A Secrets resource provides authorized cloud resources access to the Environment Secrets defined for the stack's current deployment environment. The Secrets resource is backed by AWS Secrets Manager.
A secret is any sensitive data, like credentials or connection details, that is required to access or configure secured resources within a stack. A secured resource is a resource within your stack whose access is controlled by an Environment Secret.
The secrets that can be accessed in an environment can be viewed or updated by navigating to Environments and selecting the appropriate environment. The Environment Secrets section allows administrators and developers to create, update, or delete environment secrets.
Examples of Secrets include:
- Database Credentials
- User Passwords
- API Keys
- OAuth Tokens
- Third-Party Account Credentials
Service discovery wires (dashed line) provide compute resources (Function, Edge Function, Docker Task) with the permissions and environment variables required to perform actions using cloud resources within the stack. This resource is on the receiving end of a service discovery wire originating from compute resources.
The following compute resources can use a service discovery wire to access a Secrets resource:
- Docker Task
Storage and Encryption
Environment Secrets are encrypted using AWS Key Management Service. Stackery uses the default AWS KMS key of the account to encrypt the secret at rest. The default KMS encryption key does not incur charges.
A Function or Docker Task resource extends a service discovery wire (dashed line) to connect to a Secrets resource.
When one of the above compute resources is connected to a Secrets resource via a service discovery wire, the following IAM permissions policy is automatically added to that compute resource's Permissions property:
This policy gives the compute resource permission to retrieve the values stored within the current environment's secrets section. (Environments navigation tab > Environment Secrets)
Environment Secrets retrieval is accomplished within the Function's handler file (e.g. index.js for Node.js). Refer to Stackery Environment Secrets for usage and examples of retrieving secrets.
Secrets can be up to 4096 characters. If a secret requires more than 4096 characters, you can split it across two secrets and concatenate them back together before using it (in the handler).
When connected by a service discovery wire (dashed wire), a Function, Edge Function, or Docker Task will add the following IAM policy to its role and gain permission to access this resource.
Related AWS Documentation
AWS Documentation: AWS Secrets Manager