Use secrets manager for api key

Author: daixba

README.md

@@ -6,24 +6,7 @@ OpenAI-compatible RESTful APIs for Amazon Bedrock
 
 ## Breaking Changes
 
-This solution can now **automatically detect** new models supported in Amazon Bedrock. 
-So whenever new models are added to Amazon Bedrock, you can immediately try them without the need to wait for code changes to this repo. 
-
-This is to use the `ListFoundationModels` api and the `ListInferenceProfiles` api by Amazon Bedrock, due to this change, additional IAM permissions are required to your Lambda/Fargate role.
-
-If you are facing error: 'Unsupported model xxx, please use models API to get a list of supported models' even the model ID is correct, 
-please either update your existing stack (**Recommended**) with the new template in the deployment folder or manually add below permissions to the related Lambda/Fargate role.
-
-```json
-{
-   "Action": [
-       "bedrock:ListFoundationModels",
-       "bedrock:ListInferenceProfiles"
-   ],
-   "Resource": "*",
-   "Effect": "Allow"
-}
-```
+This solution now uses Secrets Manager to maintain API Key for security best practice.  You **MUST** create the API Key first in Secrets Manager and rotate it frequently.
 
 Please raise an GitHub issue if you still have problems.
 
@@ -74,42 +57,38 @@ Alternatively, you can use Lambda Function URL to replace ALB, see [example](htt
 
 Please follow the steps below to deploy the Bedrock Proxy APIs into your AWS account. Only supports regions where Amazon Bedrock is available (such as `us-west-2`). The deployment will take approximately **3-5 minutes** 🕒.
 
-**Step 1: Create your own custom API key (Optional)**
-
-#### Store API Key in ParameterStore
+**Step 1: Create your own API key in Secrets Manager (MUST)**
 
-> **Note:** This step is to use any string (without spaces) you like to create a custom API Key (credential) that will be used to access the proxy API later. This key does not have to match your actual OpenAI key, and you don't need to have an OpenAI API key. It is recommended that you take this step and ensure that you keep the key safe and private.
 
-1. Open the AWS Management Console and navigate to the Systems Manager service.
-2. In the left-hand navigation pane, click on "Parameter Store".
-3. Click on the "Create parameter" button.
-4. In the "Create parameter" window, select the following options:
-    - Name: Enter a descriptive name for your parameter (e.g., "BedrockProxyAPIKey").
-    - Description: Optionally, provide a description for the parameter.
-    - Tier: Select **Standard**.
-    - Type: Select **SecureString**.
-    - Value: Any string (without spaces).
-5. Click "Create parameter".
-6. Make a note of the parameter name you used (e.g., "BedrockProxyAPIKey"). You'll need this in the next step.
+> **Note:** This step is to use any string (without spaces) you like to create a custom API Key (credential) that will be used to access the proxy API later. This key does not have to match your actual OpenAI key, and you don't need to have an OpenAI API key. please keep the key safe and private.
 
-#### Store API Key in ENV variable
+1. Open the AWS Management Console and navigate to the AWS Secrets Manager service.
+2. Click on "Store a new secret" button. 
+3. In the "Choose secret type" page, select:
 
-1. Provide an ENV variable to the container named: `API_KEY` with the API key value.
+   Secret type: Other type of secret
+   Key/value pairs:
+   - Key: api_key
+   - Value: Enter your API key value
+   
+   Click "Next"
+4. In the "Configure secret" page:
+   Secret name: Enter a name (e.g., "BedrockProxyAPIKey")
+   Description: (Optional) Add a description of your secret
+5. Click "Next" and review all your settings and click "Store"
 
 **Step 2: Deploy the CloudFormation stack**
 
 1. Sign in to AWS Management Console, switch to the region to deploy the CloudFormation Stack to.
 2. Click the following button to launch the CloudFormation Stack in that region. Choose one of the following:
-   - **ALB + Lambda**
 
-      [![Launch Stack](assets/launch-stack.png)](https://console.aws.amazon.com/cloudformation/home#/stacks/create/template?stackName=BedrockProxyAPI&templateURL=https://aws-gcr-solutions.s3.amazonaws.com/bedrock-access-gateway/latest/BedrockProxy.template)
    - **ALB + Fargate**
 
       [![Launch Stack](assets/launch-stack.png)](https://console.aws.amazon.com/cloudformation/home#/stacks/create/template?stackName=BedrockProxyAPI&templateURL=https://aws-gcr-solutions.s3.amazonaws.com/bedrock-access-gateway/latest/BedrockProxyFargate.template)
 3. Click "Next".
 4. On the "Specify stack details" page, provide the following information:
     - Stack name: Change the stack name if needed.
-    - ApiKeyParam (if you set up an API key in Step 1): Enter the parameter name you used for storing the API key (e.g., `BedrockProxyAPIKey`). If you did not set up an API key, leave this field blank. Click "Next".
+    - ApiKeySecretName: Enter the secret name you used for storing the API key (e.g., `BedrockProxyAPIKey`). Click "Next".
 5. On the "Configure stack options" page, you can leave the default settings or customize them according to your needs.
 6. Click "Next".
 7. On the "Review" page, review the details of the stack you're about to create. Check the "I acknowledge that AWS CloudFormation might create IAM resources" checkbox at the bottom.

