# Lesson 3: Advanced Secrets Management in AWS with Python SDK

### Introduction

As we've learned in our previous lessons, AWS Secrets Manager is a powerful service that helps protect access to your applications, services, and IT resources. It allows you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. In this lesson, we're going to explore the advanced features of AWS Secrets Manager with Python's AWS SDK, Boto3.

### Generating a Random Password

One way to ensure that passwords are strong and secure is to generate a random password using AWS Secrets Manager. Let's see how we can accomplish this:


import boto3

# Initialize the Secrets Manager client
client = boto3.client('secretsmanager')

# Generate a simple random password
response_simple = client.get_random_password()
print("Simple Random Password:", response_simple['RandomPassword'])

# Generate a complex random password including special characters and without any ambiguous characters
response_complex = client.get_random_password(
  PasswordLength=20,                  # Specify length
  IncludeSpace=True,                  # Include space character
  RequireEachIncludedType=True,       # Require at least one character from each included type
  ExcludeCharacters="/@\" "           # Exclude specific characters
)
print("Complex Random Password:", response_complex['RandomPassword'])


In this piece of code, we first create a client with AWS Secrets Manager using the `boto3.client('secretsmanager')` call. Then, we call the `get_random_password()` function, which generates a random password. The function accepts numerous parameters for customization, such as `PasswordLength`, `ExcludeCharacters`, `ExcludeNumbers`, `ExcludePunctuation`, `ExcludeUppercase`, `ExcludeLowercase`, `IncludeSpace`, and `RequireEachIncludedType`.

### Listing All Secrets

AWS Secrets Manager provides a function to list all the secrets that are stored in it. The `list_secrets()` function returns a list of all secret information:


# List all secrets
response = client.list_secrets()

# Print each secret name
for secret in response['SecretList']:
    print("Secret Name:", secret['Name'])


### Tagging and Untagging Secrets

Tagging secrets can help with categorizing and managing secrets. The `tag_resource()` function is used to add tags to a secret. To remove tags, the `untag_resource()` function is used.


# Add tags to a secret
response = client.tag_resource(
    SecretId='MyTestSecretId',
    Tags=[
        {
            'Key': 'Environment',
            'Value': 'Production'
        },
    ]
)

# Remove tags from a secret
response = client.untag_resource(
    SecretId='MyTestSecretId',
    TagKeys=[
        'Environment',
    ]
)


### Working with Secret Versions and Stages

When managing secrets with AWS Secrets Manager, each secret can have multiple versions, and every version can have staging labels associated with it. By default, AWS Secrets Manager maintains two primary staging labels for secrets: `AWSCURRENT` for the current live version of the secret and `AWSPREVIOUS` for the directly preceding version. The `list_secret_version_ids` function, by default, lists versions that have staging labels, typically returning the two latest versions unless additional custom staging labels are manually assigned to other versions.

Let's see how to work with secret versions and stages:


# List versions of a secret that have staging labels
versions = client.list_secret_version_ids(SecretId='MyTestSecret')
print('Available versions of the Secret:', versions)

previous_secret_value = client.get_secret_value(SecretId='MyTestSecret', VersionStage='AWSPREVIOUS')['SecretString']
print('Previous Secret Value:', previous_secret_value)


This script demonstrates how to list versions that have staging labels and retrieve the value for a specific staging label. It's important to manage these versions and stages effectively to maintain the integrity of secret values across different environments and deployments.

### Secret Deletion and Restoration

Managing the lifecycle of secrets often involves deleting them when they're no longer needed. However, AWS Secrets Manager provides a safeguard against accidental deletion through its recovery features:


# Delete the secret
client.delete_secret(
    SecretId='MyTestSecret',
    ForceDeleteWithoutRecovery=False,  # Allows the secret to be recoverable for a specified period
    RecoveryWindowInDays=7             # Specifies the number of days within which the secret can be recovered
)

# Restore the secret within the recovery window
response_restore = client.restore_secret(
    SecretId='MyTestSecret',
)
print('Restored Secret:', response_restore)


In the deletion process, two key parameters are involved:

- **ForceDeleteWithoutRecovery**: When set to False, it enables the secret to be recoverable. The default value is False, meaning that, by default, secrets are recoverable, protecting against their permanent loss due to accidental deletion.
- **RecoveryWindowInDays**: Specifies the duration (in days) within which a deleted secret can be restored. The default recovery window is 30 days if this parameter is not specified, providing a generous period for recovery after deletion. In the example above, it's explicitly set to 7 days for demonstration purposes.

