AWS Secrets Management

Release's integration with AWS for secrets management let's you use and manage secrets using either AWS Secrets Manager or AWS Systems Manager Parameter Store. This integration allows you to bulk load a group of secrets into your services and/or jobs based on a pattern.

Prerequisites

Before you begin, ensure you have:

  1. Access to a Release environment with Kubernetes clusters configured.

  2. You have stored your secrets in the same region as the cluster/s Release is managing

  3. Decide on the pattern you would like Release to use and create secrets following this pattern.

Setting up your App and/or Environment configuration

secrets:
- name: default-secrets
  type: aws
  pattern: /Release/Secrets/Defaults/* #default secrets that many services need
- name: backend-secrets
  type: aws
  pattern: /Release/Secrets/Backend/* #only backend specific secrets

Name and type are pretty self explanitory, but the pattern is what makes the integration work. The pattern tells Release which secrets to pull into your services and/or jobs. In order for Release to utilize your secrets the pattern needs to match your naming scheme of your secrets.

The pathing you use in the name of the secret is up to you, but it must follow the form of: /Something/More/MoreStuff/* or /Something/*, etc. The only requirments are * Use "/"s to delineate; you can use any number of "/"s, but at least 1 is required * Include an asterisk (*) at the end.

For the example up above secrets named like:

  • /Release/Secrets/Defaults/TEST_SECRET0 #would be included in the default list

  • /Release/Secrets/Backend/BACKEND_TEST_SECRET0 #would be included in the backend list

  • SOME_SECRET #would not be automatically included in any list

The name of the secrets in your containers will only be the characters after the last '/'. A secret with a key or name like: /Release/Secrets/Defaults/TEST_SECRET0 will be TEST_SECRET0 in your containers. The preceding path (/Release/...) will be ommitted.

Using the secrets in your services and job definitions

services:
- name: rails
  image: github-org/rails
  secrets_from:
  - default-secrets #include default secrets
  - backend-secrets #include backend secrets

- name: ai-chatbot
  image: github-org/ai-chatbot
  secrets_from:
  - default-secrets #include only default secrets

jobs:
- name: chatbot-setup
  image: github-org/rails
  secrets_from:
  - default-secrets
  - backend-secerts

Conclusion

This integration allows you to create an arbitrary amount of secrets you want bulk loaded into your containers. You need only come up with path and naming scheme you like and tell Release about it and we can autoload them into your containers.

PreviousDoppler Secrets ManagerNextSource control integrations

Last updated

Was this helpful?