
Authenticate using credentials in AWS Secrets Manager

When configuring Superblocks integrations that connect to your databases and APIs, you may prefer to pull credentials from your own secrets manager instead of inputting them directly into the integration form*. This is possible through the "fetch credentials dynamically" setting, which allows you to connect an integration configuration to a Superblocks Workflow that retrieves credentials. Let's walk through an example showing how to do this with AWS Secrets Manager.

Note: *Even when configuring credentials directly on an integration form, those credentials are securely stored in a secrets manager on the Superblocks Cloud (Vault). See our security guide for more information.

On this page:

  1. Store secret in AWS Secrets Manager
  2. Create Superblocks workflow to fetch secret
  3. Configure integration to use workflow

Store secret in AWS Secrets Manager

Store a new secret in AWS Secrets Manager if you don't already have one created. Here we'll store credentials for our Postgres Database and call the secret postgresSecrets.

Create Superblocks workflow to fetch secret

Next, we'll create a workflow called getSecrets. It includes a Python step that uses the boto3 library to connect to AWS Secrets Manager and fetch the secret value for the provided secret name, postgresSecrets in our example.

Note: here we have installed the On-Premise Agent so that the AWS Access Key ID and AWS Secret Access Key are stored locally on the agent as environment variables (SUPERBLOCKS_AGENT_APP_ENV_AWS_ACCESS_KEY_ID and SUPERBLOCKS_AGENT_APP_ENV_AWS_SECRET_ACCESS_KEY) rather than in the workflow itself. We can reference those in the Python step as Env.aws_access_key_id and Env.aws_secret_access_key.

Full code snippet below:

import boto3
import json
import base64
from botocore.exceptions import ClientError

# Replace <SECRET_NAME> and <REGION>
secret_name = "<SECRET_NAME>"
region_name = "<REGION>"
# The AWS credentials come from the On-Premise Agent's environment, not from the workflow body
aws_access_key_id = Env.aws_access_key_id
aws_secret_access_key = Env.aws_secret_access_key

# Create a Secrets Manager client
session = boto3.session.Session()
client = session.client(
    service_name='secretsmanager',
    region_name=region_name,
    aws_access_key_id=aws_access_key_id,
    aws_secret_access_key=aws_secret_access_key
)

# In this sample we only handle the specific exceptions for the 'GetSecretValue' API.
# See https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
# We rethrow the exception by default.
try:
    get_secret_value_response = client.get_secret_value(SecretId=secret_name)
except ClientError as e:
    error_code = e.response['Error']['Code']
    if error_code == 'DecryptionFailureException':
        # Secrets Manager can't decrypt the protected secret text using the provided KMS key.
        # Deal with the exception here, and/or rethrow at your discretion.
        raise e
    elif error_code == 'InternalServiceErrorException':
        # An error occurred on the server side.
        # Deal with the exception here, and/or rethrow at your discretion.
        raise e
    elif error_code == 'InvalidParameterException':
        # You provided an invalid value for a parameter.
        # Deal with the exception here, and/or rethrow at your discretion.
        raise e
    elif error_code == 'InvalidRequestException':
        # You provided a parameter value that is not valid for the current state of the resource.
        # Deal with the exception here, and/or rethrow at your discretion.
        raise e
    elif error_code == 'ResourceNotFoundException':
        # We can't find the resource that you asked for.
        # Deal with the exception here, and/or rethrow at your discretion.
        raise e
    else:
        # Any other error code is also rethrown so the workflow run fails visibly.
        raise e
else:
    # Secrets Manager decrypts the secret using the associated KMS key.
    # Depending on whether the secret is a string or binary, one of these fields will be populated.
    if 'SecretString' in get_secret_value_response:
        secret = get_secret_value_response['SecretString']
    else:
        # Binary secrets are decoded to bytes; json.loads accepts bytes directly
        secret = base64.b64decode(get_secret_value_response['SecretBinary'])

# The step's return value becomes the workflow response, so its keys (host, password, ...)
# can be referenced from the integration form
return json.loads(secret)
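As an added example (not Superblocks' code and not the AWS sample above), the snippet below factors the secret handling into a function that can be exercised offline. It handles both SecretString and SecretBinary, rejects values that are not a JSON object, fails when a field the integration form will reference is missing, and returns only those fields so unrelated keys in the secret never leave the workflow. The REQUIRED_FIELDS list, the FakeSecretsManagerClient class and the SAMPLE_RESPONSES data are constructed for this example; the assumption that boto3 hands SecretBinary back as already-decoded bytes is also noted in the code.

```python
import json

# Fields the Postgres integration form references from the workflow output.
# This list is a choice made for this example, not a Superblocks or AWS requirement.
REQUIRED_FIELDS = ("host", "port", "user", "password", "database")

# Constructed sample data standing in for what GetSecretValue would return.
SAMPLE_RESPONSES = {
    "postgresSecrets": {
        "SecretString": json.dumps({
            "host": "db.example.internal", "port": 5432, "user": "app",
            "password": "constructed-password", "database": "orders",
            "comment": "extra key that must not reach the form",
        })
    },
    "postgresSecretsBinary": {
        "SecretBinary": json.dumps({
            "host": "db2.example.internal", "port": 5432, "user": "app",
            "password": "constructed-password-2", "database": "orders",
        }).encode("utf-8")
    },
    "incompleteSecret": {"SecretString": json.dumps({"host": "db3.example.internal"})},
    "notJson": {"SecretString": "password=oops"},
}


class FakeSecretsManagerClient:
    """Constructed stand-in for boto3's secretsmanager client so the example runs offline.

    Only get_secret_value(SecretId=...), the one call the workflow makes, is implemented.
    """

    def __init__(self, responses):
        self._responses = responses

    def get_secret_value(self, SecretId):
        if SecretId not in self._responses:
            # The real client raises a ClientError with code ResourceNotFoundException here
            raise LookupError(f"secret not found: {SecretId}")
        return self._responses[SecretId]


def parse_secret_response(response):
    """Turn a GetSecretValue response into the dict the integration form will reference."""
    if "SecretString" in response:
        raw = response["SecretString"]
    elif "SecretBinary" in response:
        # Assumption: boto3 returns SecretBinary as already base64-decoded bytes
        raw = response["SecretBinary"].decode("utf-8")
    else:
        raise ValueError("response has neither SecretString nor SecretBinary")
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        # Keep `raw` out of the message: it may be the secret itself
        raise ValueError("secret value is not valid JSON") from exc
    if not isinstance(data, dict):
        raise ValueError("secret value is not a JSON object")
    missing = [field for field in REQUIRED_FIELDS if field not in data]
    if missing:
        # Fail here rather than hand the integration a half-filled credential set
        raise KeyError("secret is missing fields: " + ", ".join(missing))
    # Return only the fields the form needs, so unrelated keys in the secret never leave the workflow
    return {field: data[field] for field in REQUIRED_FIELDS}


def fetch_credentials(client, secret_name):
    """Body of the getSecrets step, with the client passed in so it can be run against the fake."""
    return parse_secret_response(client.get_secret_value(SecretId=secret_name))


if __name__ == "__main__":
    creds = fetch_credentials(FakeSecretsManagerClient(SAMPLE_RESPONSES), "postgresSecrets")
    # When checking the workflow locally, print only the non-secret fields
    print({k: creds[k] for k in ("host", "port", "user", "database")})
```

In the real workflow step, `client` is the boto3 Secrets Manager client created as in the snippet above and the step ends with `return fetch_credentials(client, secret_name)`; the shape of the returned dict is what the form references as {{getSecrets.response.host}} and so on.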

Configure integration to use workflow

Lastly, configure the Postgres integration in Superblocks to use the credentials based on the output of this workflow.

  1. Enable "Fetch credentials dynamically" and choose the Workflow (getSecrets in our example).
  2. Run the Workflow to verify the results.
  3. Add credentials to the rest of the form based on the Workflow results. For example, {{getSecrets.response.host}} and {{getSecrets.response.password}}.

Now whenever you run a query against this Postgres instance from Superblocks, the agent will execute this workflow first to fetch the secret values from AWS Secrets Manager, and then use them to connect to your database.