### Install Rust

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/workload-credentials-provider.md

Installs Rust using the official installation script. Follow the on-screen instructions for configuration.

```bash
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
# Follow the on-screen instructions
. "$HOME/.cargo/env"
```

--------------------------------

### Dockerfile for Client Application

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/workload-credentials-provider.md

This Dockerfile uses the latest Debian image and sets up the Workload Credentials Provider binary. It installs the necessary CA certificates and configures the entry point to start the provider.

```dockerfile
FROM debian:latest
WORKDIR /app
COPY aws-workload-credentials-provider .
RUN apt-get update && apt-get install -y ca-certificates
ENTRYPOINT ["./aws-workload-credentials-provider", "sm", "start"]
```

--------------------------------

### Install ASCP Add-on with eksctl

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/ascp-eks-installation.md

Installs the ASCP add-on using eksctl with the default configuration. Ensure you have eksctl installed and configured for your cluster, and replace `{{clusterName}}` with your cluster name.

```bash
eksctl create addon --cluster {{clusterName}} --name aws-secrets-store-csi-driver-provider
```

--------------------------------

### Example Pre-fetch Configuration with Tag-Based Discovery

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/workload-credentials-provider.md

Configure pre-fetching by discovering secrets based on tag keys. This example sets the cache buffer ratio and specifies two tag keys ('Environment' and 'Team') for discovery.
```toml
[capabilities.secrets_manager.prefetch]
cache_buffer_ratio = 0.8
filter_tags = [
  { key = "Environment" },
  { key = "Team" },
]
```

--------------------------------

### Install build-essential on Debian

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/workload-credentials-provider.md

Installs the build tools needed on Debian-based systems such as Ubuntu.

```bash
sudo apt install build-essential
```

--------------------------------

### Install ASCP using Helm with Throttling Configuration

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/ascp-eks-installation.md

Installs the ASCP chart using Helm, configuring Kubernetes API throttling parameters. Replace `{{number of queries per second}}` with the desired QPS and burst values.

```bash
helm install -n kube-system secrets-provider-aws aws-secrets-manager/secrets-store-csi-driver-provider-aws \
  --set-json 'k8sThrottlingParams={"qps": "{{number of queries per second}}", "burst": "{{number of queries per second}}"}'
```

--------------------------------

### Example Pre-fetch Configuration with Explicit Secrets

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/workload-credentials-provider.md

Configure pre-fetching for specific secrets by listing their IDs or ARNs. This example sets the cache buffer ratio and maximum jitter seconds, then lists two secrets to pre-fetch.

```toml
[capabilities.secrets_manager.prefetch]
cache_buffer_ratio = 0.6
max_jitter_seconds = 5
secrets = [
  { secret_id = "arn:aws:secretsmanager:us-west-2:123456789012:secret:MySecret-AbCdEf" },
  { secret_id = "MyOtherSecret" },
]
```

--------------------------------

### Install ASCP Add-on with AWS CLI and Configuration

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/ascp-eks-installation.md

Installs the ASCP add-on using the AWS CLI, allowing custom configuration via a YAML or JSON file. The configuration file path must be given with the `file://` prefix; replace `{{clusterName}}` with your cluster name.
```bash
aws eks create-addon --cluster-name {{clusterName}} \
  --addon-name aws-secrets-store-csi-driver-provider \
  --configuration-values 'file://path/to/config.yaml'
```

--------------------------------

### Install ASCP using Helm

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/ascp-eks-installation.md

Installs the ASCP chart using Helm. Run `helm repo update` first so the chart repository is current.

```bash
helm install -n kube-system secrets-provider-aws aws-secrets-manager/secrets-store-csi-driver-provider-aws
```

--------------------------------

### Install ASCP using Helm, Skipping Secrets Store CSI Driver Dependency

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/ascp-eks-installation.md

Installs the ASCP chart using Helm without installing the Secrets Store CSI Driver as a dependency. Use this if the driver is already installed on your cluster.

```bash
helm install -n kube-system secrets-provider-aws aws-secrets-manager/secrets-store-csi-driver-provider-aws \
  --set secrets-store-csi-driver.install=false
```

--------------------------------

### Install cargo-xwin for cross-compilation

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/workload-credentials-provider.md

Installs the cargo-xwin utility, which cross-compiles Rust projects for Windows from a non-Windows host.

```bash
cargo install cargo-xwin
```

--------------------------------

### Build and Package Lambda Layer

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/workload-credentials-provider.md

