Secret management is a critical part of your application security and should be taken seriously.

Local secrets are defined in the worspace/secrets directory which is excluded from version control (see .gitignore). Its contents should be handled with the same security as passwords.

Production secrets are managed by AWS Secrets Manager.

Incase you’re missing the secrets dir, copy workspace/example_secrets

Development Secrets

Apps running locally can read secrets using a yaml file, for example:

dev_resources.py
dev_fastapi = FastApi(
    ...
    # Read secrets from secrets/dev_app_secrets.yml
    secrets_file=ws_settings.ws_root.joinpath("workspace/secrets/dev_app_secrets.yml"),
)

Production Secrets

AWS Secrets are used to manage production secrets, which are read by the production apps.

prd_resources.py
# -*- Secrets for production application
prd_secret = SecretsManager(
    ...
    # Create secret from workspace/secrets/prd_app_secrets.yml
    secret_files=[
        ws_settings.ws_root.joinpath("workspace/secrets/prd_app_secrets.yml")
    ],
)

# -*- Secrets for production database
prd_db_secret = SecretsManager(
    ...
    # Create secret from workspace/secrets/prd_db_secrets.yml
    secret_files=[ws_settings.ws_root.joinpath("workspace/secrets/prd_db_secrets.yml")],
)

Read the secret in production apps using:

prd_fastapi = FastApi(
    ...
    aws_secrets=[prd_secret],
    ...
)

Production resources can also read secrets using yaml files but we highly recommend using AWS Secrets.