Using AWS Secrets Manager

Retrieve credentials from AWS Secrets Manager

This feature is available from version 22.10.28.2.

You may want to store credentials like usernames and associated passwords in AWS Secrets Manager. In that case, you can tell Replicant to retrieve credentials from Secrets Manager instead of reading them from plain YAML files.

Important: Make sure to set AWS credentials and the region either in the credentials file or as environment variables. For more information, see Set up AWS Credentials and Region for Development.

To fetch your credentials from AWS Secrets Manager, follow the steps below:

Modify the connection configuration file

In your connection configuration file, represent the value of each credential stored in AWS Secrets Manager using a URL. Notice the following about the structure of the URL:

  • Each URL should begin with arcion-sm://. This tells Replicant that a Secrets Manager holds the value.

  • The rest of the URL depends on where the key is stored in AWS Secrets Manager, the key being the name of the credential. For example, the username credential could have the following URL representation in the connection configuration file:

    username: arcion-sm://connectionConfig/username

    In the URL above, there are two parts:

    • connectionConfig represents the secret name where various secret keys are stored.
    • username is the secret key for which Replicant should retrieve the value from AWS Secrets Manager.

Below is a sample connection configuration file for MySQL where the host, port, username, and password credentials are stored in AWS Secrets Manager:

type: MYSQL

host: arcion-sm://connectionConfig/host
port: arcion-sm://connectionConfig/port
username: arcion-sm://connectionConfig/username
password: arcion-sm://connectionConfig/password

slaveServerIds: [1]
maxConnections: 20

maxRetries: 10
retryWaitDurationMs: 1000

Run Replicant

Run Replicant with the argument --use-sm-provider. The argument can take the following two values:

  • AWS: Replicant will try to read secrets from AWS Secrets Manager.

  • NONE: Replicant will expect the values of the configuration parameters to be in plain text in the YAML file itself, and will not look in Secrets Manager.

    The default value is NONE.

Below is a sample Replicant command specifying AWS Secrets Manager:

./bin/replicant test-connection conf/conn/mysql_dst.yaml --validate conf/validate/validationchecks.json --use-sm-provider AWS
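The following added example, which is not Replicant's own code, shows how a resolver for the arcion-sm://<secret-name>/<secret-key> references described above can behave, including the AWS and NONE provider modes. It assumes the named secret is a Secrets Manager key/value secret (a JSON object in SecretString), that the last path segment is the key and everything before it the secret name, and it fails closed when a key is missing so that a literal URL is never passed on as a password; the fetch_secret_offline helper and CONSTRUCTED_SECRETS are constructed sample data for running it without AWS access.

```python
import json
from typing import Any, Callable, Dict, Tuple

SCHEME = "arcion-sm://"

def parse_sm_url(url: str) -> Tuple[str, str]:
    """Split 'arcion-sm://<secret-name>/<secret-key>' into (secret name, key).
    Assumption: last path segment is the key, the rest is the secret name."""
    if not url.startswith(SCHEME):
        raise ValueError(f"not a Secrets Manager reference: {url!r}")
    secret_name, sep, key = url[len(SCHEME):].rpartition("/")
    if not sep or not secret_name or not key:
        raise ValueError(f"expected <secret-name>/<secret-key> after {SCHEME}: {url!r}")
    return secret_name, key

def fetch_secret_aws(secret_name: str) -> Dict[str, str]:
    # Real fetcher: needs boto3 plus AWS credentials and region (see the Important note).
    import boto3  # lazy import so the parser still runs without boto3 installed
    resp = boto3.client("secretsmanager").get_secret_value(SecretId=secret_name)
    return json.loads(resp["SecretString"])  # key/value secrets are a JSON object

# Constructed sample secret for the offline demo; not real credentials.
CONSTRUCTED_SECRETS = {"connectionConfig": {
    "host": "mysql.internal.example", "port": "3306",
    "username": "replicant", "password": "constructed-sample-password"}}

def fetch_secret_offline(secret_name: str) -> Dict[str, str]:
    return CONSTRUCTED_SECRETS[secret_name]

def resolve_config(config: Dict[str, Any], provider: str = "NONE",
                   fetch_secret: Callable[[str], Dict[str, str]] = fetch_secret_aws) -> Dict[str, Any]:
    """Return a copy of the config with arcion-sm:// values resolved; NONE leaves everything as written."""
    if provider == "NONE":
        return dict(config)
    if provider != "AWS":
        raise ValueError(f"--use-sm-provider must be AWS or NONE, got {provider!r}")
    cache: Dict[str, Dict[str, str]] = {}  # one API call per secret name, not per key
    resolved: Dict[str, Any] = {}
    for field, value in config.items():
        if not (isinstance(value, str) and value.startswith(SCHEME)):
            resolved[field] = value  # plain value, pass through untouched
            continue
        secret_name, key = parse_sm_url(value)
        if secret_name not in cache:
            cache[secret_name] = fetch_secret(secret_name)
        if key not in cache[secret_name]:
            # Fail closed: never let the literal URL be used as a credential.
            raise KeyError(f"secret {secret_name!r} has no key {key!r} (config field {field!r})")
        resolved[field] = cache[secret_name][key]
    return resolved
```

Values come back as the strings stored in the secret, so a port such as "3306" still needs converting where an integer is required.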