Secure your Credentials with AWS Secrets Manager

1 Introduction to the AWS Secrets Manager Service

AWS Secrets Manager is a service that helps you protect the secrets needed to access your applications, services, and IT resources. The service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. Users and applications retrieve secrets with a call to the Secrets Manager APIs, eliminating the need to hardcode sensitive information in plain text. Secrets Manager offers secret rotation with built-in integration for Amazon RDS, Amazon Redshift, and Amazon DocumentDB. The service is also extensible to other types of secrets, including API keys and OAuth tokens. In addition, Secrets Manager enables you to control access to secrets using fine-grained permissions and to audit secret rotation centrally for resources in the AWS Cloud, third-party services, and on-premises.

1.1 What is in this article

This article provides a step-by-step guide on how to use AWS Secrets Manager from a PHP program.

Prerequisites:

    • An active AWS account.

High-level Steps

    1. Create a new secret in AWS Secrets Manager
    2. Prepare an IAM policy, role and access key for authorizing your application
    3. Provision an EC2 instance with LAMP
    4. Build a GetSecret PHP program to get the secret
    5. Register credentials for the program so that it can access AWS Secrets Manager

2 Step-by-step Guide using AWS Secrets Manager

2.1 Create a new secret in AWS Secrets Manager

You can use the AWS Secrets Manager console to create the secret.

    1. Sign in to the console.
      https://console.aws.amazon.com/secretsmanager/

      Or, if you are already signed in to the AWS console, go to Secrets Manager.

    2. Make sure you select your desired AWS region. In this document, we'll use Singapore (ap-southeast-1).

    3. Click Store a new secret to create a new secret.

    4. In Step 1:
      • Select Other type of secret as the secret type.
      • Add the following two key-value pairs:
        Key: Username, Value: ProGood
        Key: Password,  Value: HelloThere@Well
      • Leave the other settings as they are and click Next.

    5. In Step 2:
      • For Secret name, type dev/app/test.
      • Leave the other settings as they are and click Next.

    6. In Step 3, leave the settings as they are, without enabling automatic rotation, and click Next.

    7. Click Store to complete the secret creation.

    8. Go back to the Secrets list and click the reload button; you should see your newly created secret.

    9. Click your newly created secret to show its details. Scroll to the bottom of the detail page and record the secretName (and region) of your secret. You'll need these in your PHP program.

2.2 Prepare IAM policy, role and access key for authorizing your application

To make requests to Amazon Web Services from a PHP program, you need to supply AWS access keys, also known as credentials.

You can do this in the following ways:

    • Use the default credential provider chain (recommended).
    • Use a specific credential provider or provider chain (or create your own).
    • Supply the credentials yourself. These can be root account credentials, IAM credentials, or temporary credentials retrieved from AWS STS.

In this document, we're going to use the first approach, i.e. the default credential provider chain, with the credentials stored in a credentials file.

To enable a user to call AWS API services, you must create an IAM policy for an IAM user, which controls which API actions the user is allowed to call, and then attach the policy to the IAM user. The following steps describe how to create your IAM policy.

To create your own IAM policy

    1. Open the IAM console at https://console.aws.amazon.com/iam/.
    2. Choose Policies, and then choose Create Policy. If a Get Started button appears, choose it, and then choose Create Policy.
    3. You can specify your policy by using the Visual Editor.
      • For Service, search and choose Secrets Manager.
      • For Action, check GetSecretValue under Read.
      • For resources, choose All resources.
    4. Alternatively, you can set up your policy in the JSON editor: select the JSON tab and enter the JSON policy document.
    5. Click Next:Tags to continue.
    6. Keep the settings as they are and click Next:Review to continue.
    7. For Policy Name, type GetSecretValuewPolicy (or another name that is easy for you to refer to later). Optionally, type descriptive text in Description.
    8. Click Create Policy to complete the policy creation.
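The policy document that the Visual Editor choices above produce (service Secrets Manager, action GetSecretValue under Read, All resources), written out as an added example for the JSON tab; it is not copied from the article. The Sid is an arbitrary label chosen here.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowReadSecretValue",
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "*"
    }
  ]
}
```

"Resource": "*" is the JSON equivalent of choosing All resources and lets the user read every secret in the account. For least privilege, replace it with the ARN of the dev/app/test secret recorded in section 2.1 (the ARN is shown on the secret's detail page and ends with the secret name plus a random suffix), so the application user can read only that one secret. Because the policy grants only secretsmanager:GetSecretValue, the user cannot list, create, or change secrets, and every successful or denied GetSecretValue call by this user is recorded by CloudTrail for auditing.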

You have just created an IAM policy. It won’t have any effect until you attach it to an IAM user, to an IAM group containing the user, or to an IAM role assumed by the user.

To create an IAM user for the application and attach the policy you just created

    1. Open the IAM console at https://console.aws.amazon.com/iam/.
    2. Choose Users and click the Add Users button.
    3. In step 1:
      • Provide the User name with value app.getSecretValue.
      • Check Access key – Programmatic access as the account will be used by the application.
      • Choose Next:Permission.
    4. In step 2:
      • Choose Attach existing policies directly.
      • Search and check the GetSecretValuewPolicy policy created previously.
      • Click Next:Tags.
    5. In step 3 and 4, click Next:Review and Create User.
    6. Your new user is now created. Record your access key ID and secret access key in a safe place; they will be used in the following section.
      Note that the secret access key will never be shown again after this screen.

2.3 Provision an EC2 with LAMP

In this section, you're going to create an EC2 instance with LAMP. It will be used for developing your PHP page in a later section. LAMP is an open-source software stack that provides a framework for creating PHP-based high-performance websites and applications with ease.

    1. Open the EC2 console at https://console.aws.amazon.com/ec2/.
    2. Choose Launch Instance.
    3. In step 1:
      • From the left navigation pane, choose the AWS Marketplaces tab.
      • Type LAMP in the search bar.
      • Click Select for the LAMP package by Bitnami.
      • Click Continue.
    4. In step 2:
      • Choose t2.micro or t3.micro.
      • Click Review and Launch to jump to the last step.
      • In the last step, click Launch.
    5. In the Key Pair dialog:
      • Choose Create a new key pair.
      • For Key pair name, type myKey.
      • Click Download Key Pair and store your key pair in a safe place. You will need this key pair to connect to your EC2 via SSH.
      • Click Launch Instance.
    6. In the EC2 console, choose Instances from the navigation bar.
    7. Look for the EC2 you've just created and wait for provisioning to complete.
    8. Look for and note down the public IP of the EC2.

2.4 Build a PHP program to Get the Secret Values

In this section, you're going to build a PHP program to get the secret values from AWS Secrets Manager. You'll need to log in to the command console through SSH and install the required AWS SDK for PHP before you can start building your PHP program.

To SSH to your EC2.

    1. Use your favorite SSH client to connect to your EC2.

      Key-pair file: myKey.pem (Downloaded in the previous section)
      User name: bitnami
      IP <ip>: IP address of EC2 (Noted in the previous section)

    2. If you’re using macOS or Linux, you can use the below command.

To install the AWS SDK for PHP Version 3

You’re going to install AWS SDK for PHP as a dependency via Composer.

Composer is the recommended way to install the AWS SDK for PHP. Composer is a tool for PHP that manages and installs the dependencies of your project.

    1. In the SSH command console of your EC2, head to the website folder.
    2. Run the following to install AWS SDK for PHP as a dependency.

To prepare the PHP code to get secret values

    1. Create a file named “GetSecret.php” with the below content.
    2. Note that you'll need to replace the $secretName <arn of your secret> with your recorded value.
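The program described in the steps above, as an added example rather than the article's own GetSecret.php. It assumes the AWS SDK for PHP version 3 was installed with Composer into the same folder (so vendor/autoload.php exists), that the secret holds the Username and Password key-value pairs entered in section 2.1, and that credentials come from the default provider chain, i.e. the credentials file created in section 2.5. The ARN placeholder and the function names fetchKeyValueSecret and mask are this example's own.

```php
<?php
// GetSecret.php - added example, not the article's code.
// Assumes: AWS SDK for PHP v3 installed via Composer in this directory,
// credentials supplied by the default provider chain (credentials file).
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Aws\SecretsManager\SecretsManagerClient;
use Aws\Exception\AwsException;

// Values recorded in section 2.1. The ARN below is a placeholder;
// the secret name (dev/app/test) is also accepted as SecretId.
const SECRET_ID = '<arn of your secret>';
const REGION    = 'ap-southeast-1';

/**
 * Fetch a key/value secret and return it as an associative array.
 * Every failure becomes a RuntimeException so the caller decides what,
 * if anything, to show to the browser.
 */
function fetchKeyValueSecret(SecretsManagerClient $client, string $secretId): array
{
    try {
        $result = $client->getSecretValue(['SecretId' => $secretId]);
    } catch (AwsException $e) {
        // Service error codes such as ResourceNotFoundException (wrong name/region),
        // DecryptionFailureException (KMS key not usable) or AccessDeniedException
        // (IAM policy missing secretsmanager:GetSecretValue).
        throw new RuntimeException('GetSecretValue failed: ' . $e->getAwsErrorCode(), 0, $e);
    }

    if (!isset($result['SecretString'])) {
        // "Other type of secret" stored as key/value pairs is always a string;
        // binary secrets (SecretBinary) are out of scope for this example.
        throw new RuntimeException('Secret is binary, not a key/value string');
    }

    $pairs = json_decode($result['SecretString'], true);
    if (!is_array($pairs)) {
        throw new RuntimeException('SecretString is not a JSON object');
    }
    return $pairs;
}

/** Hide all but the last two characters so the page never shows the full password. */
function mask(string $value): string
{
    $keep = min(2, strlen($value));
    return str_repeat('*', strlen($value) - $keep) . substr($value, -$keep);
}

$client = new SecretsManagerClient(['version' => 'latest', 'region' => REGION]);

header('Content-Type: text/plain; charset=utf-8');
try {
    $secret = fetchKeyValueSecret($client, SECRET_ID);
    // Keys are the ones entered in section 2.1 (Username, Password).
    echo 'Username: ' . ($secret['Username'] ?? '(missing)') . "\n";
    echo 'Password: ' . mask((string) ($secret['Password'] ?? '')) . "\n";
} catch (RuntimeException $e) {
    // Detail goes to the Apache error log; the browser only gets a generic message.
    error_log($e->getMessage());
    http_response_code(500);
    echo "Could not retrieve the secret; see the server error log.\n";
}
```

The SDK error code is logged rather than echoed so that a misconfigured page does not tell visitors which secret exists or why access was denied, and the password is masked before output because a page that prints a secret verbatim turns the secret store back into plain text on the wire. In a real application the value returned by fetchKeyValueSecret would be passed straight to the database or API client instead of being displayed. The SDK reads the credentials file of the user the web server runs as, so that file should be readable by that user only.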

2.5 Register the Credential for the PHP Program

In the final step, you're going to register the AWS access key in a credentials file so that the PHP program can access the required AWS service.

A credentials file is a plaintext file that contains your access keys. The file must:

    • Be on the same machine on which you’re running your application.
    • Be named credentials.
    • Be located in the .aws/ folder in your home directory.

We use this method in the Get Secret Value code.

Using an AWS credentials file offers the following benefits:

    • Your projects’ credentials are stored outside of your projects, so there is no chance of accidentally committing them into version control.
    • You can define and name multiple sets of credentials in one place.
    • You can easily reuse the same credentials among projects.
    • Other AWS SDKs and tools support this same credentials file, so you can reuse your credentials with other tools.

To prepare the AWS credential

    1. Create a .aws folder under the directory /usr/sbin
      sudo su
      mkdir /usr/sbin/.aws
      cd /usr/sbin/.aws

    2. Create a file named credentials with the content below.
      Note: replace the placeholders with the access key ID and secret access key that you recorded in the previous section.
      [default]
      aws_access_key_id = <YOUR_AWS_ACCESS_KEY_ID>
      aws_secret_access_key = <YOUR_AWS_SECRET_ACCESS_KEY>

    3. Finally, check your result by browsing to the PHP page you've just created; it should display the retrieved secret values.