Global Secrets Management with AWS Secrets Manager

Managing API keys, database credentials, and third-party tokens securely is a critical DevOps responsibility. Storing plaintext secrets in environment variables or configuration files exposes your infrastructure to catastrophic breaches if the source code is compromised.

AWS Secrets Manager offers a centralized, highly secure vault for your sensitive data. Beyond simple storage, it features native integration with RDS for automatic password rotation, cross-region replication for global architectures, and fine-grained access control via IAM. It ensures your applications retrieve secrets dynamically at runtime.

When building multi-region architectures, replicating your secrets ensures high availability and low latency for localized microservices. In Terraform, you can define a secret and configure a replication block to instantly mirror the credentials to secondary regions. Here is the configuration to establish a globally available secret.

resource "aws_secretsmanager_secret" "db_credentials" {
  name        = "prod/database/credentials"
  description = "Aurora Serverless Master Credentials"

  replica {
    region = "us-west-2"
  }
  
  replica {
    region = "eu-central-1"
  }
}

resource "aws_secretsmanager_secret_version" "db_creds_val" {
  secret_id     = aws_secretsmanager_secret.db_credentials.id
  secret_string = jsonencode({
    username = "admin"
    password = random_password.master.result
  })
}