManager = new AWS.SecretsManager();
const kms = new AWS.KMS();
async function getSecret(secretName) {
const params = {
SecretId: secretName
};
const response = await secretsManager.getSecretValue(params).promise();
const ciphertext = response.SecretBinary;
const decrypted = await kms.decrypt({ CiphertextBlob: ciphertext }).promise();
return decrypted.Plaintext.toString('utf-8');
}
// Usage
const MY_ENV_VAR = await getSecret('my-app/dev/my-secret');
console.log(MY_ENV_VAR);
In this example, we are using the getSecretValue
method of the secretsManager
object to fetch the secret with the name my-app/dev/my-secret
from AWS Secrets Manager. The SecretBinary
property of the response object contains the ciphertext value of the secret. We then use the decrypt
method of the kms
object to decrypt the ciphertext value. The Plaintext
property of the response object contains the decrypted plaintext value of the secret.
Terraform
To set up the infrastructure using Terraform, we can use the following code:
resource "aws_kms_key" "my_kms_key" {
description = "Encryption key for my secrets"
}
resource "aws_secretsmanager_secret" "my_secret" {
name = "my-app/dev/my-secret"
kms_key_id = aws_kms_key.my_kms_key.id
}
resource "aws_secretsmanager_secret_version" "my_secret_version" {
secret_id = aws_secretsmanager_secret.my_secret.id
secret_binary = base64encode("my-secret-value")
}
In this example, we are creating an encryption key using the aws_kms_key
resource. We are also creating a secret with the name my-app/dev/my-secret
using the aws_secretsmanager_secret
resource and specifying the kms_key_id
property to use the encryption key we created earlier. We are also creating a secret version using the aws_secretsmanager_secret_version
resource with the base64-encoded ciphertext value my-secret-value
. Note that the ciphertext value should be replaced with the actual ciphertext value.
IAM Permissions
This wouldn’t be an article about AWS without mentioning the roles IAM play in this use case. In order for the nodejs code to successfully work and execture API calls to the Secrets Manager and KMS services you will need the an IAM role with the following permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SecretsManagerPermissions",
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret",
"secretsmanager:ListSecrets"
],
"Resource": "arn:aws:secretsmanager:<region>:<account-id>:secret:<secret-name>"
},
{
"Sid": "KMSPermissions",
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": "arn:aws:kms:<region>:<account-id>:key/<key-id>"
}
]
}
Conclusion
In this blog, we explored how to use Node.js with AWS Secrets Manager and AWS KMS to securely store and retrieve environment variables. We also used Terraform to set up the necessary AWS resources. By using AWS Secrets Manager and AWS KMS, we can ensure that our secrets are encrypted and secure, and we can control access to them using IAM policies. This approach also allows us to automatically rotate our secrets to improve security.
Using AWS Secrets Manager and AWS KMS with Node.js is simple and straightforward. We can use the AWS SDK for Node.js to fetch secrets from Secrets Manager and decrypt them using KMS. With Terraform, we can easily create the necessary AWS resources to store our secrets.
I hope this blog post was helpful in understanding how to use AWS Secrets Manager and AWS KMS with Node.js to securely store and retrieve environment variables. If you have any questions or feedback, please leave a comment below. Thank you for reading!