Is it possible to reference other secrets in AWS Secrets Manager?

I have 2 different secrets repositories in AWS Secrets Manager. Let’s call them secrets-A and secrets-B, which are used by 2 different microservices which we’ll call micro-A and micro-B.

micro-A and micro-B both need to access a shared secret value, secret-AB. Right now I am storing secret-AB in both secrets-A and secrets-B.

This is obviously fraught because what happens if we forget to update secret-AB in both secrets-A and secrets-B? micro-A and micro-B would then be out of sync.

Ideally I would like to have a common secret repo, secrets-common that both can pull from, so that perhaps it would look something like:

secrets-common: secret-AB="123456"
secrets-A: secret-AB={{secrets-common.secret-AB}}
secrets-B: secret-AB={{secrets-common.secret-AB}}

Note that micro-A should know nothing about the values in secrets-B and micro-B should know nothing about the values in secrets-A.

I’ve been searching around but not finding anything on how to do this.

>Solution:

AWS Secrets Manager does not work in the way you describe. It's pretty straightforward, actually. To get a secret, you need the secret name. Each microservice can retrieve the value by referencing the name.

For example, assuming you are using Java to get the value of a specific secret, the call looks like:

import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueResponse;
import software.amazon.awssdk.services.secretsmanager.model.SecretsManagerException;

// Fetches one secret by name (or ARN) with the AWS SDK for Java v2 and prints it.
public static void getValue(SecretsManagerClient secretsClient, String secretName) {
    try {
        // secretId accepts either the friendly name or the full ARN of the secret.
        GetSecretValueRequest valueRequest = GetSecretValueRequest.builder()
            .secretId(secretName)
            .build();

        GetSecretValueResponse valueResponse = secretsClient.getSecretValue(valueRequest);
        // secretString() is null for binary secrets; use secretBinary() for those.
        String secret = valueResponse.secretString();
        System.out.println(secret);

    } catch (SecretsManagerException e) {
        // e.g. ResourceNotFoundException or AccessDeniedException from IAM
        System.err.println(e.awsErrorDetails().errorMessage());
        System.exit(1);
    }
}
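
The layout the question asks for, with a single copy of the shared value: store secret-AB once in secrets-common, have each service read secrets-common plus its own secret, and let each service role's IAM policy deny everything else (Secrets Manager has no cross-secret references, so the isolation between micro-A and micro-B comes from IAM, not from the secrets themselves). The following is an added example, not code from the original post; the secret names match the question, while the account, region, ARNs, the JSON layout of the secret values and the offline stand-in client are assumptions.

```python
import json

# Placeholder ARNs (assumed, not from the post). A secret's ARN ends in a
# random 6-character suffix, so the documented pattern is a trailing wildcard.
SECRETS_A_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:secrets-A-*"
SECRETS_B_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:secrets-B-*"
SECRETS_COMMON_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:secrets-common-*"


def least_privilege_policy(own_secret_arn, common_secret_arn):
    """IAM policy document for one microservice's execution role.

    It allows reading the service's own secret and the shared one, nothing
    else. Attached to micro-A's role, this is what keeps micro-A out of
    secrets-B; Secrets Manager itself does no cross-referencing.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["secretsmanager:GetSecretValue"],
                "Resource": [own_secret_arn, common_secret_arn],
            }
        ],
    }


def load_config(client, secret_ids):
    """Fetch each secret (stored as a JSON object) and merge them in order.

    Later secrets override earlier ones, so pass the shared secret first and
    the service-specific one last. ``client`` is a boto3 Secrets Manager
    client (or the offline stand-in below); get_secret_value(SecretId=...)
    is the real boto3 call signature.
    """
    merged = {}
    for secret_id in secret_ids:
        response = client.get_secret_value(SecretId=secret_id)
        merged.update(json.loads(response["SecretString"]))
    return merged


class FakeSecretsClient:
    """Constructed offline stand-in for boto3.client("secretsmanager").

    ``allowed`` mimics the IAM policy above: a request for any other secret
    fails the way a real call would (boto3 raises ClientError with code
    AccessDeniedException; PermissionError stands in for it here).
    """

    def __init__(self, store, allowed):
        self.store = store
        self.allowed = set(allowed)

    def get_secret_value(self, SecretId):
        if SecretId not in self.allowed:
            raise PermissionError(f"AccessDeniedException: {SecretId}")
        return {"SecretString": json.dumps(self.store[SecretId])}


# Constructed sample data: the shared value lives in secrets-common only.
SAMPLE_STORE = {
    "secrets-common": {"secret-AB": "123456"},
    "secrets-A": {"db-password-A": "pw-a"},
    "secrets-B": {"db-password-B": "pw-b"},
}


def micro_a_config():
    """What micro-A sees with a role scoped to secrets-A and secrets-common."""
    client = FakeSecretsClient(SAMPLE_STORE, ["secrets-A", "secrets-common"])
    return load_config(client, ["secrets-common", "secrets-A"])


def micro_a_can_read(secret_id):
    """True if micro-A's scoped client can read secret_id, False if denied."""
    client = FakeSecretsClient(SAMPLE_STORE, ["secrets-A", "secrets-common"])
    try:
        client.get_secret_value(SecretId=secret_id)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    print(json.dumps(least_privilege_policy(SECRETS_A_ARN, SECRETS_COMMON_ARN), indent=2))
    print(micro_a_config())
    print("micro-A can read secrets-B:", micro_a_can_read("secrets-B"))
```

In production, replace FakeSecretsClient with boto3.client("secretsmanager") and attach the policy from least_privilege_policy to each service's role; rotating secret-AB then means updating secrets-common once, and neither service can read the other's secret because its role never had the permission.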