The ability to recover secrets provides a safety net, ensuring that critical secrets can be restored if they were deleted prematurely or in error. After a secret is deleted, but within the recovery window, the secret can be restored using the `restore_secret()` method, as demonstrated. If not restored within the recovery window, the secret will be permanently deleted and cannot be recovered.

### Summary

In this lesson, we've delved deeper into AWS Secrets Manager, exploring advanced concepts such as password generation, secret versioning, secret restoration, and secret tagging. Understanding these features allows you to utilize Secrets Manager to its full potential, securing your applications more effectively.

Now that we've covered these advanced concepts, it's time to apply what we've learned! The following exercises will give you practical experience with these features. Let's get started!

## All Advanced Secrets Manager Operations

Welcome to this task! You will be running a pre-existing Python script that exercises various operations with AWS Secrets Manager. This script demonstrates creating versions of a secret, updating the secret with both manually specified and randomly generated passwords, listing the secret versions, retrieving a secret's value by different version stages, managing secret tags, and restoring a deleted secret. The purpose of this task is to expose you to how these operations work within a real script. There's no need for you to write any code—your task is simply to run the script, observe its execution and understand what each part of the code is doing.

Important Note: Executing scripts can alter resources within our AWS simulator. To return to the initial state, you may use the reset button located in the top right corner. It is important to note, however, that resetting will remove any code modifications. To safeguard your code during a reset, consider copying it to the clipboard.

```python
import boto3

# Initialize the Secrets Manager client
client = boto3.client('secretsmanager')

# Create a new secret version 1
client.create_secret(Name='MyPassword', SecretString='simple password 1')

# Update the secret to version 2
client.update_secret(SecretId='MyPassword', SecretString='simple password 2')

# Generate a strong random password for version 3
strong_password = client.get_random_password(PasswordLength=16)['RandomPassword']

# Update the secret to version 3 and use the generated password
updated_secret_v3 = client.update_secret(SecretId='MyPassword', SecretString=strong_password)

# List Secret versions
versions_response = client.list_secret_version_ids(SecretId='MyPassword')
print('Versions of Secret:', versions_response['Versions']) # Note that only the 2 last versions are returned!

# Retrieve the previous value of the secret using the AWSPREVIOUS staging label
previous_secret_value = client.get_secret_value(SecretId='MyPassword', VersionStage='AWSPREVIOUS')['SecretString']
print('\nPrevious Secret Value (version 2):', previous_secret_value)

# Delete the secret
client.delete_secret(
    SecretId='MyPassword',
    ForceDeleteWithoutRecovery=False,
    RecoveryWindowInDays=7
)

# Restore the secret
response_restore = client.restore_secret(SecretId='MyPassword')
print('\nRestored Secret:', response_restore)

# Tag the secret
response_tag = client.tag_resource(
    SecretId='MyPassword',
    Tags=[{'Key': 'Environment', 'Value': 'Test'}]
)
print('\nTagged Secret:', response_tag)

# Remove tag from the secret
response_untag = client.untag_resource(
    SecretId='MyPassword',
    TagKeys=['Environment']
)
print('\nUntagged Secret:', response_untag)

```

Abacus AI ChatLLM:
It looks like you're ready to run a Python script that interacts with AWS Secrets Manager. This script performs several operations, including creating and updating secrets, generating random passwords, listing secret versions, retrieving secret values, managing tags, and restoring a deleted secret. 

Here's a brief overview of what each part of the script does:

1. **Initialize the Secrets Manager Client**: The script starts by creating a client for AWS Secrets Manager using Boto3.

2. **Create a New Secret**: It creates a new secret named "MyPassword" with an initial value of "simple password 1".

3. **Update the Secret**: The secret is updated to a new value, "simple password 2".

4. **Generate a Strong Random Password**: A strong random password is generated for the next version of the secret.

5. **Update the Secret with the Generated Password**: The secret is updated again, this time using the randomly generated strong password.

6. **List Secret Versions**: The script lists the versions of the secret, noting that only the last two versions are returned.

