niklas-braun / node-env-aws-secrets-manager


Secrets and .env variables

For sensitive data such as access tokens, database URIs and passwords, we use AWS Secrets Manager as central, secure storage. NEVER upload sensitive data unencrypted to GitHub or anywhere else.

Read the full tutorial in my Medium Article

Requirements

To use AWS Secrets Manager you need a few tools:

  • AWS CLI 2
    • Used for connecting to AWS Secrets Manager
  • Homebrew and jq installed
    • Homebrew is a great package manager for macOS
    • jq is used for processing JSON on the command line

If you just cloned the project for the first time, make sure your aws-cli is
configured (aws configure command) and run

make setup

to fetch the required (development) secrets to your local machine.


Info

In this project we are using eu-central-1 as our AWS region. If you want to use another region you have to change --region eu-central-1 to --region YOUR-REGION-HERE in ./aws-secrets/fetchSecretsLocally.sh.

Also change the secret ID to the one you chose in AWS Secrets Manager (--secret-id "YOUR_SECRET_ID") in ./aws-secrets/fetchSecretsLocally.sh.



Actions overview

Command        Description
make setup     Fetches secrets and creates the .env.development file with injected secrets if no .env.development file exists
make update    Updates the created .env.development file with freshly fetched secrets from AWS Secrets Manager
make remove    Removes .env.development



How to add or remove environment variables and secrets

Add environment variable

Edit the .env.example file and add the key and a placeholder value.

Example

You want to add a variable named MY_NEW_VAR with the value hello-world.

The placeholder value in .env.example must have the prefix <PLACE_ and the suffix _HERE>.
Example .env.example:

    MY_NEW_VAR=<PLACE_MY_NEW_VAR_HERE>

After you have added the variable to .env.example, head to the AWS Management Console (eu-central-1) and navigate to Secrets Manager. Select the secret you want to add the variable to (dev, stg, prod or all of them) and add the key and value. In this case, add MY_NEW_VAR as the key and hello-world as the value.

Afterwards you can run make update or make setup.


Remove environment variable

  1. Remove the variable and value from .env.example
  2. Open AWS Management console (eu-central-1) in your browser and navigate to Secrets Manager
  3. Select the environment you want to remove the variable from and remove it.
  4. Run make update to update your .env.development file
  5. If everything works fine, create a branch, push the code to GitHub and notify other developers. Otherwise we end up with an inconsistent code base.



Important Notes

  1. Never implement secret values without Secrets Manager
  2. Always make sure that you remove the correct variable from Secrets Manager
  3. Push your changes to GitHub and notify other developers
  4. Choose the right AWS region when you use the AWS Management Console or configure your AWS CLI
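
The add and remove procedures above only stay consistent if .env.example and the stored secret list the same keys. The following check is an added example, not code from this repository: renderEnv is a hypothetical helper, and it assumes each <PLACE_NAME_HERE> placeholder is filled from the key NAME of the secret's JSON object.

```javascript
// Added example, not the repository's code. Assumption: each placeholder
// <PLACE_NAME_HERE> is filled from the key NAME of the secret's JSON object.
const PLACEHOLDER = /^<PLACE_([A-Za-z0-9_]+)_HERE>$/;

function renderEnv(template, secrets) {
  const missing = []; // placeholders with no key in the secret
  const unsafe = [];  // values with line breaks, which would add extra lines
  const used = new Set();

  const lines = template.split(/\r?\n/).map((raw) => {
    const eq = raw.indexOf('=');
    if (raw.trim().startsWith('#') || eq === -1) return raw;
    const key = raw.slice(0, eq).trim();
    const match = PLACEHOLDER.exec(raw.slice(eq + 1).trim());
    if (!match) return raw; // literal, non-secret value stays as written
    const name = match[1];
    if (!Object.prototype.hasOwnProperty.call(secrets, name)) {
      missing.push(name);
      return raw;
    }
    used.add(name);
    const value = String(secrets[name]);
    if (/[\r\n]/.test(value)) {
      unsafe.push(name);
      return raw;
    }
    return `${key}=${value}`;
  });

  // Keys still stored in the secret that .env.example no longer references.
  const unused = Object.keys(secrets).filter((k) => !used.has(k));
  return { output: lines.join('\n'), missing, unsafe, unused };
}

// Constructed sample input; in the project the JSON comes from Secrets Manager.
const sampleTemplate = [
  '# constructed sample .env.example',
  'NODE_ENV=development',
  'MY_NEW_VAR=<PLACE_MY_NEW_VAR_HERE>',
  'DATABASE_URI=<PLACE_DATABASE_URI_HERE>',
].join('\n');
const sampleSecret = JSON.parse('{"MY_NEW_VAR":"hello-world","OLD_TOKEN":"constructed-value"}');
const report = renderEnv(sampleTemplate, sampleSecret);
// Report key names only, never secret values.
console.log({ missing: report.missing, unsafe: report.unsafe, unused: report.unused });
```

A non-empty missing or unsafe list means the rendered file still contains a placeholder and should not be used; a non-empty unused list points at a variable that was removed from .env.example but not from the secret.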

About

License: MIT License
