
Hosting and Using Secrets

Last updated: 2024-08-23 11:26:57

Authentication credentials of all kinds (passwords, tokens, SSH keys, API keys) are typically embedded in plaintext in the application's configuration files or source code. This is insecure: anyone who can read the file, the repository, or a build artifact obtains the secret. SSM can encrypt and store such sensitive information so that secrets no longer have to be hardcoded in plaintext.

Flowchart

The following uses a hosted database username and password as an example to introduce the basic use case of secret hosting.

1. The DB admin sets the database username and password.
2. The DB admin creates a credential object in SSM that encrypts and stores the username and password from Step 1. For details on creating credentials, please refer to Creating Credentials.
3. When an application system needs to access the database, it requests the credential from SSM. For details on the interface request, please refer to Obtaining Credential Plaintext.
4. The application system parses the plaintext credential returned by the API and obtains the username and password used to access the target database.
5. The DB admin can create multiple versions of a credential. Updating the credential version is how configuration synchronization, version management, and credential rotation are achieved.

Application Effects

The application system can call the SSM APIs or SDK to obtain the sensitive secret plaintext, avoiding the leakage risk of coding the secret as plaintext in the application or its configuration file. The two approaches are compared below.
The following example stores the database username and password as plaintext in the local configuration or code file, which carries a high risk of sensitive secret leakage.
Sample code of obtaining the connection string (hardcoded plaintext):
// Hardcoded DSN: the database password lives in source control and in every build artifact.
func GetDBConfig() string {
	dbConnStr := "user:password@tcp(127.0.0.1:3306)/test"
	return dbConnStr
}
Sample code of using the secret plaintext:
// Requires import "database/sql" and a registered MySQL driver (e.g. github.com/go-sql-driver/mysql).
conn, err := sql.Open("mysql", GetDBConfig())
if err != nil {
	// error handler
}
When the database connection information is hosted in SSM, it no longer needs to be stored as plaintext in the code or local configuration; the application fetches it at runtime.
Sample code of obtaining the secret plaintext from SSM:
// Assumed imports from the Tencent Cloud Go SDK (tencentcloud-sdk-go):
//   "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common"
//   "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common/profile"
//   ssm "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/ssm/v20190923"
// secretId, secretKey, region and endpoint are assumed to be defined elsewhere
// (for example loaded from the environment); they must not be hardcoded either.
func GetDBConfig(secretName, version *string) string {
	// The API key pair authenticates this application to SSM.
	credential := common.NewCredential(
		secretId,
		secretKey,
	)
	cpf := profile.NewClientProfile()
	cpf.HttpProfile.Endpoint = endpoint
	client, err := ssm.NewClient(credential, region, cpf)
	if err != nil {
		// error handler
	}

	request := ssm.NewGetSecretValueRequest()
	request.SecretName = secretName
	request.VersionId = version

	// The plaintext is returned over TLS and only ever held in memory here.
	resp, err := client.GetSecretValue(request)
	if err != nil {
		// error handler
	}
	return *resp.Response.SecretString
}
Sample code of using the secret plaintext:
// Only the secret's name and version are referenced in the code; neither is sensitive.
secretName := "MySecret1"
version := "MyVersion1"
conn, err := sql.Open("mysql", GetDBConfig(&secretName, &version))
if err != nil {
	// error handler
}
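The page's second snippet returns the SecretString and hands it straight to sql.Open, but steps 4 and 5 of the flow (parsing the plaintext into a username and password, and picking up a rotated version) are left to the reader. The following is an added example, not Tencent Cloud's or the SSM SDK's own code. It assumes the hosted secret's plaintext is a JSON document with username, password, host, port and database fields (an assumption; the page does not fix a format), and it replaces the real SSM client with a map-backed SecretProvider so it runs offline. A production implementation of the interface would wrap the GetSecretValue call shown above. The example also shows a redacted DSN so connection details can be logged without leaking the password.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// dbSecret is the assumed JSON layout of the hosted secret's plaintext.
// The field names are an assumption made for this example.
type dbSecret struct {
	Username string `json:"username"`
	Password string `json:"password"`
	Host     string `json:"host"`
	Port     int    `json:"port"`
	Database string `json:"database"`
}

// SecretProvider abstracts step 3 of the flow: request the plaintext of a named
// secret version. A real implementation would wrap the SSM client's
// GetSecretValue; the map-backed version below stands in for it offline.
type SecretProvider interface {
	GetSecretValue(secretName, versionID string) (string, error)
}

type mapProvider map[string]string

func (m mapProvider) GetSecretValue(secretName, versionID string) (string, error) {
	v, ok := m[secretName+"/"+versionID]
	if !ok {
		return "", fmt.Errorf("secret %q version %q not found", secretName, versionID)
	}
	return v, nil
}

// ParseDBSecret implements step 4: turn the returned plaintext into the
// fields the application needs, rejecting malformed or incomplete secrets
// instead of building a half-empty connection string from them.
func ParseDBSecret(plaintext string) (dbSecret, error) {
	var s dbSecret
	if err := json.Unmarshal([]byte(plaintext), &s); err != nil {
		return dbSecret{}, fmt.Errorf("secret is not valid JSON: %w", err)
	}
	if s.Username == "" || s.Password == "" || s.Host == "" || s.Database == "" {
		return dbSecret{}, errors.New("secret is missing required fields")
	}
	if s.Port == 0 {
		s.Port = 3306 // MySQL default when the secret omits the port
	}
	return s, nil
}

// DSN builds the go-sql-driver/mysql connection string that sql.Open expects.
// It exists only in memory; nothing here writes it to a file or a log.
func (s dbSecret) DSN() string {
	return fmt.Sprintf("%s:%s@tcp(%s:%d)/%s", s.Username, s.Password, s.Host, s.Port, s.Database)
}

// RedactDSN masks the password (everything between the first ':' and the
// last '@') so a DSN can appear in logs without leaking the secret.
func RedactDSN(dsn string) string {
	at := strings.LastIndex(dsn, "@")
	colon := strings.Index(dsn, ":")
	if colon < 0 || at < 0 || colon > at {
		return dsn
	}
	return dsn[:colon+1] + "****" + dsn[at:]
}

// GetDBConfig wires steps 3 and 4 together: fetch the named version, parse it,
// and return the DSN. Changing versionID is how a rotated credential (step 5)
// is picked up without touching code or config files.
func GetDBConfig(p SecretProvider, secretName, versionID string) (string, error) {
	plaintext, err := p.GetSecretValue(secretName, versionID)
	if err != nil {
		return "", err
	}
	s, err := ParseDBSecret(plaintext)
	if err != nil {
		return "", err
	}
	return s.DSN(), nil
}

// sampleProvider holds constructed sample secrets; two versions simulate a
// password rotation. These values are made up for this example.
var sampleProvider = mapProvider{
	"MySecret1/MyVersion1": `{"username":"app","password":"old-pass","host":"127.0.0.1","port":3306,"database":"test"}`,
	"MySecret1/MyVersion2": `{"username":"app","password":"new-pass","host":"127.0.0.1","database":"test"}`,
}

func main() {
	for _, v := range []string{"MyVersion1", "MyVersion2", "MyVersion3"} {
		dsn, err := GetDBConfig(sampleProvider, "MySecret1", v)
		if err != nil {
			fmt.Println(v, "error:", err)
			continue
		}
		fmt.Println(v, RedactDSN(dsn)) // log only the redacted form
	}
}
```

Running it resolves MyVersion1 and MyVersion2 to DSNs that differ only in the password, and reports an error for the nonexistent MyVersion3 rather than silently connecting with an empty credential. In a real deployment the version name (or a "current" alias, if the service offers one) is the only thing the application configuration needs to carry.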