# Lesson 2: Mastering AWS Secrets Manager with Boto3: Creating, Retrieving, and Rotating Secrets

### Introduction

Welcome to the first lesson in the course, "AWS Secrets Management with AWS SDK for Python." In this lesson, we look at three core AWS services: AWS Secrets Manager, AWS Systems Manager Parameter Store (SSM), and AWS Key Management Service (KMS). This lesson lays the foundation for the more advanced service management covered later in the course.

### Understanding AWS Secrets Manager

AWS Secrets Manager is a secrets management service that protects access to your applications, services, and IT resources. It does not require the upfront investment or ongoing maintenance of operating your own secrets infrastructure. With Secrets Manager, you can manage, rotate, and retrieve database credentials, API keys, and other secrets throughout their lifecycle, which lets you automate and securely manage the secrets your applications use.

For more information, refer to the [AWS Secrets Manager Documentation](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html).

### Overview of AWS Systems Manager Parameter Store (SSM)

The AWS Systems Manager Parameter Store (SSM) provides secure, hierarchical storage for configuration data management and secrets management. It can store data such as passwords, database strings, Amazon Machine Image (AMI) IDs, and license codes as parameter values. You can then use these parameters throughout your AWS infrastructure, in your AWS CloudFormation templates, and during your Systems Manager runbook executions.

For more information, refer to the [AWS Systems Manager Parameter Store Documentation](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html).

### Introduction to AWS Key Management Service (KMS)

The AWS Key Management Service (KMS) is a managed service that simplifies the creation and control of the cryptographic keys used to encrypt your data. The AWS Key Management Service is integrated with other AWS services, thus making it easier to encrypt data and manage keys.

For more information, refer to the [AWS Key Management Service Documentation](https://docs.aws.amazon.com/kms/latest/developerguide/overview.html).

### Setting up Boto3 Clients

The solution code below shows how to configure Boto3 clients for the services we have just discussed. Let's walk through it step by step.

```python
import boto3

# Create default Secrets Manager client
secrets_manager_default = boto3.client('secretsmanager')

# Create default Parameter Store (SSM) client
ssm_default = boto3.client('ssm')

# Create default KMS client
kms_default = boto3.client('kms')
```

Here, we use the `boto3.client` method to set up "default" clients for AWS Secrets Manager, SSM, and KMS. They are called "default" because they rely on boto3's default credential and region resolution (environment variables, the shared credentials and config files, or an attached IAM role) rather than on any explicit configuration in the code.

When you need to customize the credentials or region a client uses (for example, to interact with resources in a different AWS region or with a different set of access keys), you can create the clients from a custom session.

```python
# Create custom session
my_session = boto3.Session(
    aws_access_key_id='test',
    aws_secret_access_key='test',
    region_name='us-west-2'
)

# Create Secrets Manager client based on this session
secrets_manager_custom = my_session.client('secretsmanager')

# Create Parameter Store (SSM) client based on this session
ssm_custom = my_session.client('ssm')

# Create KMS client based on this session
kms_custom = my_session.client('kms')
```

We first create a `boto3.Session` with our `aws_access_key_id`, `aws_secret_access_key`, and `region_name`, then create clients for Secrets Manager, Parameter Store (SSM), and KMS from that session. The literal `'test'` values only work against the course simulator; in real code, credentials should come from the environment, a named profile, or an IAM role rather than being embedded in source.

### Summary and Next Steps

We started by introducing three vital services for managing secrets on AWS: AWS Secrets Manager, Systems Manager Parameter Store (SSM), and AWS Key Management Service (KMS). Then, we learned how to use Boto3 to create a client for each of these services, both with the default configuration and from a custom session. The knowledge gained from this lesson is essential for further exploration of secrets management. In subsequent lessons, expect a more in-depth look at each of these AWS services. Keep an eye out and enjoy your learning!

## Working with AWS Secrets Manager

Welcome to the first exercise of this course! As explained in the lesson, AWS offers multiple services for managing secrets, such as AWS Secrets Manager, AWS Systems Manager Parameter Store (SSM), and AWS Key Management Service (KMS). These services can be utilized via the Boto3 SDK. They must first be initialized as clients before you can start using them. Your task is to run a Python script that initializes these clients both in their default manner and through a custom session. Simply run the code, verify that it initializes the services by observing the print statements, and ensure that you are getting no errors.

