AWS Secrets Manager

This lab covers configuring Retool with AWS Secrets Manager to store and manage secrets.

Requirements

To configure secrets management you will need:

  • An AWS account with administrative privileges to configure AWS Secrets Manager.
  • Retool running on an Amazon EC2 instance.

Steps

These steps follow the Retool documentation at:

https://docs.retool.com/self-hosted/guides/secrets/aws

  • Log in to the AWS Console and go to Amazon RDS > Create database. Complete the form using the images below as an example.

[Screenshots: Postgres1, Postgres2, Postgres3 (RDS Create database form)]

NOTE: This example assumes that Retool has been installed on an Amazon EC2 instance in the same VPC as the Amazon RDS database that will be created. If your Retool instance is running locally on your laptop, then in the Compute resource section select Don’t connect to an EC2 compute resource. You will also need to enable Public access so that Retool running locally can connect over the Internet.

  • Create a policy by going to AWS Management Console > IAM > Policies > Create Policy.
  • Select JSON and paste the policy below (replace the two placeholders with your Region and Account ID).

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "secretsmanager:GetSecretValue",
            "secretsmanager:DescribeSecret"
          ],
          "Resource": ["arn:aws:secretsmanager:[SPECIFY your Region]:[SPECIFY your AccountId]:secret:retool/*"]
        },
        {
          "Effect": "Allow",
          "Action": ["secretsmanager:ListSecrets"],
          "Resource": "*"
        }
      ]
    }
  • Create an IAM role for EC2 using the policy created previously.
  • Attach the IAM role to the EC2 instance: go to EC2 > Actions > Security > Modify IAM role.
  • In Retool, go to Settings > Secrets Manager.
  • Specify the Region, the Retool Namespace (the secret name prefix the policy above allows, retool/) and the Cache TTL.

[Screenshot: Secrets1 (Retool Secrets Manager settings)]

  • Test the connection.

[Screenshot: Secrets2 (connection test)]

  • The connection is saved and is displayed at the top of the list, as shown in the following figure.

[Screenshot: Secrets3 (saved connection list)]

  • Create a PostgreSQL Resource. Use the connection string provided when the database is started and choose Username/Password authentication.
  • For the Username, enter the following (replace [saved_secret_name] with the name of your secret, without the namespace prefix):

    {{secrets.[saved_secret_name].username}}

  • For the Password, enter the following:

    {{secrets.[saved_secret_name].password}}

  • The updated resource connection details should appear similar to the following:

[Screenshot: Secrets4 (resource connection details using secret references)]
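To see why the Resource ARN in the IAM policy above is scoped to retool/* and why the Retool Namespace must line up with it, here is an added offline check (not part of the Retool docs) that evaluates the lab's policy against sample secret ARNs. The region, account ID and secret names are constructed placeholders.

```python
"""Offline check of the lab's IAM policy: which secrets can the Retool EC2
role actually read? Region, account id and secret names are constructed."""
import fnmatch
import json

REGION, ACCOUNT_ID = "us-east-1", "123456789012"  # constructed placeholders

# The policy from the lab with the two placeholders filled in.
POLICY = json.loads(f"""
{{
  "Version": "2012-10-17",
  "Statement": [
    {{"Effect": "Allow",
      "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
      "Resource": ["arn:aws:secretsmanager:{REGION}:{ACCOUNT_ID}:secret:retool/*"]}},
    {{"Effect": "Allow", "Action": ["secretsmanager:ListSecrets"], "Resource": "*"}}
  ]
}}""")


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to list."""
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource_arn):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any Allow
    whose Action and Resource patterns match (IAM wildcards * and ?) grants."""
    decision = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource_arn, p) for p in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision


def secret_arn(name, suffix="AbCdEf"):
    """Secrets Manager appends '-' plus six random characters to every secret
    ARN, so even an exactly named secret needs the trailing * in the policy."""
    return f"arn:aws:secretsmanager:{REGION}:{ACCOUNT_ID}:secret:{name}-{suffix}"


if __name__ == "__main__":
    for name in ["retool/postgres", "prod/payments-db"]:
        ok = is_allowed(POLICY, "secretsmanager:GetSecretValue", secret_arn(name))
        print(f"{name}: GetSecretValue {'allowed' if ok else 'denied'}")
```

A secret stored outside the retool/ namespace is listable but not readable by the role, and the policy grants no write actions at all.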

Cleanup of Amazon RDS and AWS Secrets Manager

The following steps can be used to clean up the Retool resource, the Amazon RDS instance and the secret.

Delete the Resource in Retool

Go to Retool Home Page > Resources > (select Resource created previously) > … > Delete.

Delete the Amazon RDS Database

Go to AWS Console > Amazon RDS > Select Database > Actions > Delete.

NOTE: RDS will ask whether to create a final snapshot prior to deletion. This is not necessary for the lab and can be skipped.

Delete the AWS Secrets Manager Entry

Go to AWS Secrets Manager > select the created secret > Actions > Delete secret.