Managing Secrets

Local secrets are defined in the workspace/secrets folder and production secrets are managed by AWS Secrets Manager. This directory is excluded from version control (see .gitignore) and its contents should be handled with the same care as passwords: .gitignore only stops the files from being committed, it does nothing for a copy made elsewhere, so keep the folder readable only by you and never paste its contents into tickets or chat.

Development Secrets

Apps running locally read their secrets from a YAML file in that folder, for example:

dev_fastapi = FastApiServer(
    ...
    # Read secrets from workspace/secrets/dev_app_secrets.yml
    secrets_file=ws_settings.ws_root.joinpath("workspace/secrets/dev_app_secrets.yml"),
)

Production Secrets

For production we create SecretsManager resources that hold the secrets; the Apps then reference those resources instead of a local file. The resource is created from the same kind of YAML file:

prd_api_secret = SecretsManager(
    ...
    # Create secret from workspace/secrets/prd_api_secrets.yml
    secret_files=[ws_settings.ws_root.joinpath("workspace/secrets/prd_api_secrets.yml")],
)

Reference the resource from an App like this:

prd_fastapi = FastApiServer(
    ...
    aws_secrets=[prd_api_secret],
    ...
    # Uncomment to read secrets from workspace/secrets/prd_api_secrets.yml instead
    # secrets_file=ws_settings.ws_root.joinpath("workspace/secrets/prd_api_secrets.yml"),
)

Production Apps can also read secrets from the local file (the commented-out secrets_file line above), but we recommend AWS Secrets Manager, so that the running App fetches the values from AWS at runtime rather than shipping them in a file.
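The two sections above use the same kind of file in two ways: read directly by a local App, and loaded into a SecretsManager resource for production. The following is an added example, not code from this page or from the project it describes, that checks a secrets file before either use: that its folder is listed in the workspace .gitignore, that the file is readable only by its owner, and that its contents are a flat ENV_VAR_NAME: value mapping; it then serializes the mapping as the JSON key/value SecretString that AWS Secrets Manager stores. The flat-mapping assumption, the sample file contents, and the helper names (parse_flat_secrets, check_secrets_file, load_secrets, to_secret_string, build_demo_workspace) are the example's own, not the project's.

```python
"""Added example, not the project's own code: sanity-check a workspace/secrets YAML
file before an App reads it locally or it is pushed to AWS Secrets Manager.
Assumptions not stated on the page: a secrets file is a flat YAML mapping of
ENV_VAR_NAME: value, one entry per line, and Secrets Manager stores it as a
JSON key/value SecretString. The parser handles only that flat format."""
import json
import os
import re
import stat
import tempfile
from pathlib import Path

# Secret keys become environment variables in the App, so they must be valid names.
_KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Constructed sample file contents; these are not real credentials.
SAMPLE_SECRETS_YML = """\
# dev_app_secrets.yml (constructed sample)
DB_USER: app
DB_PASS: "p#ss:w0rd"
API_KEY: sk-example-0000
"""

def parse_flat_secrets(text: str) -> dict:
    """Parse KEY: value lines. Blank lines and full-line comments are skipped; an
    inline '#' is kept because it is often part of a password. Nesting, duplicate
    keys and keys that are not valid env var names are rejected, not guessed at."""
    secrets = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            raise ValueError(f"line {lineno}: indented/nested entries are not supported")
        key, sep, value = raw.partition(":")  # first ':' only, so URL values survive
        key, value = key.strip(), value.strip()
        if not sep or not _KEY_RE.match(key):
            raise ValueError(f"line {lineno}: expected ENV_VAR_NAME: value")
        if key in secrets:
            raise ValueError(f"line {lineno}: duplicate key {key!r}")
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # unquote a quoted scalar
        secrets[key] = value
    return secrets

def _listed_in_gitignore(ws_root: Path, rel_dir: str) -> bool:
    """Simplified check (not full gitignore semantics): the directory or its
    basename appears as its own entry in the workspace .gitignore."""
    gitignore = ws_root / ".gitignore"
    if not gitignore.is_file():
        return False
    wanted = {rel_dir, rel_dir.rsplit("/", 1)[-1]}
    for line in gitignore.read_text().splitlines():
        entry = line.strip()
        if entry and not entry.startswith("#") and entry.strip("/").split("/*")[0] in wanted:
            return True
    return False

def check_secrets_file(path: Path, ws_root: Path) -> list:
    """Return the problems found; an empty list means the file is safe to use."""
    try:
        rel_dir = path.parent.resolve().relative_to(ws_root.resolve()).as_posix()
    except ValueError:
        return [f"{path} is outside the workspace root {ws_root}"]
    problems = []
    if not _listed_in_gitignore(ws_root, rel_dir):
        problems.append(f"{rel_dir} is not listed in {ws_root / '.gitignore'}")
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & 0o077:  # any group/other permission bit set
        problems.append(f"{path.name} has mode {mode:04o}; use 0600")
    return problems

def load_secrets(path: Path, ws_root: Path) -> dict:
    """Refuse to load a secrets file that fails the checks above."""
    problems = check_secrets_file(path, ws_root)
    if problems:
        raise PermissionError("; ".join(problems))
    return parse_flat_secrets(path.read_text())

def to_secret_string(secrets: dict) -> str:
    """JSON key/value document to pass as SecretString when creating the AWS secret,
    e.g. boto3.client("secretsmanager").create_secret(Name=..., SecretString=...)."""
    return json.dumps(secrets, sort_keys=True, separators=(",", ":"))

def build_demo_workspace() -> tuple:
    """Constructed throwaway workspace with .gitignore and workspace/secrets/dev_app_secrets.yml."""
    ws_root = Path(tempfile.mkdtemp())
    (ws_root / ".gitignore").write_text("__pycache__/\nworkspace/secrets\n")
    secrets_dir = ws_root / "workspace" / "secrets"
    secrets_dir.mkdir(parents=True)
    secrets_file = secrets_dir / "dev_app_secrets.yml"
    secrets_file.write_text(SAMPLE_SECRETS_YML)
    os.chmod(secrets_file, 0o600)
    return ws_root, secrets_file

if __name__ == "__main__":
    root, f = build_demo_workspace()
    print("problems:", check_secrets_file(f, root) or "none")
    print("keys:", sorted(load_secrets(f, root)))  # log key names only, never values
```

The gitignore test is a plain string match on the file's entries; in a real checkout run `git check-ignore -v workspace/secrets/dev_app_secrets.yml` for the authoritative answer. The permission check is Unix-oriented (mode bits are not meaningful on Windows), and the boto3 `create_secret` call mentioned in to_secret_string is not made by this offline example.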