Important Note: Running scripts can modify the resources in our AWS simulator. To revert to the initial state, you can use the reset button located in the top right corner. However, keep in mind that resetting will erase any code changes. To preserve your code during a reset, consider copying it to the clipboard.

```python
import boto3

# Create default Secrets Manager client
secrets_manager_default = boto3.client('secretsmanager')
print("Default Secrets Manager client initialized.")

# Create default Parameter Store (SSM) client
ssm_default = boto3.client('ssm')
print("Default Parameter Store (SSM) client initialized.")

# Create default KMS client
kms_default = boto3.client('kms')
print("Default KMS client initialized.")

# Create custom session
my_session = boto3.Session(
    aws_access_key_id='test',
    aws_secret_access_key='test',
    region_name='us-west-2'
)

# Create Secrets Manager client based on this session
secrets_manager_custom = my_session.client('secretsmanager')
print("Custom Secrets Manager client initialized.")

# Create Parameter Store (SSM) client based on this session
ssm_custom = my_session.client('ssm')
print("Custom Parameter Store (SSM) client initialized.")

# Create KMS client based on this session
kms_custom = my_session.client('kms')
print("Custom KMS client initialized.")

```

Abacus AI ChatLLM:
### Welcome to the First Exercise

As explained in the lesson, AWS offers multiple services for managing secrets, such as AWS Secrets Manager, AWS Systems Manager Parameter Store (SSM), and AWS Key Management Service (KMS). These services can be utilized via the Boto3 SDK. They must first be initialized as clients before you can start using them. Your task is to run a Python script that initializes these clients both in their default manner and through a custom session. Simply run the code, verify that it initializes the services by observing the print statements, and ensure that you are getting no errors.

**Important Note:** Running scripts can modify the resources in our AWS simulator. To revert to the initial state, you can use the reset button located in the top right corner. However, keep in mind that resetting will erase any code changes. To preserve your code during a reset, consider copying it to the clipboard.

```python
import boto3

# Create default Secrets Manager client
secrets_manager_default = boto3.client('secretsmanager')
print("Default Secrets Manager client initialized.")

# Create default Parameter Store (SSM) client
ssm_default = boto3.client('ssm')
print("Default Parameter Store (SSM) client initialized.")

# Create default KMS client
kms_default = boto3.client('kms')
print("Default KMS client initialized.")

# Create custom session
my_session = boto3.Session(
    aws_access_key_id='test',
    aws_secret_access_key='test',
    region_name='us-west-2'
)

# Create Secrets Manager client based on this session
secrets_manager_custom = my_session.client('secretsmanager')
print("Custom Secrets Manager client initialized.")

# Create Parameter Store (SSM) client based on this session
ssm_custom = my_session.client('ssm')
print("Custom Parameter Store (SSM) client initialized.")

# Create KMS client based on this session
kms_custom = my_session.client('kms')
print("Custom KMS client initialized.")
```

Run the script and check the output for confirmation that all clients have been initialized successfully.

## Creating a Secret in AWS Secrets Manager

In this task, you will authenticate with AWS using custom credentials. The task presents you with a Python script that already creates a custom session. Your task is to complete the script by creating custom clients for AWS Secrets Manager, SSM, and KMS using the already established custom session. This will help you understand how to create custom clients from a custom session, which matters when you need a custom configuration, such as when interacting with resources in a different AWS region.

Important Note: Running scripts can modify the resources in our AWS simulator. To revert to the initial state, you can use the reset button located in the top-right corner. However, keep in mind that resetting will erase any code changes. To preserve your code during a reset, consider copying it to the clipboard.

```python
import boto3

# Create custom session
my_session = boto3.Session(
    aws_access_key_id='test',
    aws_secret_access_key='test',
    region_name='us-west-2'
)

# TODO: Create Secrets Manager client based on this session

# TODO: Create Parameter Store (SSM) client based on this session

# TODO: Create KMS client based on this session

```

Abacus AI ChatLLM:
### Task: Complete the Python Script

In this task, you will authenticate with AWS using custom credentials. The provided Python script already creates a custom session. Your task is to complete the script by creating custom clients for AWS Secrets Manager, SSM, and KMS using the established custom session. This will help you understand how to create custom clients using a custom session, which is important when you need custom configurations, such as when interacting with resources in a different AWS region.

