Pages

Subscribe:

Ads 468x60px

Wednesday, February 27, 2019

AWS Secret Manager - Protect Your Secrets in Applications

Many applications use secrets for various use cases. Using an application ID and Secret key to generate a token or maybe the secret key itself to access APIs, a username and password to create a database connection string to retrieve data from RDS. Maybe there are various security measurements and standards you’ve been enforced by your organization. One thing for sure is not storing passwords in configuration files or hard code them in plain texts. Storing and retrieving those secrets/passwords in a secure manner can be a challenging task and in this post we are going to discuss a more robust solution using AWS services.

You’ll be need a AWS account setup to follow this tutorial. Then log into your AWS console and locate Secrets Manager service under the Security, Identity and Compliance category.  Click on the “Store a new Secret”. You’ll get three options,

 1. Credentials for RDS database
 2. Credentials for other database
 3. Other Type of Secrets.

Option 1 and 2 dedicate for database credentials, We’ll select the “Other type of secrets” option since this post we going to demonstrate a more generalized solution. Now add your secrets to store securely. Use the DefaultEncryptionKey option for the demo purpose.

Hit Next and add a meaningful name for “Secret Name”, we will be using this to retrieve secrets in the application. Other options are optional and you can proceed.


Hit Next and you’ll get an option to enable Automatic rotation of the keys via a lambda function, lets keep the automated key rotation disabled and proceed to next step. Finally you’ll be redirected to the review and create step. Important thing in this step is you’ll get sample code snippets for Java, JavaScript, C#, Python 3, Ruby and Go languages.

Following is a java code snippet generated for our newly created “blog-sample” secret.

// Use this code snippet in your app.
// If you need more information about configurations or implementing the sample code, visit the AWS docs:
// https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/java-dg-samples.html#prerequisites

public static void getSecret() {

    String secretName = "blog-sample";
    String region = "us-east-1";

    // Create a Secrets Manager client
    AWSSecretsManager client  = AWSSecretsManagerClientBuilder.standard()
                                    .withRegion(region)
                                    .build();
    
    // In this sample we only handle the specific exceptions for the 'GetSecretValue' API.
    // See https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
    // We rethrow the exception by default.
    
    String secret, decodedBinarySecret;
    GetSecretValueRequest getSecretValueRequest = new GetSecretValueRequest()
                    .withSecretId(secretName);
    GetSecretValueResult getSecretValueResult = null;

    try {
        getSecretValueResult = client.getSecretValue(getSecretValueRequest);
    } catch (DecryptionFailureException e) {
        // Secrets Manager can't decrypt the protected secret text using the provided KMS key.
        // Deal with the exception here, and/or rethrow at your discretion.
        throw e;
    } catch (InternalServiceErrorException e) {
        // An error occurred on the server side.
        // Deal with the exception here, and/or rethrow at your discretion.
        throw e;
    } catch (InvalidParameterException e) {
        // You provided an invalid value for a parameter.
        // Deal with the exception here, and/or rethrow at your discretion.
        throw e;
    } catch (InvalidRequestException e) {
        // You provided a parameter value that is not valid for the current state of the resource.
        // Deal with the exception here, and/or rethrow at your discretion.
        throw e;
    } catch (ResourceNotFoundException e) {
        // We can't find the resource that you asked for.
        // Deal with the exception here, and/or rethrow at your discretion.
        throw e;
    }

    // Decrypts secret using the associated KMS CMK.
    // Depending on whether the secret is a string or binary, one of these fields will be populated.
    if (getSecretValueResult.getSecretString() != null) {
        secret = getSecretValueResult.getSecretString();
    }
    else {
        decodedBinarySecret = new String(Base64.getDecoder().decode(getSecretValueResult.getSecretBinary()).array());
    }

    // Your code goes here.
}


If you check the code you can see that, it is using the “secretName” and the stored “region” to fetch the secret data.



You can use either the secret name or secret ARN to retrieve the secrets. Now let’s try our sample code in our local environment to access secrets values.
1. To run the sample locally you need to configure the AWS CLI, using [a]

[a]. https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html

2. Add the following maven dependency.
      
            com.amazonaws
            aws-java-sdk-secretsmanager
            1.11.502
       

 3. Build the project using following command
mvn clean install
4. Run the assembly plugin
mvn assembly:single
5. Run the uber jar using following command
java -jar target/aws-secrets-manager-test-1.0-SNAPSHOT-jar-with-dependencies.jar

You’ll get the secret as following in decrypted manner.

Now you learned,how to store secrets using AWS Secrets Manager and retrieve them in your Applications. But there is a catch here, when configuring the AWS CLI tool you have to store the AWS Access Key ID and the AWS Secret Access Key, which is not the best practice to host them in the AWS EC2 servers. If  a server is compromised, the intruder can easily pick your AWS credentials stored in the ~/.aws/credentials file.

Overcome the storing of Secret Keys

In above use-case, we have to hard code AWS credentials, which is not recommended. Let’s spin up a  ec2 instance and copy our sample app and see whether we can access the secrets we stored in the AWS Secrets Manger.

