gordalina/hush_aws_secrets_manager
AWS Secrets Manager Hush Provider


This package provides a Hush Provider that resolves secrets stored in Amazon Web Services' Secrets Manager.

Documentation can be found at https://hexdocs.pm/hush_aws_secrets_manager.

Installation

The package can be installed by adding hush_aws_secrets_manager to your list of dependencies in mix.exs:

def deps do
  [
    {:hush, "~> 1.0"},
    {:hush_aws_secrets_manager, "~> 1.1"}
  ]
end

This module relies on ex_aws to talk to the AWS API, so ex_aws must be configured as well. A minimal example follows; alternative ways of configuring it (for example instance roles or AWS CLI profiles) are described in the ex_aws documentation.

Because the provider needs to start the ex_aws application, it must be registered as a provider in hush so that it is loaded during startup.

# config/config.exs

alias Hush.Provider.AwsSecretsManager

config :ex_aws,
  access_key_id: [{:system, "AWS_ACCESS_KEY_ID"}],
  secret_access_key: [{:system, "AWS_SECRET_ACCESS_KEY"}]

# ensure hush loads AwsSecretsManager during startup
config :hush,
  providers: [AwsSecretsManager]

AWS Authorization

In order to retrieve secrets from AWS, ensure the service account you use has a policy similar to the following. Listing each secret ARN explicitly, rather than a wildcard, limits the account to exactly the secrets the application needs:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": [
        "arn:aws:secretsmanager:<region>:<account>:secret:<secret-name>",
        "arn:aws:secretsmanager:us-east-1:000000000000:secret:config/password-MzBAO2"
      ]
    }
  ]
}

Usage

The following example reads the CloudSQL password and the connection pool size from Secrets Manager into the Ecto repo configuration. The pool size is cast to an integer and falls back to 10 if the secret does not exist:

# config/prod.exs

alias Hush.Provider.AwsSecretsManager

config :app, App.Repo,
  password: {:hush, AwsSecretsManager, "CLOUDSQL_PASSWORD"},
  pool_size: {:hush, AwsSecretsManager, "ECTO_POOL_SIZE", cast: :integer, default: 10}
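As an added example (not the project's own code), the following config/runtime.exs ties the pieces above together: ex_aws falls back to the instance or task role when no static keys are present in the environment, the provider is registered with hush, and the Ecto repo pulls all of its database credentials by secret name. The `region` key and the `:instance_role` fallback are ex_aws configuration options; `cast: :boolean` is assumed to be accepted by Hush alongside the `:integer` cast shown above, and the secret names are constructed for this example.

```elixir
# config/runtime.exs (added example; evaluated at boot, so it also works in releases)
import Config

alias Hush.Provider.AwsSecretsManager

# ex_aws credential chain: use AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY when
# they are set, otherwise fall back to the EC2/ECS instance role. Production
# hosts then need no long-lived access keys in their environment at all.
config :ex_aws,
  region: [{:system, "AWS_REGION"}, "us-east-1"],
  access_key_id: [{:system, "AWS_ACCESS_KEY_ID"}, :instance_role],
  secret_access_key: [{:system, "AWS_SECRET_ACCESS_KEY"}, :instance_role]

# hush must start ex_aws before any secret can be resolved, so the provider is
# registered here and not only referenced inside the tuples below.
config :hush,
  providers: [AwsSecretsManager]

# Each {:hush, provider, secret_name, opts} tuple is replaced by the secret's
# value when hush resolves the configuration at startup. Every secret name used
# here must also be present in the IAM policy's Resource list above, otherwise
# GetSecretValue is denied and resolution fails at boot rather than at first use.
config :app, App.Repo,
  username: {:hush, AwsSecretsManager, "DB_USERNAME"},
  password: {:hush, AwsSecretsManager, "DB_PASSWORD"},
  hostname: {:hush, AwsSecretsManager, "DB_HOSTNAME"},
  pool_size: {:hush, AwsSecretsManager, "DB_POOL_SIZE", cast: :integer, default: 10},
  # a missing DB_SSL secret must not silently turn TLS off, so the default is true
  ssl: {:hush, AwsSecretsManager, "DB_SSL", cast: :boolean, default: true}
```

A secret that has no `default:` and cannot be read (missing, or not covered by the IAM policy) aborts startup, which is the behaviour you want for credentials: the application never comes up with an empty password.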

License

Hush is released under the Apache License 2.0 - see the LICENSE file.

About

An AWS Secrets Manager Provider for Hush
