I have an AWS Glue Python script which I am using for connecting to an Aurora MySQL database. For this, I tried to use AWS Secrets Manager so that I do not have to hardcode the database credentials in the script.
While I am able to successfully use Secrets Manager and use it in my AWS Glue script to connect to RDS, I see that the credentials are not secret, and if I print the contents of a variable holding the database credentials, I am able to see the passwords, username, etc. in the CloudWatch logs.
Please find herewith the code snippet:
```python
import json

import boto3

# Getting DB credentials from Secrets Manager
client = boto3.client("secretsmanager", region_name="us-west-2")
get_secret_value_response = client.get_secret_value(
    SecretId="RDS_Dev_Cluster"
)
# The secret is stored as a JSON string with username/password/host keys
secret = get_secret_value_response['SecretString']
secret = json.loads(secret)
db_username = secret.get('username')
db_password = secret.get('password')
db_url = secret.get('host')

# These prints are what end up in the CloudWatch job log
print(db_username)
print(db_password)
print(db_url)
```
Is there any way we can encrypt the username/password credentials? Can we use AWS KMS? I haven't tried KMS in this, but would like to get suggestions before using another AWS service. If not, how can we mask the database credentials besides Secrets Manager?
Thanks
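The secret value is already encrypted at rest by Secrets Manager (with a KMS key); what reaches CloudWatch is whatever the job itself prints after decrypting it, so the fix is to keep the plaintext out of log output. The following is an added example, not code from the question or from AWS: it wraps the same `get_secret_value` call, builds a masked copy of the secret for logging, and installs a `logging.Filter` that scrubs the real username and password from any record that slips through. The `FakeSecretsManager` class and the secret values inside it are constructed so the example runs offline; in the Glue job you would pass `boto3.client("secretsmanager", region_name="us-west-2")` instead.

```python
import json
import logging
from typing import Any, Dict, Iterable, Mapping

REDACTED = "***REDACTED***"
# Keys in the secret JSON whose values must never appear in the job log.
SENSITIVE_KEYS = frozenset({"password", "username"})


def load_db_secret(client: Any, secret_id: str) -> Dict[str, Any]:
    """Fetch and parse a JSON secret. `client` is a boto3 secretsmanager client
    (or any object exposing get_secret_value with the same keyword signature)."""
    response = client.get_secret_value(SecretId=secret_id)
    return json.loads(response["SecretString"])


def safe_view(secret: Mapping[str, Any]) -> Dict[str, Any]:
    """Copy of the secret that is safe to log: sensitive values are masked,
    non-sensitive connection details (host, port) are kept for debugging."""
    return {k: (REDACTED if k in SENSITIVE_KEYS else v) for k, v in secret.items()}


def redact_text(text: str, secret_values: Iterable[str]) -> str:
    """Replace every occurrence of a known secret value in `text`.
    Longest values first, so a value that contains another is scrubbed whole."""
    for value in sorted((v for v in secret_values if v), key=len, reverse=True):
        text = text.replace(value, REDACTED)
    return text


class SecretRedactingFilter(logging.Filter):
    """Logging filter that scrubs the known secret values from every record,
    so an accidental log of the credentials reaches CloudWatch redacted."""

    def __init__(self, secret: Mapping[str, Any]) -> None:
        super().__init__()
        self._values = [str(secret[k]) for k in SENSITIVE_KEYS if secret.get(k)]

    def filter(self, record: logging.LogRecord) -> bool:
        # Render the message with its %-args first, then scrub the rendered text.
        record.msg = redact_text(record.getMessage(), self._values)
        record.args = ()
        return True


def scrub_with_filter(secret: Mapping[str, Any], msg: str, *args: Any) -> str:
    """Run one log message through SecretRedactingFilter and return the text
    a handler would emit. Handy for checking the filter without a real logger."""
    record = logging.LogRecord("glue_job", logging.INFO, __file__, 0, msg, args, None)
    SecretRedactingFilter(secret).filter(record)
    return record.getMessage()


class FakeSecretsManager:
    """Stand-in for boto3.client('secretsmanager') with a constructed secret,
    so the example runs offline. All values below are made up (hypothetical)."""

    def get_secret_value(self, SecretId: str) -> Dict[str, str]:
        if SecretId != "RDS_Dev_Cluster":
            raise KeyError(SecretId)
        return {"SecretString": json.dumps({
            "username": "glue_app",
            "password": "Example-Pa55w0rd!",
            "host": "aurora-dev.example.internal",
            "port": 3306,
        })}


if __name__ == "__main__":
    secret = load_db_secret(FakeSecretsManager(), "RDS_Dev_Cluster")
    log = logging.getLogger("glue_job")
    logging.basicConfig(level=logging.INFO)
    log.addFilter(SecretRedactingFilter(secret))
    log.info("connection settings: %s", safe_view(secret))
    # Even a careless log of the raw values is scrubbed by the filter.
    log.info("user=%s password=%s", secret["username"], secret["password"])
```

In the Glue job, attach the filter to the root logger (or the logger the job uses) right after loading the secret and before opening the database connection, and log `safe_view(secret)` rather than the secret itself. The filter only knows the values it was given, so it is a safety net for accidental logging, not a substitute for never printing `db_password` in the first place.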