README_CN.md

@@ -6,24 +6,7 @@
 
 ## 重大变更
 
-这个方案现在可以**自动检测** Amazon Bedrock 中支持的新模型。
-因此，当 Amazon Bedrock 添加新模型时，您可以立即尝试使用它们，无需等待此代码库的更新。
-
-这是通过使用Amazon Bedrock 的 `ListFoundationModels API` 和 `ListInferenceProfiles` API 实现的。由于这一变更，您需要为 Lambda/Fargate 角色添加额外的 IAM 权限。
-
-如果您遇到错误："Unsupported model xxx, please use models API to get a list of supported models"（即使Model ID 是正确的），
-请使用Deployment 文件夹中的新模板更新您现有的堆栈(**推荐**），或手动为相关的 Lambda/Fargate 角色添加以下权限。
-
-```json
-{
-   "Action": [
-       "bedrock:ListFoundationModels",
-       "bedrock:ListInferenceProfiles"
-   ],
-   "Resource": "*",
-   "Effect": "Allow"
-}
-```
+为了遵循安全最佳实践，本解决方案现使用 Secrets Manager 来管理 API 密钥。您必须先在 Secrets Manager 中创建 API 密钥，并定期轮换该密钥。
 
 如果依然有问题，请提个GitHub issue。
 
@@ -76,37 +59,36 @@ OpenAI 的 API 或 SDK 无缝集成并试用 Amazon Bedrock 的模型,而无需
 
 请按以下步骤将Bedrock代理API部署到您的AWS账户中。仅支持Amazon Bedrock可用的区域(如us-west-2)。 部署预计用时**3-5分钟** 🕒。
 
-**第一步: 自定义您的API Key (可选)**
+**第一步: 在 Secrets Manager 中创建您的 API 密钥（必须）**
 
 > 注意:这一步是使用任意字符串（不带空格）创建一个自定义的API Key(凭证),将用于后续访问代理API。此API Key不必与您实际的OpenAI
-> Key一致,您甚至无需拥有OpenAI API Key。建议您执行此步操作并且请确保保管好此API Key。
-
-1. 打开AWS管理控制台,导航到Systems Manager服务。
-2. 在左侧导航窗格中,单击"参数存储"。
-3. 单击"创建参数"按钮。
-4. 在"创建参数"窗口中,选择以下选项:
-    - 名称:输入参数的描述性名称(例如"BedrockProxyAPIKey")。
-    - 描述:可选,为参数提供描述。
-    - 层级:选择**标准**。
-    - 类型:选择**SecureString**。
-    - 值: 随意字符串（不带空格）。
-5. 单击"创建参数"。
-6. 记录您使用的参数名称(例如"BedrockProxyAPIKey")。您将在下一步中需要它。
+> Key一致,您甚至无需拥有OpenAI API Key。请确保保管好此API Key。
+
+1. 打开 AWS 管理控制台并导航至 AWS Secrets Manager 服务。
+2. 点击 "存储新密钥" 按钮。
+3. 在 "选择密钥类型" 页面，选择：
+
+   密钥类型：其他类型的密钥 键/值对：
+   
+   - 键：api_key
+   - 值：输入您的 API 密钥值
+   点击 "下一步"
+4. 在 "配置密钥" 页面： 密钥名称：输入一个名称（例如："BedrockProxyAPIKey"） 描述：（可选）添加密钥的描述
+5. 点击 "下一步"，检查所有设置后点击 "存储"
+
 
 **第二步: 部署CloudFormation堆栈**
 
 1. 登录AWS管理控制台,切换到要部署CloudFormation堆栈的区域。
 2. 单击以下按钮在该区域启动CloudFormation堆栈，选择一种方式部署。
-   - **ALB + Lambda**
 
-      [![Launch Stack](assets/launch-stack.png)](https://console.aws.amazon.com/cloudformation/home#/stacks/create/template?stackName=BedrockProxyAPI&templateURL=https://aws-gcr-solutions.s3.amazonaws.com/bedrock-access-gateway/latest/BedrockProxy.template)
    - **ALB + Fargate**
 
       [![Launch Stack](assets/launch-stack.png)](https://console.aws.amazon.com/cloudformation/home#/stacks/create/template?stackName=BedrockProxyAPI&templateURL=https://aws-gcr-solutions.s3.amazonaws.com/bedrock-access-gateway/latest/BedrockProxyFargate.template)
 3. 单击"下一步"。
 4. 在"指定堆栈详细信息"页面,提供以下信息:
     - 堆栈名称: 可以根据需要更改名称。
-    - ApiKeyParam(如果在步骤1中设置了API Key):输入您用于存储API密钥的参数名称(例如"BedrockProxyAPIKey")，否则,请将此字段留空。
+    - ApiKeySecretName:输入您用于存储API 密钥的名称(例如"BedrockProxyAPIKey")，否则,请将此字段留空。
       单击"下一步"。
 5. 在"配置堆栈选项"页面,您可以保留默认设置或根据需要进行自定义。
 6. 单击"下一步"。