Managing Secrets
Local secrets are defined in the workspace/secrets folder and production secrets are managed by AWS Secrets Manager. The workspace/secrets directory is excluded from version control (see .gitignore) and its contents should be handled with the same security as passwords.
In case you're missing the secrets dir, copy workspace/example_secrets.
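A check for the two properties stated above, written as an added example and not part of the project's own code: it reports secret files that git tracks or does not ignore, and files that group or other users can access. It assumes a POSIX file system and the git CLI on PATH; the function names are hypothetical.

```python
import stat
import subprocess
from pathlib import Path

SECRETS_REL = "workspace/secrets"  # directory named on this page


def loose_permissions(secrets_dir):
    """Secret files that group or other users can access (POSIX modes)."""
    return sorted(
        str(p) for p in Path(secrets_dir).rglob("*")
        if p.is_file() and stat.S_IMODE(p.stat().st_mode) & 0o077
    )


def _git(repo_root, *args):
    """Run git inside repo_root and return the completed process."""
    return subprocess.run(
        ["git", "-C", str(repo_root), *args],
        capture_output=True, text=True, check=False,
    )


def git_exposure(repo_root, secrets_rel=SECRETS_REL):
    """Return (tracked, unignored) secret files, relative to repo_root."""
    root = Path(repo_root)
    # Files already in the index stay tracked even after a .gitignore rule is added.
    tracked = sorted(_git(root, "ls-files", "--", secrets_rel).stdout.splitlines())
    unignored = []
    for p in sorted((root / secrets_rel).rglob("*")):
        rel = p.relative_to(root).as_posix()
        if not p.is_file() or rel in tracked:
            continue
        # check-ignore exits 0 only when an ignore rule matches the path.
        if _git(root, "check-ignore", "-q", "--", rel).returncode != 0:
            unignored.append(rel)
    return tracked, unignored


def audit(repo_root, secrets_rel=SECRETS_REL):
    """Collect findings; an empty list means every check passed."""
    tracked, unignored = git_exposure(repo_root, secrets_rel)
    findings = [f"tracked by git: {f}" for f in tracked]
    findings += [f"not ignored by git: {f}" for f in unignored]
    findings += [f"readable by group/other: {f}"
                 for f in loose_permissions(Path(repo_root) / secrets_rel)]
    return findings
```

A file reported as tracked needs `git rm --cached` and, if it was ever pushed, rotation of the secrets it holds, because the .gitignore entry does not remove it from history.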
Development Secrets
Apps running locally can read secrets using a YAML file, for example:
dev_fastapi = FastApiServer(
    ...
    # Read secrets from secrets/dev_app_secrets.yml
    secrets_file=ws_settings.ws_root.joinpath("workspace/secrets/dev_app_secrets.yml"),
)
Production Secrets
We create SecretsManager resources to hold production secrets which are then used by the Apps.
prd_api_secret = SecretsManager(
    ...
    # Create secret from workspace/secrets/prd_api_secrets.yml
    secret_files=[ws_settings.ws_root.joinpath("workspace/secrets/prd_api_secrets.yml")],
)
Use these in Apps like:
prd_fastapi = FastApiServer(
    ...
    aws_secrets=[prd_api_secret],
    ...
    # Uncomment to read secrets from secrets/prd_api_secrets.yml
    # secrets_file=ws_settings.ws_root.joinpath("workspace/secrets/prd_api_secrets.yml"),
)
Production applications can also read secrets from the local files, but we recommend using AWS Secrets Manager.