Builds the release binary, copies it and an example extension script into their respective folders, and zips them into a Lambda layer package.
```bash
cargo build --release --target=x86_64-unknown-linux-gnu
mkdir -p ./bin
cp ./target/x86_64-unknown-linux-gnu/release/aws-workload-credentials-provider ./bin/aws-workload-credentials-provider
mkdir -p ./extensions
cp aws_secretsmanager_provider/examples/example-lambda-extension/secrets-manager-provider-extension.sh ./extensions
zip secrets-manager-provider-extension.zip bin/* extensions/*
```

--------------------------------

### Install Development Tools on RPM-based Systems

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/workload-credentials-provider.md

Installs the Development Tools group on RPM-based systems such as AL2023.

```bash
sudo yum -y groupinstall "Development Tools"
```

--------------------------------

### Example Pre-fetch Configuration with Cross-Account Access

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/workload-credentials-provider.md

Configure pre-fetching for secrets in other AWS accounts using role ARNs. This example combines explicit secrets and tag-based discovery, specifying a role ARN for each cross-account entry.

```toml
[capabilities.secrets_manager.prefetch]
cache_buffer_ratio = 0.6
max_jitter_seconds = 5
secrets = [
  { secret_id = "arn:aws:secretsmanager:us-west-2:123456789012:secret:MySecret-AbCdEf" },
  { secret_id = "cross-account-secret", role_arn = "arn:aws:iam::987654321098:role/SecretAccessRole" },
]
filter_tags = [
  { key = "Environment" },
  { key = "Team", role_arn = "arn:aws:iam::987654321098:role/SecretAccessRole" },
]
```

--------------------------------

### Install ASCP using Helm with FIPS Endpoint

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/ascp-eks-installation.md

Installs the ASCP chart using Helm, enabling the FIPS endpoint by setting the `useFipsEndpoint` flag to `true`.
```bash
helm install -n kube-system secrets-provider-aws aws-secrets-manager/secrets-store-csi-driver-provider-aws \
  --set useFipsEndpoint=true
```

--------------------------------

### Install aws-secretsmanager-caching

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets_cache-python.md

Use this command to install the Python caching component. Ensure you have Python 3.6 or later, botocore 1.12 or higher, and setuptools_scm 3.2 or higher.

```bash
$ pip install aws-secretsmanager-caching
```

--------------------------------

### Install Secrets Store CSI Driver and ASCP Provider using Helm and kubectl

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/ascp-eks-installation.md

Installs the Secrets Store CSI Driver using Helm and then applies the ASCP provider from a raw YAML manifest on GitHub. Ensure the Helm repository is updated.

```bash
helm repo add secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
helm install -n kube-system csi-secrets-store secrets-store-csi-driver/secrets-store-csi-driver
kubectl apply -f https://raw.githubusercontent.com/aws/secrets-store-csi-driver-provider-aws/main/deployment/aws-provider-installer.yaml
```

--------------------------------

### Examples of IPv6 Addresses

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/ip-access.md

Illustrates different formats of the same IPv6 address: full, with leading zeros omitted, and compressed.

```text
2001:cdba:0000:0000:0000:0000:3257:9652   # The full, unabbreviated IPv6 address.
2001:cdba:0:0:0:0:3257:9652               # The same address with leading zeros in each group omitted.
2001:cdba::3257:9652                      # A compressed version of the same address.
```

--------------------------------

### Example Output: libpq version 14.x

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/troubleshoot_rotation.md

This output indicates that the rotation function uses a recent version of libpq (14.x) that supports SCRAM-SHA-256 encryption. This is a valid configuration for SCRAM-SHA-256.

```text
0x000000000000001d (RUNPATH) Library runpath: [/local/p4clients/pkgbuild-a1b2c/workspace/build/PostgreSQL/PostgreSQL-14.x_client_only.123456.0/AL2_x86_64/DEV.STD.PTHREAD/build/private/tmp/brazil-path/build.libfarm/lib:/local/p4clients/pkgbuild-a1b2c/workspace/src/PostgreSQL/build/private/install/lib]
```

--------------------------------

### Example Nested Configuration File

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/workload-credentials-provider.md

A sample TOML configuration file demonstrating nested settings for logging and Secrets Manager capabilities. The `[logging]` table shown here sets the log level and enables file logging.
```toml
[logging]
log_level = "INFO"
log_to_file = true
```

