AWS Secrets Manager Hush Provider

This package provides a Hush Provider that resolves secrets stored in Amazon Web Services' Secrets Manager.

Documentation can be found at https://hexdocs.pm/hush_aws_secrets_manager.

Installation

The package can be installed by adding hush_aws_secrets_manager to your list of dependencies in mix.exs:

def deps do
  [
    {:hush, "~> 1.0"},
    {:hush_aws_secrets_manager, "~> 1.1"}
  ]
end

This module relies on ex_aws to talk to the AWS API, so ex_aws must be configured as well. An example follows; alternative ways of configuring it are described in the ex_aws documentation.

Because the provider needs to start the ex_aws application, it must be registered as a provider in hush so that it is loaded during startup.

# config/config.exs

alias Hush.Provider.AwsSecretsManager

config :ex_aws,
  access_key_id: [{:system, "AWS_ACCESS_KEY_ID"}],
  secret_access_key: [{:system, "AWS_SECRET_ACCESS_KEY"}]

# ensure hush loads AwsSecretsManager during startup
config :hush,
  providers: [AwsSecretsManager]

AWS Authorization

In order to retrieve secrets from AWS, ensure the service account you use has a policy similar to the following (scoped to the specific secret ARNs the application reads):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": [
        "arn:aws:secretsmanager:<region>:<account>:secret:<secret-name>",
        "arn:aws:secretsmanager:us-east-1:000000000000:secret:config/password-MzBAO2"
      ]
    }
  ]
}
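As an added check (not part of this package), the following Python script parses a policy like the one above and reports Allow statements that grant more than the provider needs: any action other than secretsmanager:GetSecretValue, or a resource that is not pinned to a named secret. README_POLICY is the policy above; SAMPLE_POLICY is a constructed variant with an over-broad second statement to show what gets flagged.

```python
import json
from typing import List

# The policy from the README, restricted to one concrete secret ARN.
README_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "secretsmanager:GetSecretValue",
        "Resource": [
            "arn:aws:secretsmanager:us-east-1:000000000000:secret:config/password-MzBAO2"
        ],
    }],
})

# Constructed sample: same first statement plus an over-broad grant.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": json.loads(README_POLICY)["Statement"] + [{
        "Effect": "Allow",
        "Action": ["secretsmanager:*"],
        "Resource": "*",
    }],
})

# The only action the Hush provider needs in order to read a secret value.
ALLOWED_ACTIONS = {"secretsmanager:GetSecretValue"}


def _as_list(value) -> List[str]:
    """IAM accepts a string or a list of strings; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def policy_findings(policy_json: str) -> List[str]:
    """Return one finding per over-broad grant found in Allow statements."""
    findings = []
    for i, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action not in ALLOWED_ACTIONS:
                findings.append(f"statement {i}: action {action!r} is broader than GetSecretValue")
        for arn in _as_list(stmt.get("Resource")):
            # Secret name is the part after ':secret:'. A trailing wildcard such as
            # 'config/password-*' (for the random suffix AWS appends) is still scoped.
            name = arn.split(":secret:", 1)[1] if ":secret:" in arn else ""
            if arn == "*" or not arn.startswith("arn:aws:secretsmanager:") or name in ("", "*"):
                findings.append(f"statement {i}: resource {arn!r} is not scoped to a named secret")
    return findings


if __name__ == "__main__":
    for line in policy_findings(SAMPLE_POLICY):
        print(line)
```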

Usage

The following example reads the CloudSQL password and the pool size from Secrets Manager into the Ecto repo configuration, casting the pool size to an integer and falling back to 10 when the secret is absent.

# config/prod.exs

alias Hush.Provider.AwsSecretsManager

config :app, App.Repo,
  password: {:hush, AwsSecretsManager, "CLOUDSQL_PASSWORD"},
  pool_size: {:hush, AwsSecretsManager, "ECTO_POOL_SIZE", cast: :integer, default: 10}

License

Hush is released under the Apache License 2.0 - see the LICENSE file.