7. **Retrieve Previous Secret Value**: It retrieves the value of the previous version of the secret using the `AWSPREVIOUS` staging label.

8. **Delete the Secret**: The secret is deleted, but it can be recovered within a specified recovery window.

9. **Restore the Secret**: The script restores the deleted secret.

10. **Tag the Secret**: A tag is added to the secret to categorize it.

11. **Remove Tag from the Secret**: The tag is removed from the secret.

As you run the script, observe the output at each step to understand how AWS Secrets Manager handles these operations. If you need to reset the environment after running the script, remember to use the reset button to return to the initial state. If you have any questions about specific parts of the script or its output, feel free to ask!

## Enhancing Password Complexity for AWS Secrets

In this task, you will be working with the AWS Secrets Manager to create a new secret with a random password. Initially, you are provided with a Python script that generates a very simple string which is used as a password for a new Secret. However, this implementation isn't very secure. Your task is to adjust the existing code to ensure that the generated password is more complex, specifically it should be 16 characters long, including both lower and upper case characters, and without the specific characters @, #, ", and /. Also, note that we do not want to include any punctuation characters in the generated password.

Important Note: Executing scripts can change the state of resources within our AWS simulator. In order to revert to the initial state, you can use the rest button located in the top right corner. However, keep in mind that resetting will erase any code modifications. Therefore, to maintain your code during a reset, consider copying it to the clipboard.

```python
import boto3

# Initialize the Secrets Manager client
client = boto3.client('secretsmanager')

# Generate a simple random password
new_password = client.get_random_password(PasswordLength=8)['RandomPassword']

# Create a new secret with the generated password
response_create = client.create_secret(
    Name='MyTestSecret',
    SecretString='{"username":"test", "password":"' + new_password + '"}'
)

print('Created Secret:', response_create)

```

Abacus AI ChatLLM:
To enhance the security of the password generated for the new secret in AWS Secrets Manager, you can modify the existing script to generate a more complex password that meets your specified criteria. The new password should be 16 characters long, include both lower and upper case characters, and exclude the characters @, #, ", and /. Additionally, it should not contain any punctuation characters.

Here’s the adjusted Python script:


import boto3

# Initialize the Secrets Manager client
client = boto3.client('secretsmanager')

# Generate a complex random password
new_password = client.get_random_password(
    PasswordLength=16,                  # Specify length
    ExcludeCharacters='@#"/',           # Exclude specific characters
    ExcludePunctuation=True,            # Exclude punctuation characters
    RequireEachIncludedType=True         # Require at least one character from each included type
)['RandomPassword']

# Create a new secret with the generated password
response_create = client.create_secret(
    Name='MyTestSecret',
    SecretString='{"username":"test", "password":"' + new_password + '"}'
)

print('Created Secret:', response_create)


### Key Changes Made:

1. **Password Length**: Changed `PasswordLength` to 16 to meet the requirement for a longer password.

2. **Character Exclusions**: Specified `ExcludeCharacters='@#"/'` to exclude the specified characters.

3. **Punctuation Exclusion**: Set `ExcludePunctuation=True` to ensure no punctuation characters are included.

4. **Character Type Requirement**: Added `RequireEachIncludedType=True` to ensure that the password includes both upper and lower case characters.

This updated script will create a new secret in AWS Secrets Manager with a more secure password. As always, remember to use the reset button if you need to revert to the initial state after executing the script. If you have any questions or need further modifications, feel free to ask!

## Updating Secrets with Auto-Generated Passwords

Cosmo, our lovable CodeSignal Learn mascot, has a secret he wants to secure and ensure its safety. He decided to auto-generate a highly secure password. Your task is to update this password using AWS Secret Manager. Initially, you are given a script that creates a secret with a basic password. You need to modify the script to update the password with an auto-generated one.