--------------------------------

### Example Output: libpq version >= 10

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/troubleshoot_rotation.md

This output indicates that the rotation function uses a version of libpq that supports SCRAM-SHA-256 encryption. No action is needed for SCRAM-SHA-256 compatibility.

```text
0x000000000000001d (RUNPATH) Library runpath: [/local/p4clients/pkgbuild-a1b2c/workspace/build/PostgreSQL/{{PostgreSQL-10.x}}_client_only.123456.0/AL2_x86_64/DEV.STD.PTHREAD/build/private/tmp/brazil-path/build.libfarm/lib:/local/p4clients/pkgbuild-a1b2c/workspace/src/PostgreSQL/build/private/install/lib]
```

--------------------------------

### Example Output: libpq version < 10

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/troubleshoot_rotation.md

This output indicates that the rotation function uses an older version of libpq that does not support SCRAM-SHA-256 encryption. You must recreate the rotation function to support SCRAM-SHA-256.

```text
0x000000000000001d (RUNPATH) Library runpath: [/local/p4clients/pkgbuild-a1b2c/workspace/build/PostgreSQL/{{PostgreSQL-9.4.x}}_client_only.123456.0/AL2_x86_64/DEV.STD.PTHREAD/build/private/tmp/brazil-path/build.libfarm/lib:/local/p4clients/pkgbuild-a1b2c/workspace/src/PostgreSQL/build/private/install/lib]
```

--------------------------------

### Verify ASCP Plugin Pods

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/ascp-eks-installation.md

Verifies the ASCP plugin installation by listing pods labeled `app=csi-secrets-store-provider-aws` in the `kube-system` namespace. The output should show the pods in the `Running` state.
```bash
kubectl get pods -n kube-system -l app=csi-secrets-store-provider-aws
```

--------------------------------

### Deploy Example Application Pod

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/ascp-pod-identity-integration.md

This command deploys a sample application pod that mounts secrets from Secrets Manager using the configured SecretProviderClass. Ensure the SecretProviderClass is correctly set up for Pod Identity.

```bash
kubectl apply -f https://raw.githubusercontent.com/aws/secrets-store-csi-driver-provider-aws/main/examples/ExampleDeployment-PodIdentity.yaml
```

--------------------------------

### Retrieve a secret using Go with caching

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets_cache-go.md

This Go code example demonstrates a Lambda function that retrieves a secret string using the AWS Secrets Manager caching component. Ensure the AWS SDK for Go is installed and the necessary IAM permissions are granted. The handler uses the secret internally and returns only a status string, so the secret value never leaves the function in the response.

```go
package main

import (
	"github.com/aws/aws-lambda-go/lambda"
	"github.com/aws/aws-secretsmanager-caching-go/v2/secretcache"
)

var (
	// The cache is created once per execution environment and reused across invocations.
	secretCache, _ = secretcache.New()
)

func HandleRequest(secretId string) (string, error) {
	result, err := secretCache.GetSecretString(secretId)
	if err != nil {
		return "", err
	}
	_ = result // Use the secret here; do not return it to the caller.
	return "success", nil
}

func main() {
	lambda.Start(HandleRequest)
}
```

--------------------------------

### Verify SecretProviderClass CRD Installation

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/integrating_ascp_irsa.md

Check whether the SecretProviderClass Custom Resource Definition (CRD) is installed in your cluster.
```bash
kubectl get crd secretproviderclasses.secrets-store.csi.x-k8s.io
```

--------------------------------

### Instantiate Cache with Custom Configuration and Client (Rust)

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets_cache-rust.md

This example shows how to configure the cache with a custom AWS SDK client and region before retrieving a secret. It gives you more control over the caching behavior and the underlying client. The code runs inside an async context.

```rust
use std::num::NonZeroUsize;
use std::time::Duration;

use aws_config::{BehaviorVersion, Region};
use aws_secretsmanager_caching::SecretsManagerCachingClient;

// Load the default SDK configuration and override the region.
let config = aws_config::load_defaults(BehaviorVersion::latest())
    .await
    .into_builder()
    .region(Region::from_static("us-west-2"))
    .build();
let asm_builder = aws_sdk_secretsmanager::config::Builder::from(&config);

// Cache at most 10 secrets, each for 60 seconds.
let client = match SecretsManagerCachingClient::from_builder(
    asm_builder,
    NonZeroUsize::new(10).unwrap(),
    Duration::from_secs(60),
)
.await
{
    Ok(c) => c,
    Err(_) => panic!("Handle this error"),
};

let secret_string = match client.get_secret_value("MyTest", None, None).await {
    Ok(c) => c.secret_string.unwrap(),
    Err(_) => panic!("Handle this error"),
};
// Your code here
```

