AWS Secrets Manager
Who can use this feature?
Organization Owners, Admins, and other users with the secrets:manage permission
Connect to your AWS Secrets Manager to securely access application secrets, API keys, and sensitive data from anywhere in Superblocks. This guide covers:
- How to set up a new secret store connected to AWS Secrets Manager
- Using secrets throughout the Superblocks platform
- Configuring and managing caching for your secret store to improve API performance
Prerequisites
To set up AWS Secrets Manager as a secret store for Superblocks you'll need:
- An AWS account with AWS Secrets Manager configured
- Permission to create new IAM policies for your AWS account
Set up
Create IAM policy
Create an IAM policy to grant Superblocks access to your secrets. Below is an example policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret"
      ],
      "Resource": ["arn:aws:secretsmanager:${REGION}:${ACCOUNT_ID}:secret:*"]
    },
    {
      "Effect": "Allow",
      "Action": ["secretsmanager:ListSecrets"],
      "Resource": "*"
    }
  ]
}
```
We recommend only granting Superblocks access to the minimum set of secret ARNs your team will use in Superblocks. For added security, create secrets that are prefixed with superblocks/${env}/ so the secrets used in Superblocks are easy to identify.
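The following is an added example, not part of the Superblocks documentation or product: it holds the policy above scoped down to the recommended superblocks/${env}/ prefix (REGION, ACCOUNT_ID and ENV are placeholders to fill in) and a small audit function that flags Allow statements granting secret-reading actions on resources broader than that prefix, which is useful for reviewing a policy before attaching it.

```python
import json

# Constructed example: the guide's policy, with the secret-reading statement
# limited to secrets named superblocks/<env>/... as the guide recommends.
# REGION, ACCOUNT_ID and ENV are placeholders, not real values.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
            "Resource": ["arn:aws:secretsmanager:REGION:ACCOUNT_ID:secret:superblocks/ENV/*"],
        },
        # ListSecrets does not support resource-level permissions, so "*" is expected here.
        {"Effect": "Allow", "Action": ["secretsmanager:ListSecrets"], "Resource": "*"},
    ],
}

# Actions that return or describe secret material and should therefore be ARN-scoped.
SCOPED_ACTIONS = {"secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"}


def _as_list(value):
    """IAM allows a single string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy, prefix="superblocks/"):
    """Return findings for Allow statements that expose secrets beyond `prefix`.

    A finding is raised when a secret-reading action (or a wildcard that covers one)
    is allowed on a resource whose secret name does not start with `prefix`,
    e.g. "*" or "arn:...:secret:*". An empty list means the policy is scoped.
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in SCOPED_ACTIONS or a.endswith(":*") or a == "*" for a in actions):
            continue  # e.g. ListSecrets alone: "*" is unavoidable and reveals no values
        for res in _as_list(stmt.get("Resource", [])):
            # The secret name is everything after the ":secret:" marker in the ARN.
            name = res.split(":secret:", 1)[1] if ":secret:" in res else None
            if name is None or not name.startswith(prefix):
                findings.append(f"Statement {i}: {actions} allowed on {res!r}, not scoped to {prefix}*")
    return findings


def policy_json(policy=SCOPED_POLICY):
    """Render a policy as the JSON text you would paste into the IAM console."""
    return json.dumps(policy, indent=2)
```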
Configure secret store
Configure a new secret store in Superblocks:
- Go to the Secrets Management page in Superblocks
- Click the AWS Secrets Manager tile
- Name your secret store
- Specify your store's Prefix. If Superblocks secrets are all named using superblocks/${env}/, this will be the corresponding prefix value.
- Specify your AWS Region
- Paste the Access Key ID and Secret Access Key for the IAM user Superblocks will act on behalf of.
- Configure caching rules for this store
- Optionally, add more configurations for different environments
- Click Create
Your secret store is now configured. Use it in backend APIs and integrations to reference your secrets.
Using secrets
After configuring your secret store, reference secrets using the {{sb_secrets}} object. Secrets are accessed from their respective stores using the syntax {{sb_secrets.STORE_NAME.SECRET_NAME}}.
Secrets are available to reference in Backend APIs and Integrations. Note that for security purposes, secrets cannot be referenced in Frontend JS or Components.
Secrets are fetched at runtime from a particular store based on the API's current Profile.
If your secret is stored as a JSON object in key:value form, use the JavaScript JSON.parse() function to reference the secret value inside integration forms: {{JSON.parse(sb_secrets.STORE_NAME.SECRET_NAME).SECRET_KEY}}
If your secret includes spaces or special characters, use array notation instead of dot notation to access the secret: {{sb_secrets.STORE_NAME['SECRET_NAME']}}
Caching
If enabled, Superblocks can cache your secrets, reducing calls to your secrets manager and improving API performance when using secrets. Caching can be configured for each of your secret store's configurations, letting you set different policies based on the environment.
To configure caches, go to Secrets Management and click into your secrets store. From here you can:
- Update the Cache TTL (seconds) to your desired caching interval
- Clear the cache if you've rotated a secret and need Superblocks to refetch secret values
If you're running the On-Premise Agent, secrets are cached in-memory by your agent. For scaled deployments, you'll need to clear each instance's cache individually when rotating secrets.
To rotate secrets more easily, disable caching first. Then, after updating the secret, re-enable caching.