added Secrets Manager documentation under aws-samples#401 - issue aws-samples#475

Author: mistryious

04-path-security-and-networking/401-configmaps-and-secrets/images/sec_mgr_app/.dockerignore

@@ -0,0 +1,2 @@
+node_modules
+npm-debug.log

04-path-security-and-networking/401-configmaps-and-secrets/images/sec_mgr_app/Dockerfile

@@ -0,0 +1,16 @@
+FROM node:carbon
+# Create app directory
+WORKDIR /usr/src/app
+
+# Install app dependencies
+# A wildcard is used to ensure both package.json AND package-lock.json are copied
+# where available (npm@5+)
+COPY package*.json ./
+
+RUN npm install
+# If you are building your code for production
+# RUN npm install --only=production
+# Bundle app source
+COPY . .
+
+CMD [ "npm", "start" ]

04-path-security-and-networking/401-configmaps-and-secrets/images/sec_mgr_app/package.json

@@ -0,0 +1,14 @@
+{
+  "name": "docker_web_app",
+  "version": "1.0.0",
+  "description": "Node.js on Docker",
+  "author": "First Last <[email protected]>",
+  "main": "server.js",
+  "scripts": {
+    "start": "node server.js"
+  },
+  "dependencies": {
+    "aws-sdk": "latest",
+    "npm": "^6.1.0"
+  }
+}

04-path-security-and-networking/401-configmaps-and-secrets/images/sec_mgr_app/server.js

@@ -0,0 +1,46 @@
+'use strict';
+
+var AWS = require('aws-sdk'),
+              endpoint = "https://secretsmanager.us-west-2.amazonaws.com",
+              region = "us-west-2",
+              secretName = "testsecret",
+              secret = "",
+              binarySecretData = "";
+
+// Constants
+var client = new AWS.SecretsManager({
+  endpoint: endpoint,
+  region: region
+});
+
+
+// App
+client.getSecretValue({SecretId: secretName}, function(err, data) {
+  if(err) {
+      if(err.code === 'ResourceNotFoundException')
+          console.log("The requested secret " + secretName + " was not found");
+      else if(err.code === 'InvalidRequestException')
+          console.log("The request was invalid due to: " + err.message);
+      else if(err.code === 'InvalidParameterException')
+          console.log("The request had invalid params: " + err.message);
+  }
+  else {
+      // Decrypted secret using the associated KMS CMK
+      // Depending on whether the secret was a string or binary, one of these fields will be populated
+      if(data.SecretString !== "") {
+          secret = data.SecretString;
+//          console.log(secret);
+      } else {
+          binarySecretData = data.SecretBinary;
+      }
+  }
+
+  // Your code goes here.
+  console.log(`Secret retrieved from AWS SecretsManager: ${secretName} is ${secret}`);
+});
+
+
+
+
+
+

04-path-security-and-networking/401-configmaps-and-secrets/readme.adoc

@@ -678,10 +678,98 @@ This shows that the Java application has been able to read both the NAME and GRE
 
 == Secrets using AWS Secrets Manager
 
-=== Update the IAM role
+This section will show how to create a secret using AWS Secrets Manager and access it in a Pod.
+
+AWS Secrets Manager enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. The service integrates with KMS, which uses a https://aws.amazon.com/blogs/security/aws-key-management-service-now-offers-fips-140-2-validated-cryptographic-modules-enabling-easier-adoption-of-the-service-for-regulated-workloads/[FIPS 140-2 validated Hardware Security Module], to provide robust key management controls for protection of the secret. It also integrates with AWS IAM and AWS CloudTrail to provide fine-grained access, audit and alerting integration.
+
+=== Update the IAM role for EKS or `kops` Kubernetes Cluster
+
+==== EKS Kubernetes Cluster
+EC2 worker nodes use `NodeInstanceRole` created in Step 3 of the https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html[EKS Getting Started guide]. This role must be updated to allow the worked nodes to read the secrets from Secrets Manager.
+
+In the IAM Console, click `roles` and type `NodeInstanceRole` and click it. In the Permissions tab, expand the inline policy and click `Edit policy`. Add the `secretsManager:GetSecretValue` permission to the policy so the policy looks similar to the one below.
+
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Effect": "Allow",
+                "Action": [
+                    "secretsmanager:GetSecretValue",
+                    "secretsmanager:DescribeSecret"
+                ],
+                "Resource": [
+                    "arn:aws:secretsmanager:<region>:<account-id>:secret:<secret-name>"
+                ]
+            }
+        ]
+    }
+
+==== `kops` Kubernetes Cluster
+
+EC2 worker nodes use an instance profile to allow the EC2 node instances to access other AWS services. This role must be updated to allow the worker nodes to read the secrets from Secrets Manager.
+
+In the IAM Console click `roles` and type `nodes` into the search box. Find the `nodes.example.cluster.k8s.local` role
+and click it. In the Permissions tab, expand the inline policy for `nodes.example.cluster.k8s.local` and click
+`Edit policy`.
+
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Effect": "Allow",
+                "Action": [
+                    "secretsmanager:GetSecretValue",
+                    "secretsmanager:DescribeSecret"
+                ],
+                "Resource": [
+                    "arn:aws:secretsmanager:<region>:<account-id>:secret:<secret-name>"
+                ]
+            }
+        ]
+    }
+
 === Create secrets
+
+. Create a secret key-value pair using https://docs.aws.amazon.com/cli/latest/reference/secretsmanager/create-secret.html[AWS Secrets Manager CLI].
+
+  aws secretsmanager create-secret --name testsecret --description "EKS/kops Demo Secret" --secret-string [{"testkey":"testvalue"}] --region us-west-2
+
+. Get the value of created secret using https://docs.aws.amazon.com/cli/latest/reference/secretsmanager/get-secret-value.html[GetSecretValue] API call
+
+  aws secretsmanager get-secret-value --secret-id testsecret --region us-west-2
+
 === Consume secrets in a Pod
 
+The directory images/sec_mgr_app contains a Node.js application that reads secrets from AWS Secrets Manager from the US-West (Oregon) `us-west-2` region. This application is then packaged as a Pod and deployed in the cluster.
+
+The Pod configuration is shown below:
+
+    apiVersion: v1
+    kind: Pod
+    metadata:
+      name: pod-secretsmanager
+    spec:
+      containers:
+      - name: pod-secretsmanager
+        image: paavanmistry/node-aws-sm-demo:latest
+      restartPolicy: Never
+
+Create the Pod:
+
+  $ kubectl apply -f templates/pod-secretsmanager.yaml
+  pod "pod-parameter-store" configured
+
+Check the logs of the Pod:
+
+  $ kubectl logs pod-secretsmanager
+  Secret retrieved from AWS SecretsManager: testsecret is {testkey}:{testvalue}
+
+Clean up:
+
+  $ kubectl delete -f templates/pod-secretsmanager.yaml
+  $ aws secretsmanager delete-secret --secret-id testsecret --region us-west-2
+
 == Secrets using Vault
 
 https://www.vaultproject.io/[Hashicorp Vault] is a tool for managing secrets. It secures, stores and tightly controls access to tokens, passwords, certificates, API keys and other secrets.

04-path-security-and-networking/401-configmaps-and-secrets/templates/pod-secretsmanager.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-secretsmanager
+spec:
+  containers:
+  - name: pod-secretsmanager
+    image: paavanmistry/node-aws-sm-demo:latest
+  restartPolicy: Never