--------------------------------

### Install AWS Core Plugin for OpenAI Codex

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets-ai-agents.md

Install the `aws-core` plugin for OpenAI Codex agents. This automatically activates the secret safety skill and hook.

```bash
codex plugin add ./plugins/aws-core
```

--------------------------------

### Install AWS Core Plugin for Claude Code

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets-ai-agents.md

Install the `aws-core` plugin for Claude Code agents. This automatically activates the secret safety skill and hook.
```bash
claude plugin add ./plugins/aws-core
```

--------------------------------

### SecretCacheHook get Method

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets_cache-ref-secretcachehook.md

Use the `get` method to derive the final secret object from the cached data. This is useful for post-processing or transforming the secret after it has been retrieved from the cache.

```python
response = hook.get(
    obj='{{secret_object}}'
)
```

--------------------------------

### Install EKS Pod Identity Agent Add-on

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/ascp-pod-identity-integration.md

Install the Amazon EKS Pod Identity Agent add-on to your cluster. Replace `{{clusterName}}` and `{{region}}` with your cluster name and AWS region.

```bash
eksctl create addon \
  --name eks-pod-identity-agent \
  --cluster {{clusterName}} \
  --region {{region}}
```

--------------------------------

### Initialize SecretCache

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets_cache-ref-secretcache.md

Instantiate `SecretCache` with a configuration and a botocore Secrets Manager client (https://botocore.amazonaws.com/v1/documentation/api/latest/reference/services/secretsmanager.html).

```python
cache = SecretCache(
    config = SecretCacheConfig,
    client = client
)
```

--------------------------------

### Configure and Instantiate Go Secrets Manager Cache

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets_cache-go_cache.md

Shows how to create a custom Secrets Manager client and configure cache settings such as maximum size, version stage, and item TTL before instantiating the cache.

```go
// Create a custom secretsmanager client
client := getCustomClient()

// Create a custom CacheConfig struct
config := secretcache.CacheConfig{
	MaxCacheSize: secretcache.DefaultMaxCacheSize + 10,
	VersionStage: secretcache.DefaultVersionStage,
	CacheItemTTL: secretcache.DefaultCacheItemTTL,
}

// Instantiate the cache with the custom config and client
cache, _ := secretcache.New(
	func(c *secretcache.Cache) { c.CacheConfig = config },
	func(c *secretcache.Cache) { c.Client = client },
)
```

--------------------------------

### get

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets_cache-java-ref_SecretCacheHook.md

Derives an object from a cached object. This method is invoked when a secret is retrieved from the cache.

```APIDOC
## get

### Description
Derive the object from the cached object.

### Returns
- Object: The object to return from the cache.
```

--------------------------------

### Describe ASCP Add-on Configuration Schema

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/ascp-eks-installation.md

Fetches the configuration schema for a specific version of the ASCP add-on. Replace `{{addonVersion}}` with the add-on version obtained from `describe-addon-versions`.

```bash
aws eks describe-addon-configuration --addon-name aws-secrets-store-csi-driver-provider --addon-version {{addonVersion}}
```

--------------------------------

### get

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets_cache-ref-secretcachehook.md

Derives a secret object from the cached object. This method is called when retrieving a secret from the cache.

````APIDOC
## get

### Description
Derives the object from the cached object.

### Method
```
response = hook.get(
    obj='{{secret_object}}'
)
```

### Parameters
#### Path Parameters
- None

#### Query Parameters
- None

#### Request Body
- **obj** (object) - Required - The secret or object that contains the secret.

### Request Example
```json
{
  "obj": "{{secret_object}}"
}
```

### Response
#### Success Response (200)
- **response** (object) - The derived object from the cache.

#### Response Example
```json
{
  "response": "..."
}
```
````

--------------------------------

### Get Method

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets_cache-net-ISecretCacheHook.md

Derives the final object from the cached object. This method is called when a secret is retrieved from the cache.

```APIDOC
## Get

### Description
Derive the object from the cached object. Returns the object to return from the cache.

### Method Signature
`object Get(object cachedObject);`
```

