## Exploring AWS Secrets Manager

In [1]:
import boto3

In [2]:
sm_client = boto3.client(
    'secretsmanager',
    region_name='us-east-1'
)

In [3]:
sm_client.list_secrets()

{'SecretList': [{'ARN': 'arn:aws:secretsmanager:us-east-1:582845781536:secret:appflow!582845781536-DurgaDevSandbox-annTIb',
   'Name': 'appflow!582845781536-DurgaDevSandbox',
   'Description': 'appflow owned service linked secret created for connector profile [DurgaDevSandbox]  and account [582845781536]. Deleting the secret will fail execution for associated active flows.',
   'KmsKeyId': 'arn:aws:kms:us-east-1:582845781536:key/19f89f18-1f2a-471b-b639-e843f5bad624',
   'LastChangedDate': datetime.datetime(2022, 5, 11, 13, 10, 47, 817000, tzinfo=tzlocal()),
   'LastAccessedDate': datetime.datetime(2021, 3, 10, 5, 30, tzinfo=tzlocal()),
   'Tags': [{'Key': 'aws:secretsmanager:owningService', 'Value': 'appflow'}],
   'SecretVersionsToStages': {'17cbc10c-8091-47da-b539-eda5ceb98bf2': ['AWSCURRENT']},
   'OwningService': 'appflow',
   'CreatedDate': datetime.datetime(2021, 3, 11, 2, 41, 20, 376000, tzinfo=tzlocal())},
  {'ARN': 'arn:aws:secretsmanager:us-east-1:582845781536:secret:appflow!

In [4]:
sm_client.create_secret?

Signature: sm_client.create_secret(*args, **kwargs)
Docstring:
Creates a new secret. A *secret* can be a password, a set of credentials such as a user name and password, an OAuth token, or other secret information that you store in an encrypted form in Secrets Manager. The secret also includes the connection information to access a database or other service, which Secrets Manager doesn't encrypt. A secret in Secrets Manager consists of both the protected secret data and the important information needed to manage the secret.

For information about creating a secret in the console, see `Create a secret <https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_create-basic-secret.html>`__ .

To create a secret, you can provide the secret value to be encrypted in either the ``SecretString`` parameter or the ``SecretBinary`` parame

In [7]:
# Read the pickled Gmail OAuth token as raw bytes; the context manager closes the file handle
with open('../.credentials/token.pickle', 'rb') as f:
    token = f.read()

In [None]:
sm_client.create_secret(
    Name='gmail_token',
    SecretBinary=token
)

In [None]:
sm_client.update_secret(
    SecretId='gmail_token',
    SecretBinary=token
)

In [None]:
sm_client.get_secret_value?

In [None]:
secret_token = sm_client.get_secret_value(SecretId='gmail_token')['SecretBinary']

In [None]:
import pickle

In [None]:
# pickle.loads executes whatever the payload encodes, so only unpickle bytes you
# wrote to the secret yourself and keep write access to the secret tightly scoped
creds = pickle.loads(secret_token)

In [None]:
creds

In [None]:
from googleapiclient.discovery import build

In [None]:
service = build('gmail', 'v1', credentials=creds)

In [None]:
users = service.users()

In [None]:
messages = users.messages().list(userId='me').execute()

In [None]:
messages

Here are some of the key interview topics on secrets manager:
* Purpose of secrets manager
* Use cases of secrets manager
* Secret Rotation for AWS RDS Credentials

The question might also be phrased as "How did you manage or pass the credentials your application needed to connect to external databases or other applications?"

Here is another exercise for secrets manager.

Your application needs to connect to a remote PostgreSQL database with the following information:
* Host: pg.itversity.com
* Port: 5432
* Database: retail_db
* Username: retail_user
* Password: DGeSSTl04j

Create secret using AWS Console and understand how to read it back from the application. You can follow [this article](https://aws.amazon.com/blogs/security/rotate-amazon-rds-database-credentials-automatically-with-aws-secrets-manager/) to get step by step instructions.
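The exercise above (storing the PostgreSQL connection details and reading them back from the application), together with the `create_secret` / `get_secret_value` round trip used for the Gmail token earlier in the notebook, worked through as an added example that is not part of the original notebook. It stores the details as a JSON `SecretString` under the key names the Secrets Manager RDS rotation templates expect (`engine`, `host`, `port`, `dbname`, `username`, `password`), reads the secret back and turns it into connection arguments. `FakeSecretsManagerClient` is a constructed in-memory stand-in so the cell runs without AWS access, and the secret name `retail_db_credentials` is an assumption; swap in `boto3.client('secretsmanager', region_name='us-east-1')` to run it against the real service.

```python
import json
from typing import Any, Dict


class FakeSecretsManagerClient:
    """Constructed offline stand-in for boto3.client('secretsmanager').

    It mimics only the three calls used in this notebook (create_secret,
    update_secret, get_secret_value) so the round trip can be exercised
    without AWS credentials; use the real boto3 client to run it for real.
    """

    def __init__(self):
        self._store: Dict[str, Dict[str, Any]] = {}

    def create_secret(self, Name, SecretString=None, SecretBinary=None, **kwargs):
        if Name in self._store:
            raise ValueError(f"ResourceExistsException: {Name}")
        self._store[Name] = {"SecretString": SecretString, "SecretBinary": SecretBinary}
        return {"Name": Name}

    def update_secret(self, SecretId, SecretString=None, SecretBinary=None, **kwargs):
        if SecretId not in self._store:
            raise KeyError(f"ResourceNotFoundException: {SecretId}")
        self._store[SecretId] = {"SecretString": SecretString, "SecretBinary": SecretBinary}
        return {"Name": SecretId}

    def get_secret_value(self, SecretId, **kwargs):
        if SecretId not in self._store:
            raise KeyError(f"ResourceNotFoundException: {SecretId}")
        response = {"Name": SecretId}
        # The real API returns only the field that was populated; mirror that.
        for field in ("SecretString", "SecretBinary"):
            if self._store[SecretId][field] is not None:
                response[field] = self._store[SecretId][field]
        return response


def store_db_credentials(client, name, host, port, dbname, username, password):
    """Store database connection details as a JSON SecretString.

    The key names match the Secrets Manager RDS rotation templates, so a
    rotation Lambda attached later can read the same secret unchanged.
    """
    payload = {
        "engine": "postgres",
        "host": host,
        "port": port,
        "dbname": dbname,
        "username": username,
        "password": password,
    }
    return client.create_secret(Name=name, SecretString=json.dumps(payload))


def load_db_credentials(client, name):
    """Read the secret back and return psycopg2-style connection keyword arguments.

    Handles both response shapes: a JSON SecretString (what the console creates)
    or a SecretBinary holding the same JSON as UTF-8 bytes.
    """
    response = client.get_secret_value(SecretId=name)
    if "SecretString" in response:
        raw = response["SecretString"]
    else:
        raw = response["SecretBinary"].decode("utf-8")
    secret = json.loads(raw)
    return {
        "host": secret["host"],
        "port": int(secret["port"]),
        "dbname": secret["dbname"],
        "user": secret["username"],
        "password": secret["password"],
    }


def postgres_dsn(conn_kwargs):
    """Build a libpq-style DSN with the password left out, safe to log."""
    return "host={host} port={port} dbname={dbname} user={user}".format(**conn_kwargs)


if __name__ == "__main__":
    # Replace with boto3.client('secretsmanager', region_name='us-east-1') for real use
    client = FakeSecretsManagerClient()
    store_db_credentials(client, "retail_db_credentials",
                         "pg.itversity.com", 5432, "retail_db", "retail_user", "DGeSSTl04j")
    conn_kwargs = load_db_credentials(client, "retail_db_credentials")
    print(postgres_dsn(conn_kwargs))
    # With psycopg2 installed: psycopg2.connect(**conn_kwargs)
```

Storing the credentials as JSON text rather than pickled bytes keeps the secret readable in the console and by the rotation function, and means reading it back never deserialises executable content the way `pickle.loads` does.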