1. Spin up a ec2 t2 micro instance.
2. Then copy the sample application to the new ec2 server.
scp -i ec2.pem ~/code-base/aws-secrets-manager-test/target/aws-secrets-manager-test-1.0-SNAPSHOT-jar-with-dependencies.jar ec2-user@ip-address:/home/ec2-user
3. Install java in your ec2 instance.
    sudo yum install java-1.8.0-openjdk
4. Run the application
java -jar aws-secrets-manager-test-1.0-SNAPSHOT-jar-with-dependencies.jar

You’ll be ended up with the following error.

It complains that you don’t have the AWS-ACCESS_KEY and AWS_SECRET_KEY unable to load AWS credentials.

Overcome the issue using IAM roles.

Now lets create an IAM role so that my ec2 instance can access the AWS Secrets Manager and retrieve the stored secret values.

1. Go to Services -> IAM -> Roles → Create Role.
2. Select type of trusted entity as AWS service
3. Select EC2
4. Hit Next- Permissions.
5. Search for the permission policy “SecretsManagerReadWrite” and select.
6. Hit Next-Tags.
7. Add tags if you need hit Next.
8. Give a role name and hit Create Role.


Note - It would be if you can create a more granualar role, which can only read the AWS Secrets Manager, since the “SecretsManagerReadWrite” policy has more permissions than we required.
Next Goto → Services → EC2 → Instances → Actions → Instance Settings → Attach/Repalce IAM Role



Select the newly created role and apply.

Now let’s try to run our sample application copied to the AWS EC2 instance. You should be able to read the secrets.



So in this post we have discussed an important aspect of storing and retrieving secrets required for you applications. Since as per my experience this has become a chicken and egg problem, when comes to security the secrets and securing the master key which secure those secrets. I think using the Role approach will help to overcome this problem.

Please add your comments/thoughts if you think there are better ways to overcome this :) Sample Code Link

Monday, January 21, 2019

"React, Redux and Saga" Connecting the Dots.

"Viewer discretion advised" This article is written by a person who is very new to front-end programming with react and worked on backend development with number of years ;), and I’m quite fascinated about the UI work recently, since UI libraries are adopting some of the distributing computer theories/features used in middleware applications.

If you have worked with the angular, passing state within components is not as clean as you would have liked. In my personal opinion React handled the situation quite delicately.  Using React-Redux a centralized big static state object share within the whole application and, react-saga, a library which handles the application side effects, e.g. asynchronous actions. In this tutorial, we will build a react application which used the react, redux and saga. 

I will try to explain how the component interaction and state update works by using the sample I prepared for this post. The sample application uses react redux and saga. It is pretty straight forward, What it does is, it has a button which used to fetch all the users from executing a remote API call. See below diagram to simplify the concept behind the sample.


This is the simple workflow theory behind event dispatching, remote data fetching, state changes and propagate that changes to the UI. This cycle continues until the lifecycle of the component ends.

A . Denotes the UI action which resulted in a dispatch event. Below is sample code that fire up a dispatch event with the event name and the data used for the event. In this example we dispatch a UI event, to fetch all the users list. So we dispatch an event which is the type of ‘FETCH_USERS’

const mapDispatchToProps = (dispatch) => {
    return {
        fetchUsers : () => {
            dispatch({
                type: 'FETCH_USERS'
            })
        }};};

B. We have an API call defined to get all user data, from a mockable URL.
When the ‘FETCH_USERS’ event got fired, there is a UserSaga, listening for this type of events, and it will fire up the UserApi.getUsers.(). After receiving the data, it will fire up another event to update the store. See below code snippet in the UserSaga.js file

//Fetching the users list
const response = yield call(UserApi.getUsers);

// Then instructing the middleware to action to update the store.
        yield put({
            type: ACTION_TYPES.UI_ACTION.ON_USERS_DATA,
            data: response.data
        });

In UserSaga.js we have defined the takeEvery(pattern, saga, ...args), so whenever it matches the ‘FETCH_USERS’ pattern, it will dispatch the event, to update the store. Each call it will construct a new task for the matching event.

An application can have multiple sagas’s based on the requirement, so we pile them into one main saga, as in the MainSaga.js

C. Now comes to the store update section, as you saw on the step ‘B’ there is a new event fired to update the redux store, which is ‘ON_USERS_DATA’, so we have to catch that event and update the state change. For that we used the UserReducer.js
export default function userReducer(state = initialState, action) {
    switch (action.type) {
        case ACTION_TYPES.UI_ACTION.ON_USERS_DATA:
            return Object.assign({}, state, {userList: action.data});
        default:
            return state;
    }
}

Here we have updated the userList in the store object into the new data. Now the update of the redux store is complete.

D. Now we have to listen to that state update and handle the UI update in the render method, inside the Component. We will receive the update to the component via, mapStateToProps method.

const mapStateToProps = (state) => {
    return {
        users: state.userActions.userList
    };
};

Now the newly fetched, User List is visible to the UI. So now you have connected the dots, between react, redux and redux-saga. Hope you have gained some idea of how the component interaction works, and don’t forget to comment on your thoughts as well.

Source code for this sample can be found here. https://github.com/arunasujith/react-redux-saga-sample
Or you can try to create the project from scratch. First, install the create-react-app using below command.

npm i -g create-react-app

Now create a sample project.

create-react-app react-redux-saga-sample

Run the project using,

npm start

Need to install the following react libraries.

npm install --save axios
npm install --save redux
npm install --save redux-saga
npm install --save react-redux