Add more guidance about managing secrets

[marfire]

In the environment variables section, I think it would be helpful to include specific advice on managing secrets (SECRET_KEY, say).

Not everyone agrees that putting secrets in environment variables is a good idea, but I think everyone agrees that they shouldn't be checked into your code repository? Given that, you need some way to specify secrets outside of settings.py or zappa_settings.py.

It seems to me that defining them as Lambda environment variables is a pretty good solution, making this comment too strong:

This method [Lambda Environment Variables] is generally only useful for system-generated variables since custom variables can more easily be configured in zappa settings (see above).

[monkeypants]

maybe some guidance about using KMS would be useful here - hiding the secrets from even yourself, not just the repo (etc)

[djstein]

hey! It is very possible to use the Amazon SecretsManager for this! An example for getting secret key is below:

import boto3

endpoint_url = "https://secretsmanager.us-east-1.amazonaws.com"
region_name = "us-east-1"

session = boto3.session.Session()
client = session.client(
    "secretsmanager",
    region_name=region_name,
    endpoint_url=endpoint_url
)
django_secret_key_response = client.get_secret_value(SecretId='DJANGO_SECRET_KEY')

DJANGO_SECRET_KEY = django_secret_key_response.get('SecretString')

SECRET_KEY = DJANGO_SECRET_KEY if DJANGO_SECRET_KEY else env.str('DJANGO_SECRET_KEY')

[edgarroman]

Thanks folks - looks like I need to create a 'Managing Secrets' section!

[djstein]

@edgarroman I must note however, that if you place your Lambda function behind a VPC to connect to RDS this turns into a different problem where the function will not be able to reach out to the internet to GET the values. Then one has to do the whole configure public/private subnets, internet gateway, NAT gateway, correct route tables.

[edgarroman]

Good to know. I have not used AWS Secrets Manager myself, but it appears the limitation you mention could be mitigated via a Secrets Manager VPC endpoint: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotation-network-rqmts.html
I will definitely have to research...