How to use AWS Secrets Manager with Node.js

Amazon Web Services (AWS) Secrets Manager is a secrets management service that helps you protect access to your applications, services, and IT resources. With Secrets Manager, you can securely store, rotate, and manage access to secrets such as database credentials, API keys, and other sensitive information.

Secrets Manager uses AWS Key Management Service (KMS) to encrypt and secure your secrets and provides a central location for managing the secrets used by your applications and services. Secrets Manager enables you to easily rotate secrets on a predetermined schedule so that you can regularly update the secrets used by your applications and services to help ensure the security of your system.

Secrets Manager also integrates with other AWS services, such as AWS Identity and Access Management (IAM), to help you control access to your secrets and manage the permissions of users and applications that need to use them.

Overall, Secrets Manager helps you to securely store and manage access to sensitive information, and enables you to easily rotate secrets on a regular basis to help maintain the security of your system.

Using Secrets Manager in your Node.js project

To use AWS Secrets Manager with Node.js, you will need to install the AWS SDK for JavaScript (the aws-sdk package), which you can do using the following command:

npm install aws-sdk

Once you have installed the AWS SDK, you can use it to access Secrets Manager in your Node.js application. Here is an example of how you might retrieve a secret from Secrets Manager and use it in your application:

const AWS = require('aws-sdk');

// Set the region
AWS.config.update({region: 'REGION'});

// Create a Secrets Manager client
const client = new AWS.SecretsManager();

// Set the secret name and version stage
const secretName = 'SECRET_NAME';
const versionStage = 'AWSCURRENT';

// Retrieve the secret value
client.getSecretValue({SecretId: secretName, VersionStage: versionStage}, function(err, data) {
  if (err) {
    if (err.code === 'DecryptionFailureException') {
      // Secrets Manager can't decrypt the protected secret text using the provided KMS key.
      // Deal with the exception here, and/or rethrow at your discretion.
      throw err;
    } else if (err.code === 'InternalServiceErrorException') {
      // An error occurred on the server side.
      // Deal with the exception here, and/or rethrow at your discretion.
      throw err;
    } else if (err.code === 'InvalidParameterException') {
      // You provided an invalid value for a parameter.
      // Deal with the exception here, and/or rethrow at your discretion.
      throw err;
    } else if (err.code === 'InvalidRequestException') {
      // You provided a parameter value that is not valid for the current state of the resource.
      // Deal with the exception here, and/or rethrow at your discretion.
      throw err;
    } else if (err.code === 'ResourceNotFoundException') {
      // We can't find the resource that you asked for.
      // Deal with the exception here, and/or rethrow at your discretion.
      throw err;
    } else {
      // Any other error (throttling, missing permissions, network) is rethrown as well.
      throw err;
    }
  } else {
    // Secrets Manager has already decrypted the value using the associated KMS key.
    // Depending on whether the secret is a string or binary, one of these fields will be populated.
    if ('SecretString' in data) {
      const secret = data.SecretString;
      // Store the secret in the process environment
      process.env.SECRET_NAME = secret;
    } else {
      // Buffer.from replaces the deprecated new Buffer(...) constructor.
      const buff = Buffer.from(data.SecretBinary, 'base64');
      const decodedBinarySecret = buff.toString('ascii');
      // Store the secret in the process environment
      process.env.SECRET_NAME = decodedBinarySecret;
    }
  }
});

Replace REGION and SECRET_NAME with the appropriate values for your setup.
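The callback example above works, but in a real service you usually want a promise-based loader that decodes both secret kinds, parses the JSON credential documents Secrets Manager commonly stores, and caches the result for a bounded time so rotated secrets are picked up without an API call per request. The following is an added example, not code from the original post or from AWS. It keeps the aws-sdk v2 call shape used on the page (getSecretValue(...).promise()); the names decodeSecretValue, SecretCache, loadSecret and fakeSecretsManager are this example's own, and the fake client plus SAMPLE_STORE are constructed stand-ins so the file runs offline. If you start a new project, the maintained SDK is v3 (@aws-sdk/client-secrets-manager), whose client returns promises directly; the decoding and caching logic is the same.

```javascript
// Added example (not from the original post): promise-based retrieval with
// SecretString / SecretBinary decoding, JSON parsing and a TTL cache.
// Assumes the aws-sdk v2 client API; everything else here is constructed.

// Decode one getSecretValue response. Returns a Buffer for binary secrets,
// a parsed object for JSON string secrets, and the raw string otherwise.
function decodeSecretValue(data) {
  if (typeof data.SecretString === 'string') {
    const text = data.SecretString;
    const trimmed = text.trim();
    // Only attempt JSON for object/array payloads, so a plain secret such as
    // "12345" is not silently turned into a number.
    if (trimmed.startsWith('{') || trimmed.startsWith('[')) {
      try { return JSON.parse(trimmed); } catch (e) { /* not JSON: fall through */ }
    }
    return text;
  }
  if (data.SecretBinary !== undefined) {
    // SDK v2 may hand SecretBinary back as a Buffer/Uint8Array or as a base64
    // string. Buffer.from replaces the deprecated new Buffer(...) constructor.
    return data.SecretBinary instanceof Uint8Array
      ? Buffer.from(data.SecretBinary)
      : Buffer.from(data.SecretBinary, 'base64');
  }
  throw new Error('getSecretValue response carried neither SecretString nor SecretBinary');
}

// Small TTL cache keyed by secret id. A bounded TTL means a rotated secret is
// picked up without restarting the process while avoiding a call per request.
// `now` is injectable so expiry can be tested deterministically.
class SecretCache {
  constructor({ ttlMs = 5 * 60 * 1000, now = Date.now } = {}) {
    this.ttlMs = ttlMs;
    this.now = now;
    this.entries = new Map();
  }
  get(secretId) {
    const entry = this.entries.get(secretId);
    if (!entry) return undefined;
    if (entry.expiresAt <= this.now()) { this.entries.delete(secretId); return undefined; }
    return entry.value;
  }
  set(secretId, value) {
    this.entries.set(secretId, { value, expiresAt: this.now() + this.ttlMs });
    return value;
  }
}

// Fetch a secret through the cache. Without VersionId/VersionStage, Secrets
// Manager returns the AWSCURRENT version. The value is handed back to the
// caller instead of being copied into process.env: environment variables are
// inherited by child processes and appear in diagnostics, widening exposure.
async function loadSecret(client, secretId, cache) {
  const cached = cache.get(secretId);
  if (cached !== undefined) return cached;
  const data = await client.getSecretValue({ SecretId: secretId }).promise();
  return cache.set(secretId, decodeSecretValue(data));
}

// Production wiring (not executed here): build the real SDK client.
function secretsManagerClient(region) {
  const AWS = require('aws-sdk'); // loaded lazily so this file runs without the SDK installed
  return new AWS.SecretsManager({ region });
}

// Constructed fake with the same call shape as the SDK client, for offline use.
function fakeSecretsManager(store) {
  return {
    getSecretValue(params) {
      return {
        promise: async () => {
          const entry = store[params.SecretId];
          if (!entry) {
            const err = new Error("Secrets Manager can't find the specified secret.");
            err.code = 'ResourceNotFoundException'; // same code the page's example checks
            throw err;
          }
          return { Name: params.SecretId, VersionStages: ['AWSCURRENT'], ...entry };
        },
      };
    },
  };
}

// Constructed sample data: one JSON credential secret and one binary secret.
const SAMPLE_STORE = {
  'prod/db/credentials': { SecretString: '{"username":"app","password":"constructed-example"}' },
  'prod/signing-key': { SecretBinary: Buffer.from('not-a-real-key').toString('base64') },
};

if (typeof require !== 'undefined' && require.main === module) {
  const cache = new SecretCache();
  const client = fakeSecretsManager(SAMPLE_STORE);
  loadSecret(client, 'prod/db/credentials', cache)
    .then((creds) => { console.log('db user:', creds.username); return loadSecret(client, 'prod/signing-key', cache); })
    .then((key) => console.log('signing key bytes:', key.length))
    .catch((err) => { console.error(err.code || err.message); process.exitCode = 1; });
}
```

To use it for real, replace fakeSecretsManager(SAMPLE_STORE) with secretsManagerClient('REGION') and pass your secret name; keep the cache instance module-wide so every request shares it.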

You will also need to grant the IAM principal (user or role) that your application runs as the appropriate permissions on Secrets Manager. For example, it needs the secretsmanager:GetSecretValue permission to retrieve a secret, and that permission should be scoped to the specific secrets the application reads rather than to all secrets in the account.
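An added example of such a least-privilege policy (not from the original post): it allows only GetSecretValue on one secret. REGION and SECRET_NAME are the page's placeholders and ACCOUNT_ID is a placeholder for your account number. The trailing -* is needed because Secrets Manager appends six random characters to the secret name when it builds the ARN. If the secret is encrypted with a customer managed KMS key rather than the AWS managed key aws/secretsmanager, the same principal also needs kms:Decrypt on that key.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOneSecret",
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:REGION:ACCOUNT_ID:secret:SECRET_NAME-*"
    }
  ]
}
```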

Hope this helps!