Skip to content
LoginGet Started

AWS Secrets

Manage AWS SSM and Secrets Manager with CloudTruth

December 1, 2022

When you're working with any secret inside of the cloud or even on-prem, there are a few things you think about:

  • Are the secrets encrypted in transit?
  • Are the secrets encrypted at rest?
  • How easy is it to rotate these secrets?
  • How easy is it to manage these secrets?

The first two questions are easily achievable with any secret store.

The second two aren't.

In this blog post, you'll see the idea behind using a platform like CloudTruth to make storing secrets, retrieving secrets, and rotating secrets easier.

What is SSM

SSM is used by a lot of organizations to make managing and utilizing secrets a bit cheaper. You can utilize parameters and store them as secure strings to ensure that the values are encrypted.

As you can see in the code below, it's a simple command to get a value stored properly.

aws ssm put-parameter \
--name "testparameter" \
--value "SuperSecretPassword" \
--type SecureString

However, there are a few problems with the above.

First, you have to store your original value in plain text. Although it'll be stored securely in AWS, you still have to pass it in via the CLI in an unsecured fashion.

Second, you have to do this for each environment. You're forced to use the CLI for each environment (Dev, Staging, Prod, etc.) or the UI. In any case, it can become incredibly cumbersome.

Third, if you want to rotate secrets (as you should), you must do it for each environment.

Although the command is straightforward, getting the environment with the secrets up and running can be cumbersome, manual, and repetitive.

What is Secrets Manager

Thinking about the next option is AWS Secrets Manager.

Secrets Manager allows you to create, rotate, and store secrets in AWS. However, the same problems as with SSM rises with Secrets Manager.

  • You cannot easily retrieve them for each environment.
  • You have to create multiple secrets that point to every new environment.
  • You have to rotate secrets for multiple environments.

When you're creating a new secret, it'll look something like this.

You'll first log into AWS and go to the Secrets Manager Service.

Next, you'll create a new secret.

 CloudTruth and AWS Secrets Manager 1

When you create the new secret, you'll choose the service you're creating the secret for, along with the values.

CloudTruth and AWS Secrets Manager 2

With this workflow, you have no central location to manage, update, or utilize secrets.

This is where CloudTruth comes into play.

Why Use AWS SSM and Secret Manager with CloudTruth

With CloudTruth, you don't have to worry about using multiple CLI tools or clicking around throughout the AWS UI to get to the service pages for Secrets Manager and SSM. Instead, you have one location, CLI, and API to work with. All your secrets, even outside of AWS, are in one location.

If you're in an environment with on-prem and/or multiple clouds, you don't have to worry about using multiple UIs and CLIs to manage your secrets across environments. Instead, CloudTruth is used as the central hub for every secret.

Let's see how it's done.

First, you'd log into the CloudTruth UI and, under Integrations, click on Explorer.


CloudTruth and AWS Secrets Manager 3

Next, choose the integration path. In this case, it can be AWS.

CloudTruth and AWS Secrets Manager 4

You'd then choose your region.

CloudTruth and AWS Secrets Manager 5

You can see and use secrets in SSM and Secrets Manager under one location.

CloudTruth and AWS Secrets Manager 6

You can then click on a secret to see its value and ensure it's the correct secret to use.

CloudTruth and AWS Secrets Manager 7

After that, you can create a new parameter utilized as a secret.

CloudTruth and AWS Secrets Manager 8

You can then use an external source to fetch the secrets in SSM or Secrets Manager for any configuration you need via CloudTruth.

CloudTruth and AWS Secrets Manager 9

Closing Thoughts

AWS SSM and Secrets Manager are great solutions. They provide "out of the box" value and are used by thousands of organizations. The primary concern is the management aspect of the secrets within SSM and Secrets Manager. You have to click around multiple UIs and use multiple commands to work with them. If you have different cloud or on-prem environments, you have to use multiple tools to manage them.

With CloudTruth, all environments are under one roof. Managed with one UI, one CLI, and one API.

Join ‘The Pipeline’

Our bite-sized newsletter with DevSecOps industry tips and security alerts to increase pipeline velocity and system security.

Subscribe For Free

Continue exploring

Browse All Talks

Continue Reading