**Important Note:** Running scripts can modify the resources in our AWS simulator. To revert to the initial state, you can use the reset button located in the top-right corner. However, keep in mind that resetting will erase any code changes. To preserve your code during a reset, consider copying it to the clipboard.

Here’s the updated script with the necessary client creations:

```python
import boto3

# Create custom session
my_session = boto3.Session(
    aws_access_key_id='test',
    aws_secret_access_key='test',
    region_name='us-west-2'
)

# Create Secrets Manager client based on this session
secrets_manager_custom = my_session.client('secretsmanager')
print("Custom Secrets Manager client initialized.")

# Create Parameter Store (SSM) client based on this session
ssm_custom = my_session.client('ssm')
print("Custom Parameter Store (SSM) client initialized.")

# Create KMS client based on this session
kms_custom = my_session.client('kms')
print("Custom KMS client initialized.")
```

Run the completed script to initialize the custom clients for AWS Secrets Manager, SSM, and KMS. Check the output to confirm that all clients have been initialized successfully.

## Rotating AWS Secrets with Boto3

## Deleting a Secret

## Mastering AWS Secrets Manager: Write it all!

Time to validate your knowledge! Write a Python script to initialize default clients for AWS Secrets Manager, Parameter Store (SSM), and Key Management Service (KMS). Then, create a custom boto3 session and initialize custom clients for these three AWS services using the session. Ensure you are creating the session with 'test' as both `aws_access_key_id` and `aws_secret_access_key`, and 'us-west-2' as the `region_name`. In this task, you will showcase your understanding of creating both default and custom clients for managing secrets on AWS.

Important Note: Running scripts can modify the resources in our AWS simulator. To revert to the initial state, use the reset button located in the top right corner. However, keep in mind that resetting will erase any code changes. To preserve your code during a reset, consider copying it to the clipboard.

```python
import boto3

# TODO: Create default Secrets Manager client

# TODO: Create default Parameter Store (SSM) client

# TODO: Create default KMS client

# TODO: Create custom session

# TODO: Create Secrets Manager client based on this session

# TODO: Create Parameter Store (SSM) client based on this session

# TODO: Create KMS client based on this session
```

Abacus AI ChatLLM:
### Task: Write a Python Script for AWS Clients

In this task, you will validate your knowledge by writing a Python script to initialize default clients for AWS Secrets Manager, Parameter Store (SSM), and Key Management Service (KMS). You will also create a custom Boto3 session and initialize custom clients for these three AWS services using the session. Ensure you create the session with 'test' as both `aws_access_key_id` and `aws_secret_access_key`, and 'us-west-2' as the `region_name`. This will showcase your understanding of creating both default and custom clients for managing secrets on AWS.

**Important Note:** Running scripts can modify the resources in our AWS simulator. To revert to the initial state, use the reset button located in the top right corner. However, keep in mind that resetting will erase any code changes. To preserve your code during a reset, consider copying it to the clipboard.

Here’s the completed script:

```python
import boto3

# Create default Secrets Manager client
secrets_manager_default = boto3.client('secretsmanager')
print("Default Secrets Manager client initialized.")

# Create default Parameter Store (SSM) client
ssm_default = boto3.client('ssm')
print("Default Parameter Store (SSM) client initialized.")

# Create default KMS client
kms_default = boto3.client('kms')
print("Default KMS client initialized.")

# Create custom session
my_session = boto3.Session(
    aws_access_key_id='test',
    aws_secret_access_key='test',
    region_name='us-west-2'
)

# Create Secrets Manager client based on this session
secrets_manager_custom = my_session.client('secretsmanager')
print("Custom Secrets Manager client initialized.")

# Create Parameter Store (SSM) client based on this session
ssm_custom = my_session.client('ssm')
print("Custom Parameter Store (SSM) client initialized.")

# Create KMS client based on this session
kms_custom = my_session.client('kms')
print("Custom KMS client initialized.")
```

Run this script to initialize both default and custom clients for AWS Secrets Manager, SSM, and KMS. Check the output to confirm that all clients have been initialized successfully.