--------------------------------

### Retrieve a secret using the Python cache

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets_cache-python.md

This example demonstrates how to initialize `SecretCache` with a botocore client and retrieve a secret string. The cache improves performance and reduces cost by holding secrets in process memory instead of calling the API on every lookup.

```python
import botocore
import botocore.session
from aws_secretsmanager_caching import SecretCache, SecretCacheConfig

client = botocore.session.get_session().create_client('secretsmanager')
cache_config = SecretCacheConfig()
cache = SecretCache(config = cache_config, client = client)

secret = cache.get_secret_string('{{mysecret}}')
```

--------------------------------

### Failover to a Different Secret

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/ascp-examples.md

Configure failover to a completely different secret, not just a replica, using this SecretProviderClass example.
```yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: aws-secrets
spec:
  provider: aws
  parameters:
    region: us-east-1
    failoverRegion: us-east-2
    objects: |
      - objectName: "arn:aws:secretsmanager:us-east-1:{{777788889999}}:secret:MySecret-a1b2c3"
        objectAlias: "MyMountedSecret"
        failoverObject:
          - objectName: "arn:aws:secretsmanager:us-east-2:{{777788889999}}:secret:MyFailoverSecret-d4e5f6"
```

--------------------------------

### Describe Pod for Errors

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/integrating_ascp_irsa.md

Get detailed information about a specific Pod, including events and status, to diagnose issues.

```bash
kubectl describe pod/{{podId}}
```

--------------------------------

### Apply Example SecretProviderClass for Pod Identity

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/ascp-pod-identity-integration.md

This command applies a sample SecretProviderClass configuration to your Kubernetes cluster. This configuration is required for the Secrets Store CSI driver to use Pod Identity for authentication.

```bash
kubectl apply -f https://raw.githubusercontent.com/aws/secrets-store-csi-driver-provider-aws/main/examples/ExampleSecretProviderClass-PodIdentity.yaml
```

--------------------------------

### Deploy Pod with SecretProviderClass

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/integrating_ascp_irsa.md

Deploy your application Pod, ensuring it references the SecretProviderClass for secret mounting.

```bash
kubectl apply -f ExampleDeployment.yaml
```

--------------------------------

### Install Secrets Manager Rust Caching Component

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets_cache-rust.md

Use this Cargo command to add the caching component to your Rust project.
```bash
cargo add aws_secretsmanager_caching
```

--------------------------------

### Get secrets by prefix

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets_github.md

Retrieve all secrets whose names begin with a specified prefix. The asterisk (`*`) acts as a wildcard for this purpose.

```yaml
- name: Get Secret Names by Prefix
  uses: 2
  with:
    secret-ids: |
      beta*    # Retrieves all secrets that start with 'beta'
```

--------------------------------

### Build and Run Docker Containers

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/workload-credentials-provider.md

Builds the Docker images and runs the containers defined in the Docker Compose file.

```bash
docker-compose up --build
```

--------------------------------

### Get Secret String from Cache

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets_cache-ref-secretcache.md

Retrieve a secret string value from the cache. Specify the secret ID and, optionally, the version stage.

```python
response = cache.get_secret_string(
    secret_id='{{string}}',
    version_stage='{{string}}'
)
```

--------------------------------

### Get Secret Binary from Cache

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets_cache-ref-secretcache.md

Retrieve a base64-encoded secret binary value from the cache. Specify the secret ID and, optionally, the version stage.

```python
response = cache.get_secret_binary(
    secret_id='{{string}}',
    version_stage='{{string}}'
)
```

--------------------------------

### Check CSI Driver Version

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/ascp-eks-installation.md

Inspect the installed CSI driver by retrieving its YAML definition. This helps confirm that the expected version is deployed.
```bash
kubectl get csidriver secrets-store.csi.k8s.io -o yaml
```

--------------------------------

### Check libpq version using readelf

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/troubleshoot_rotation.md

Run this command on a Linux-based computer after downloading and uncompressing the Lambda rotation function's deployment bundle to determine the libpq version. This helps diagnose issues with SCRAM-SHA-256 encryption.

```bash
readelf -a libpq.so.5 | grep RUNPATH
```

--------------------------------

### Get Secret using curl

Source: https://docs.aws.amazon.com/secretsmanager/latest/userguide/workload-credentials-provider.md

Retrieves a secret from the AWS Workload Credentials Provider using curl. Requires the SSRF token to be present in a file.

```bash
curl -v -H \
  "X-Aws-Parameters-Secrets-Token: $(