The AWS Advanced Go Wrapper supports usage of database credentials stored as secrets in the AWS Secrets Manager through the AWS Secrets Manager Plugin. When you create a new connection with this plugin enabled, the plugin will retrieve the secret and the connection will be created with the credentials inside that secret.
This plugin requires:
- Valid AWS Secrets Manager credentials
- github.com/aws/aws-advanced-go-wrapper/aws-secrets-manager to be a dependency in the project
  - This can be accomplished by running `go get github.com/aws/aws-advanced-go-wrapper/aws-secrets-manager` in the same directory as the intended `go.mod` file.

When the aws-secrets-manager module is added as a dependency, the required AWS modules will also be added as indirect dependencies.
To enable the AWS Secrets Manager Plugin, add the plugin code awsSecretsManager to the plugins value. Then specify the required parameters.
> **Warning**
> The plugins value should not contain more than one of the following codes: awsSecretsManager, federatedAuth, iam, and okta, as each connection should use only one method of authentication.
The following properties are required for the AWS Secrets Manager Plugin to retrieve database credentials from the AWS Secrets Manager.
| Parameter | Value | Required | Description | Example | Default Value |
|---|---|---|---|---|---|
| secretsManagerSecretId | String | Yes | Set this value to be the secret name or the secret ARN. | secretId | nil |
| secretsManagerRegion | String | Yes, unless the secretsManagerSecretId is a Secret ARN. | Set this value to be the region your secret is in. | us-east-2 | nil |
| secretsManagerEndpoint | String | No | Set this value to be the endpoint override to retrieve your secret from. This parameter value should be in the form of a URL, with a valid protocol (ex. http://) and domain (ex. localhost). A port number is not required. | http://localhost:1234 | nil |
| secretsManagerExpirationSec | Integer | No | This property sets the time in seconds that secrets are cached before they are re-fetched. | 600 | 870 |
| secretsManagerSecretUsernameProperty | String | No | Set this value to be the key in the JSON secret that contains the username for the database connection. | db_user | username |
| secretsManagerSecretPasswordProperty | String | No | Set this value to be the key in the JSON secret that contains the password for the database connection. | db_pass | password |
> **Note**
> A Secret ARN has the following format: arn:aws:secretsmanager:<Region>:<AccountId>:secret:SecretName-6RandomCharacters.

The secret stored in the AWS Secrets Manager should be a JSON object containing the properties username and password. If the secret contains different key names, you can specify them with the secretsManagerSecretUsernameProperty and secretsManagerSecretPasswordProperty parameters.
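The two rules above, that secretsManagerRegion is only optional when the secret id is an ARN in the format from the Note, and that the username and password keys in the secret JSON can be overridden, as an added Go illustration (this is not the wrapper's own code; the Config struct, ResolveRegion and Credentials are assumed names for demonstration):

```go
package main

import (
	"encoding/json"
	"errors"
	"regexp"
)

// Config holds the plugin parameters from the table above (illustrative struct, not the wrapper's own type).
type Config struct {
	SecretID, Region, UsernameKey, PasswordKey string
}
// Secret ARN format from the Note: arn:aws:secretsmanager:<Region>:<AccountId>:secret:SecretName-6RandomCharacters
// (only the region segment is captured; the name suffix is not validated here).
var arnRe = regexp.MustCompile(`^arn:aws:secretsmanager:([a-z0-9-]+):\d{12}:secret:.+$`)

// ResolveRegion applies the table's rule: secretsManagerRegion is required unless
// secretsManagerSecretId is an ARN, in which case the region is taken from the ARN.
func ResolveRegion(c Config) (string, error) {
	if m := arnRe.FindStringSubmatch(c.SecretID); m != nil {
		return m[1], nil
	}
	if c.Region == "" {
		return "", errors.New("secretsManagerRegion is required when secretsManagerSecretId is not an ARN")
	}
	return c.Region, nil
}

func orDefault(v, d string) string {
	if v == "" {
		return d
	}
	return v
}

// Credentials pulls the username and password out of the secret's JSON payload, honouring the
// secretsManagerSecretUsernameProperty / secretsManagerSecretPasswordProperty overrides.
func Credentials(secretJSON string, c Config) (user, pass string, err error) {
	uk, pk := orDefault(c.UsernameKey, "username"), orDefault(c.PasswordKey, "password")
	var m map[string]any // secrets often carry non-string fields (port, etc.), so decode loosely
	if err := json.Unmarshal([]byte(secretJSON), &m); err != nil {
		return "", "", err
	}
	user, _ = m[uk].(string)
	pass, _ = m[pk].(string)
	if user == "" || pass == "" {
		return "", "", errors.New("secret has no string " + uk + " or " + pk + " key")
	}
	return user, pass, nil
}
```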