Important Note: Running scripts can modify the resources in our AWS simulator. To revert to the initial state, you can use the reset button located in the top right corner. However, keep in mind that resetting will erase any code changes. To preserve your code during a reset, consider copying it to the clipboard.

```python
import boto3

# Initialize the boto3 Secrets Manager client
sm = boto3.client('secretsmanager')

# Create a new secret with a simple password
response = sm.create_secret(Name='CosmoSecret', SecretString='simplePassword')

# TODO: Generate a new highly secure password
# TODO: Update the secret with the new password
```

Abacus AI ChatLLM:
To update the existing secret with a highly secure password using AWS Secrets Manager, you can modify the provided script to generate a complex password and then update the secret with this new password. Below is the updated script that accomplishes this:


import boto3

# Initialize the boto3 Secrets Manager client
sm = boto3.client('secretsmanager')

# Create a new secret with a simple password
response = sm.create_secret(Name='CosmoSecret', SecretString='simplePassword')

# Generate a new highly secure password
new_password = sm.get_random_password(
    PasswordLength=16,                  # Specify length
    ExcludeCharacters='@#"/',           # Exclude specific characters
    ExcludePunctuation=True,            # Exclude punctuation characters
    RequireEachIncludedType=True         # Require at least one character from each included type
)['RandomPassword']

# Update the secret with the new password
response_update = sm.update_secret(
    SecretId='CosmoSecret',
    SecretString='{"username":"cosmo", "password":"' + new_password + '"}'
)

print('Updated Secret:', response_update)


### Key Changes Made:

1. **Password Generation**: The script now generates a new secure password using `get_random_password()` with specified parameters to ensure it meets security requirements.

2. **Secret Update**: The `update_secret()` method is used to update the existing secret with the new password, formatted as a JSON string.

This updated script will create a new secret initially and then update it with a highly secure password. As always, remember to use the reset button if you need to revert to the initial state after executing the script. If you have any questions or need further modifications, feel free to ask!

## Tagging Secrets with Creator Information

Our mascot, Cosmo, has many secrets he needs to manage! In this activity, you'll help him keep things organized by tagging his secrets. Initially, you're given a Python script that creates a secret. You need to add to this script and make it tag the secret, indicating that Cosmo is the creator. By tagging secrets, you can classify and manage them more efficiently, depending on your organizational needs.

Important Note: Running scripts can modify the resources in our AWS simulator. To revert to the initial state, you can use the reset button located in the top right corner. However, keep in mind that resetting will erase any code changes. To preserve your code during a reset, consider copying it to the clipboard.

```python
import boto3

# Initialize the boto3 Secrets Manager client
sm = boto3.client('secretsmanager')

# Create a new secret 
response = sm.create_secret(Name='CosmosSecret', SecretString='mysecret')

# TO DO: Tag the secret with Cosmo as the creator
```

Abacus AI ChatLLM:
To tag the secret created for Cosmo, you can modify the provided script to include a tagging operation after the secret is created. Below is the updated script that accomplishes this by tagging the secret to indicate that Cosmo is the creator:


import boto3

# Initialize the boto3 Secrets Manager client
sm = boto3.client('secretsmanager')

# Create a new secret
response = sm.create_secret(Name='CosmosSecret', SecretString='mysecret')

# Tag the secret with Cosmo as the creator
response_tag = sm.tag_resource(
    SecretId='CosmosSecret',
    Tags=[
        {
            'Key': 'Creator',
            'Value': 'Cosmo'
        }
    ]
)

print('Tagged Secret:', response_tag)


### Key Changes Made:

1. **Tagging the Secret**: The `tag_resource()` method is used to add a tag to the secret, specifying "Creator" as the key and "Cosmo" as the value.

This updated script will create a new secret and then tag it appropriately, helping to keep Cosmo's secrets organized. As always, remember to use the reset button if you need to revert to the initial state after executing the script. If you have any questions or need further modifications, feel free to ask!

## Retrieving Different Versions of a Secret

Great job managing Cosmo's secrets so far! Now, let's delve into managing secret versions more intricately. Given an initial Python script that creates a secret and then updates it twice, your task is to retrieve and print 2 latest version IDs of the secret. Then, specifically target and print the value of the secret marked with the AWSPREVIOUS staging label.

AWS Secrets Manager uses staging labels to help you manage different versions of a secret. The AWSCURRENT label always points to the current version of the secret, while AWSPREVIOUS points to the version before the current one. This feature is particularly useful for rolling back changes or maintaining an understanding of a secret's history.

