1
00:00:00,270 --> 00:00:04,670
So now let's look into a service called Secrets Manager.

2
00:00:04,920 --> 00:00:11,980
And the name is extremely obvious: it's one of the services that will easily store secrets for us.

3
00:00:12,030 --> 00:00:15,870
And so with this you can rotate them, manage them and retrieve them.

4
00:00:16,080 --> 00:00:18,000
And with API calls for their lifecycle.

5
00:00:18,420 --> 00:00:24,630
So the big difference Secrets Manager has with something like Parameter Store with an encrypted

6
00:00:24,960 --> 00:00:31,140
value like a SecureString is that with Secrets Manager you can set up some rotation and you can link

7
00:00:31,140 --> 00:00:35,930
it to a Lambda function that will allow you to rotate your credentials on top of it.

8
00:00:35,940 --> 00:00:43,290
It has a very tight integration with RDS or Postgres and so on, and so the idea is that it will be a

9
00:00:43,290 --> 00:00:47,150
little bit easier to use and more secure with this.

10
00:00:47,160 --> 00:00:52,860
But the idea is the same: you're going to store secrets into a store and retrieve them at runtime.

11
00:00:52,860 --> 00:00:59,550
So the pricing is that you have 40 cents per secret per month and five cents for 10,000 API calls, and

12
00:00:59,550 --> 00:01:03,410
you get a 30-day free trial available for the secret spending.

13
00:01:03,440 --> 00:01:04,060
OK.

14
00:01:04,230 --> 00:01:10,120
So it's all obviously managed by IAM for access to the secret.

15
00:01:10,150 --> 00:01:12,510
So this is kind of a similar thing to Parameter Store.

16
00:01:13,080 --> 00:01:18,270
So let's go ahead and store a new secret, and so as you can see we get different types of secrets,

17
00:01:18,270 --> 00:01:23,380
and I'm pretty sure they will add secrets over time to make this even more integrated with other AWS

18
00:01:23,400 --> 00:01:24,190
services.
19
00:01:24,210 --> 00:01:30,600
But we can do credentials for an RDS database, credentials for a Redshift cluster, for a DocumentDB database,

20
00:01:30,840 --> 00:01:33,960
for another database, or another type of secret.

21
00:01:33,960 --> 00:01:35,520
And this is for example an API key.

22
00:01:36,210 --> 00:01:38,090
So here this is really important.

23
00:01:38,160 --> 00:01:42,780
Whenever you have a database it will prompt you for a username and a password, and it's pretty much

24
00:01:42,790 --> 00:01:44,530
username and password for everything here.

25
00:01:44,590 --> 00:01:50,220
OK, but if it's another type of secret then you will have key-value pairs that you can place, and you

26
00:01:50,220 --> 00:01:57,210
will have secrets placed in here, so you can set for example API key and then you would have the secret

27
00:01:57,210 --> 00:02:00,180
value of the API key.

28
00:02:00,330 --> 00:02:00,680
Right.

29
00:02:00,720 --> 00:02:02,430
And this would be your key-value pair.

30
00:02:02,460 --> 00:02:05,640
But you could have multiple ones; you can store not just one API key.

31
00:02:05,640 --> 00:02:12,410
You could store for example a secret key for the API and you have a second value.

32
00:02:12,490 --> 00:02:13,580
A second secret value.

33
00:02:13,590 --> 00:02:13,860
Right.

34
00:02:14,250 --> 00:02:16,850
So you're really free to have as many key-value pairs as you want.

35
00:02:16,860 --> 00:02:21,480
And that's also a little bit of a difference versus something like Parameter Store.

36
00:02:21,480 --> 00:02:25,860
So you can do this as secret key-value pairs, or you can also do it in plaintext as

37
00:02:25,930 --> 00:02:29,070
JSON. So this would be a way to copy and paste

38
00:02:29,070 --> 00:02:34,620
JSON, if you prefer this to entering things manually in this UI. Then you select the encryption key.
39
00:02:35,010 --> 00:02:38,580
So do you want a default encryption key, or do you want to use a KMS key that you have created, and

40
00:02:38,580 --> 00:02:44,460
so on, to encrypt these secrets. So I'll use my KMS key for example, and then I'll click on Next.

41
00:02:44,460 --> 00:02:53,010
Then you need to give your secret a name, so I'll call it prod my secret API, and then you can

42
00:02:53,010 --> 00:02:58,530
have a description and you can have tags, and then you click on Next, and then here we can configure automatic

43
00:02:58,680 --> 00:03:00,470
or not automatic rotation.

44
00:03:00,480 --> 00:03:06,270
So that means that if you have automatic rotation, your secrets will be rotated automatically.

45
00:03:06,270 --> 00:03:11,880
And so that means that for example here I can say every 60 days I want you to rotate my secret.

46
00:03:11,880 --> 00:03:15,330
You can have a custom value if you want, the max being 1 year.

47
00:03:15,450 --> 00:03:19,980
And so that means that after 60 days there will be a Lambda function that will be invoked.

48
00:03:19,980 --> 00:03:26,160
And so you need to create that Lambda function, and that Lambda function needs to have the role to

49
00:03:26,160 --> 00:03:27,280
rotate that secret.

50
00:03:27,330 --> 00:03:33,300
So that means for example generating a new username, or refreshing the API key credentials with a third

51
00:03:33,300 --> 00:03:33,900
party.

52
00:03:33,900 --> 00:03:36,350
And so you're free to do whatever you want with your Lambda functions.

53
00:03:36,420 --> 00:03:42,900
But the idea is that after 60 days it will be invoked automatically by Secrets Manager to rotate the

54
00:03:42,900 --> 00:03:48,210
secrets we have just stored, and that makes it a really powerful secret management solution.

55
00:03:48,690 --> 00:03:52,440
So right now I'll disable the automatic rotation and click on Next.
56
00:03:52,440 --> 00:03:58,110
And so we're good to go, and we can have simple code in any of the languages we commonly use to

57
00:03:58,110 --> 00:04:00,150
retrieve that secret, for example with Python.

58
00:04:00,270 --> 00:04:05,490
If we look at it there is a get_secret function and you pass in the secret name and the region name, and

59
00:04:05,490 --> 00:04:12,180
then you just initiate a client to do API calls, and then to get the value you do client.get_secret_value,

60
00:04:12,180 --> 00:04:16,950
where you pass in the SecretId, which is the secret name, and then you get the response,

61
00:04:17,280 --> 00:04:22,230
and in the response you can just look at the keys that you need, for example in the key-value pair

62
00:04:22,230 --> 00:04:28,260
we had, and here SecretString is the value of the key you want to retrieve, and that's very,

63
00:04:28,260 --> 00:04:31,050
fairly simple, and you have this for whatever language you use.

64
00:04:31,050 --> 00:04:34,690
So if you're more of a Go person, here's Go, JavaScript, Java and so on.

65
00:04:34,730 --> 00:04:35,350
OK.

66
00:04:35,460 --> 00:04:39,540
And that's as easy as it is to use Secrets Manager.

67
00:04:39,570 --> 00:04:42,650
And so this is just a normal key-value pair of secrets.

68
00:04:42,670 --> 00:04:44,990
And let me just show you how to do an RDS database.

69
00:04:45,090 --> 00:04:50,550
So I'll call this admin and then super secret password, and then we would encrypt those as well.

70
00:04:51,180 --> 00:04:56,940
And similarly you can also link this to an RDS database that the secret will access.

71
00:04:56,940 --> 00:05:03,270
So the idea is that with these special integrations with RDS or Redshift or DocumentDB you would have

72
00:05:03,270 --> 00:05:06,120
to select a database to integrate this with.
73
00:05:06,120 --> 00:05:10,980
So that makes it a little bit more powerful, because now Secrets Manager will hold the value of

74
00:05:10,980 --> 00:05:12,720
the username and password.

75
00:05:12,750 --> 00:05:18,720
But on top of it, it will also set these values on the linked RDS database automatically.

76
00:05:18,720 --> 00:05:23,910
And you can also enable rotation as well to make sure that the secret rotates every so often.

77
00:05:23,910 --> 00:05:27,870
So this one is just to show you this, but you are not going to create an RDS database just for

78
00:05:27,870 --> 00:05:31,460
the sake of linking the secrets to it, but you get the idea.

79
00:05:31,530 --> 00:05:34,450
So that's it in a nutshell for Secrets Manager.

80
00:05:34,650 --> 00:05:39,330
When you're done you can just delete that secret and you'll be good to go, and you can have a waiting

81
00:05:39,330 --> 00:05:44,550
period as well just to make sure that it doesn't get deleted hastily.

82
00:05:44,580 --> 00:05:45,920
So that's it for this lecture.

83
00:05:45,930 --> 00:05:46,610
I hope you liked it.

84
00:05:46,710 --> 00:05:48,180
And then we'll see you in the next lecture.
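As an added example (not the lecture's code and not AWS's console sample), here is a Python version of the retrieval the lecture describes: a client.get_secret_value(SecretId=...) call, a check for SecretString versus SecretBinary in the response, and parsing of the JSON key-value pairs into a dict. It goes a little beyond the lecture: values are cached for a short TTL so runtime reads do not each cost an API call (and a rotated value is still picked up once the TTL expires), and a secret that is not JSON is handled rather than crashing. The secret names, their values and the FakeSecretsManager stand-in are constructed for this example; real_client() builds the boto3 client you would pass in an AWS environment.

```python
"""Retrieve a Secrets Manager secret at runtime and parse its key-value pairs.

Added example, not the lecture's or AWS's sample code. The client is passed in
so the logic can run offline against a constructed stand-in; in real use pass
the object returned by real_client(region_name).
"""
import json
import time
from typing import Any, Callable, Dict, Tuple


def parse_secret_value(response: Dict[str, Any]) -> Dict[str, str]:
    """Turn a GetSecretValue response into a flat dict of key-value pairs.

    Secrets Manager returns either SecretString (text/JSON secrets) or
    SecretBinary (boto3 hands this back as raw bytes), so check which is present.
    A secret that is not a JSON object is exposed under a single "plaintext" key.
    """
    if "SecretString" in response:
        raw = response["SecretString"]
    elif "SecretBinary" in response:
        raw = response["SecretBinary"].decode("utf-8")
    else:
        raise ValueError("response contains neither SecretString nor SecretBinary")
    try:
        data = json.loads(raw)
    except json.JSONDecodeError:
        return {"plaintext": raw}
    if not isinstance(data, dict):
        return {"plaintext": raw}
    return {str(k): str(v) for k, v in data.items()}


class SecretReader:
    """Fetch secrets via GetSecretValue and cache them for a short TTL.

    Caching keeps API-call costs down (calls are billed per 10,000), while the
    TTL makes sure a rotated value is picked up within ttl_seconds.
    """

    def __init__(self, client: Any, ttl_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._client = client
        self._ttl = ttl_seconds
        self._clock = clock
        self._cache: Dict[str, Tuple[float, Dict[str, str]]] = {}  # name -> (expiry, values)

    def get_secret(self, secret_name: str) -> Dict[str, str]:
        now = self._clock()
        cached = self._cache.get(secret_name)
        if cached is not None and cached[0] > now:
            return dict(cached[1])
        response = self._client.get_secret_value(SecretId=secret_name)
        values = parse_secret_value(response)
        self._cache[secret_name] = (now + self._ttl, values)
        return dict(values)

    def get_key(self, secret_name: str, key: str) -> str:
        """Return one value; the error names the key, never the secret's contents."""
        values = self.get_secret(secret_name)
        if key not in values:
            raise KeyError(f"secret {secret_name!r} has no key {key!r}")
        return values[key]


def real_client(region_name: str) -> Any:
    """Build the boto3 client for an AWS environment (imported lazily so the
    parsing and caching logic above can be exercised without boto3 installed)."""
    import boto3
    return boto3.client(service_name="secretsmanager", region_name=region_name)


class FakeSecretsManager:
    """Constructed stand-in for the boto3 client with canned GetSecretValue responses."""

    def __init__(self, responses: Dict[str, Dict[str, Any]]) -> None:
        self._responses = responses
        self.calls = 0

    def get_secret_value(self, SecretId: str) -> Dict[str, Any]:
        self.calls += 1
        return dict(self._responses[SecretId])


# Constructed sample data mirroring the lecture: an "other type" API-key secret,
# RDS-style credentials (stored as binary), and a non-JSON plaintext secret.
SAMPLE_RESPONSES = {
    "prod/my-secret-api": {"SecretString": json.dumps(
        {"API_KEY": "example-api-key", "SECRET_KEY": "example-secret-key"})},
    "prod/my-rds": {"SecretBinary": json.dumps(
        {"username": "admin", "password": "super-secret-password"}).encode("utf-8")},
    "prod/plain": {"SecretString": "just-a-token"},
}


def demo() -> Dict[str, Any]:
    """Walk through a cache hit, cache expiry and the three secret shapes."""
    ticks = [0.0]
    fake = FakeSecretsManager(SAMPLE_RESPONSES)
    reader = SecretReader(fake, ttl_seconds=60.0, clock=lambda: ticks[0])
    api_key = reader.get_key("prod/my-secret-api", "API_KEY")
    reader.get_key("prod/my-secret-api", "SECRET_KEY")  # served from cache, no API call
    calls_after_cache_hit = fake.calls
    ticks[0] = 61.0  # past the TTL: the next read refreshes from the service
    reader.get_secret("prod/my-secret-api")
    return {
        "api_key": api_key,
        "calls_after_cache_hit": calls_after_cache_hit,
        "calls_after_expiry": fake.calls,
        "rds_user": reader.get_key("prod/my-rds", "username"),
        "plain": reader.get_secret("prod/plain"),
    }


if __name__ == "__main__":
    print(demo())
```

Pick the TTL to match how quickly a rotated credential must be adopted: a 60-day rotation schedule tolerates a cache of a few minutes, but a value read once at process start and never refreshed will break on the first rotation.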