EDIT: As of Feb 2020, AWS seems to have fixed this bug. The base64ing and otherwise is no longer needed.
I have my secret stored as a string, but of course when AWS stores the secret it removes whitespace and line breaks. On top of that, it wraps the value in JSON.
When I run aws secretsmanager get-secret-value --secret-id my-private-key > private.pem
it returns something like:
{
"Name": "ai-data-devops-ansible-deploy-key",
"VersionId": "fedafe24-d3eb-4964-9a8f-7f4ecb375a35",
"SecretString": "-----BEGIN RSA PRIVATE KEY-----\nasdkmnasefkljzsdkffjsldkgfjlzkmsdflkNOTAREALKEYasddkjnsfdlzxdfvlkmdggo=\n-----END RSA PRIVATE KEY-----\n",
"VersionStages": [
"AWSCURRENT"
],
"CreatedDate": 1568147513.11,
"ARN": "arn:aws:secretsmanager:us-east-1:13726472r4:secret:my-private-key-XQuwafs"
}
So I need to:
-----BEGIN RSA PRIVATE KEY-----
asdkmnasefkljzsdkffjsldkgfjlzkmsdflkNOTAREALKEYasddkjnsfdlzxdfvlkmdggo=
-----END RSA PRIVATE KEY-----
Importing a certificate to the AWS Secrets Manager
When creating your Secret in the Secrets Manager, choose Other type of secrets under secret type and paste your PEM encoded certificate in the Plaintext field.
Keys are securely encrypted and stored in AWS Secrets Manager, which will also rotate the keys and install public keys on all nodes for you. By using this method, you won't have to manually deploy SSH Keys on the various EC2 instances or manually rotate them.
Securely Storing other Secrets with AWS Secrets Manager
You may need to securely manage other secrets in addition to AWS access keys, including SSH keys, database credentials, and third-party API keys. AWS Secrets Manager provides a solution for storing, rotating, managing, and retrieving a wide variety of secrets.
Another option would be to base64 encode the PEM for storage:
Encode the key:
$ cat private_key
-----BEGIN RSA PRIVATE KEY-----
asdkmnasefkljzsdkffjsldkgfjlzkmsdflkNOTAREALKEYasddkjnsfdlzxdfvlkmdggo=
-----END RSA PRIVATE KEY-----
$ base64 private_key > encoded_private_key
$ cat encoded_private_key
LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQphc2RrbW5hc2Vma2xqenNka2ZmanNsZGtnZmpsemttc2RmbGtOT1RBUkVBTEtFWWFzZGRram5zZmRsenhkZnZsa21kZ2dvPQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
Get the key back:
$ base64 -D encoded_private_key
-----BEGIN RSA PRIVATE KEY-----
asdkmnasefkljzsdkffjsldkgfjlzkmsdflkNOTAREALKEYasddkjnsfdlzxdfvlkmdggo=
-----END RSA PRIVATE KEY-----
Edit: Assuming the secret is base64 encoded, this would work:
Encode and push:
aws secretsmanager create-secret --name my-private-key --secret-string "$(base64 private.pem)"
Pull and decode:
aws secretsmanager get-secret-value --secret-id my-private-key --query 'SecretString' --output text |base64 -D > private.pem
Doing the --query --output text thing might make it simpler to parse even if you don't want to base64 encode it as well.
I came up with a solution that leveraged storing a secret in secrets manager as plain text.
Use the CLI to get the secret output as plain text. Now the \n and \s in the text will be converted to the line breaks and spaces they're supposed to be.
aws secretsmanager get-secret-value --secret-id privatekey --query 'SecretString' --output text > private.pem
The PEM file will now be properly formatted:
-----BEGIN RSA PRIVATE KEY-----
MIIG3DCCBM
-----END RSA PRIVATE KEY-----
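The two answers above (base64-encoded storage, and plain-text storage pulled back with --query/--output text) can be handled by one small script. This is an added example, not code from either answer: it takes the JSON that get-secret-value prints, unescapes the \n sequences by parsing the JSON, base64-decodes the value if that is how it was stored, checks that the result is a well-formed PEM block, and writes it with owner-only permissions. The sample response and key material are constructed; the Name value and the helper names are assumptions.

```python
"""Recover a PEM private key from `aws secretsmanager get-secret-value` JSON output."""
import base64
import binascii
import json
import os
import re

# One or more BEGIN/END blocks with base64 body lines between them
PEM_RE = re.compile(r"-----BEGIN [A-Z ]+-----\n(?:[A-Za-z0-9+/=]+\n)+-----END [A-Z ]+-----\n?")


def secret_to_pem(response_json: str) -> str:
    """Return the PEM text in SecretString, base64-decoding it if it was stored that way.

    json.loads() turns the escaped "\\n" sequences in the CLI output back into real
    newlines, which is what `--query 'SecretString' --output text` does on the CLI side.
    """
    secret = json.loads(response_json)["SecretString"]
    if not secret.lstrip().startswith("-----BEGIN"):
        # Stored via `base64 private.pem`: drop any line wrapping, then decode strictly
        try:
            secret = base64.b64decode("".join(secret.split()), validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError) as exc:
            raise ValueError("SecretString is neither PEM nor base64-encoded PEM") from exc
    if not PEM_RE.fullmatch(secret):
        raise ValueError("decoded secret is not a well-formed PEM block")
    return secret if secret.endswith("\n") else secret + "\n"


def write_private_key(pem: str, path: str) -> None:
    """Create the file with mode 0600 up front; ssh rejects group/world-readable keys."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(pem)


# Constructed sample shaped like the CLI output above; the key material is not real.
RAW_RESPONSE = json.dumps({
    "Name": "my-private-key",
    "SecretString": "-----BEGIN RSA PRIVATE KEY-----\n"
                    "NOTAREALKEYasddkjnsfdlzxdfvlkmdggo=\n"
                    "-----END RSA PRIVATE KEY-----\n",
})
# The same secret as it would look if it had been pushed with `base64 private.pem`
B64_RESPONSE = json.dumps({
    "Name": "my-private-key",
    "SecretString": base64.b64encode(json.loads(RAW_RESPONSE)["SecretString"].encode()).decode(),
})

if __name__ == "__main__":
    write_private_key(secret_to_pem(RAW_RESPONSE), "private.pem")
    print(secret_to_pem(B64_RESPONSE) == secret_to_pem(RAW_RESPONSE))
```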