Important Note: Running scripts can modify the resources in our AWS simulator. To revert to the initial state, you can use the reset button located in the top right corner. However, keep in mind that resetting will erase any code changes. To preserve your code during a reset, consider copying it to the clipboard.

```python
import boto3

# Initialize the boto3 Secrets Manager client
sm = boto3.client('secretsmanager')

# Create a new secret
response = sm.create_secret(Name='CosmosSecret', SecretString='secret1')

# Update the secret twice
sm.update_secret(SecretId='CosmosSecret', SecretString='secret2')
sm.update_secret(SecretId='CosmosSecret', SecretString='secret3')

# TO DO: List and print 2 latest version IDs of the secret
# TO DO: Retrieve and print the value of the version of the secret labeled as AWSPREVIOUS
```

Abacus AI ChatLLM:
To manage the secret versions and retrieve the necessary information, you can modify the provided script to list the latest version IDs and retrieve the value of the secret marked with the `AWSPREVIOUS` staging label. Below is the updated script that accomplishes this:


import boto3

# Initialize the boto3 Secrets Manager client
sm = boto3.client('secretsmanager')

# Create a new secret
response = sm.create_secret(Name='CosmosSecret', SecretString='secret1')

# Update the secret twice
sm.update_secret(SecretId='CosmosSecret', SecretString='secret2')
sm.update_secret(SecretId='CosmosSecret', SecretString='secret3')

# List and print 2 latest version IDs of the secret
versions_response = sm.list_secret_version_ids(SecretId='CosmosSecret')
latest_versions = versions_response['Versions'][:2]  # Get the two latest versions

print('Latest Version IDs:')
for version in latest_versions:
    print(version['VersionId'])

# Retrieve and print the value of the version of the secret labeled as AWSPREVIOUS
previous_secret_value = sm.get_secret_value(SecretId='CosmosSecret', VersionStage='AWSPREVIOUS')['SecretString']
print('\nPrevious Secret Value (AWSPREVIOUS):', previous_secret_value)


### Key Changes Made:

1. **List Latest Version IDs**: The script uses `list_secret_version_ids()` to retrieve the version IDs of the secret and prints the two latest version IDs.

2. **Retrieve Previous Secret Value**: It retrieves the value of the secret marked with the `AWSPREVIOUS` staging label using `get_secret_value()` and prints it.

This updated script will help you manage and understand the versions of Cosmo's secret effectively. As always, remember to use the reset button if you need to revert to the initial state after executing the script. If you have any questions or need further modifications, feel free to ask!

## Restoring a Deleted Secret

Being a mascot is a tough job, and sometimes in the hustle and bustle, Cosmo can accidentally delete secrets he still needs. Luckily, deleted secrets are not immediately removed and can be restored within a certain time period. Faced with such a situation, your task is to help Cosmo out by completing a Python script that restores a secret that was just deleted.

Important Note: Running scripts can modify the resources in our AWS simulator. To revert to the initial state, you can use the reset button located in the top right corner. However, keep in mind that resetting will erase any code changes. To preserve your code during a reset, consider copying it to the clipboard.

```python
import boto3
import time

# Initialize the boto3 Secrets Manager client
sm = boto3.client('secretsmanager')

# Create a new secret
response = sm.create_secret(Name='CosmosSecret', SecretString='mysecret')

# Delete the secret
sm.delete_secret(SecretId='CosmosSecret', RecoveryWindowInDays=7)

# TO DO: Restore the deleted secret

```

Abacus AI ChatLLM:
To restore a deleted secret in AWS Secrets Manager, you can complete the provided script by using the `restore_secret()` method. Below is the updated script that accomplishes this:


import boto3
import time

# Initialize the boto3 Secrets Manager client
sm = boto3.client('secretsmanager')

# Create a new secret
response = sm.create_secret(Name='CosmosSecret', SecretString='mysecret')

# Delete the secret
sm.delete_secret(SecretId='CosmosSecret', RecoveryWindowInDays=7)

# Restore the deleted secret
response_restore = sm.restore_secret(SecretId='CosmosSecret')

print('Restored Secret:', response_restore)


### Key Changes Made:

1. **Restore the Deleted Secret**: The script uses the `restore_secret()` method to restore the secret that was deleted. 

2. **Print Confirmation**: It prints the response from the restore operation to confirm that the secret has been successfully restored.

This updated script will help Cosmo recover his deleted secret within the specified recovery window. As always, remember to use the reset button if you need to revert to the initial state after executing the script. If you have any questions or need further modifications, feel free to ask!