Create Secret Manager in AWS using Terraform

In this article we are going to go over creating a Secrets Manager secret in AWS using Terraform.

What is Secret Manager in AWS?

AWS Secrets Manager is a fully managed service provided by Amazon Web Services (AWS) that helps you protect access to your applications, services, and IT resources without the upfront investment and ongoing maintenance costs of operating your own infrastructure. The primary purpose of AWS Secrets Manager is to securely store and manage sensitive information, such as API keys, database passwords, and other credentials.

It helps keep your critical secrets safe by providing a centralized and managed storage solution. Instead of embedding these secrets directly in your applications or configuration files, you can store them in AWS Secrets Manager. This adds an extra layer of security and makes it easier to manage and update sensitive information.

Here’s a simple breakdown:

  1. Centralized Management: Keeps everything in one organized location.
  2. Avoid Hardcoding: Rather than putting passwords and keys directly in your code, you fetch them securely from Secrets Manager.
  3. Easy Updates: If your secrets change, you can update them in one place, and applications automatically get the latest version.
  4. Security Features: Provides additional security features like automatic rotation of secrets and access control, making sure only authorized entities can access the secrets.

Key features and aspects of AWS Secrets Manager include:

  1. Secure Storage: AWS Secrets Manager provides a secure and centralized location for storing sensitive information. This helps prevent the inadvertent exposure of sensitive data in application code or configuration files.
  2. Automatic Rotation: AWS Secrets Manager can automatically rotate (update) the credentials used by your applications and services. For example, it can regularly rotate database passwords, reducing the risk associated with long-lived credentials.
  3. Integration with AWS Services: Secrets Manager seamlessly integrates with various AWS services, making it easy to use stored secrets in your applications. For instance, you can use Secrets Manager to securely store database credentials and then reference them directly in an Amazon RDS or Amazon Redshift configuration.
  4. Access Control: AWS Secrets Manager provides fine-grained access control through AWS Identity and Access Management (IAM). You can define who has access to retrieve or update specific secrets.
  5. Auditing and Logging: Secrets Manager provides audit trails and logging capabilities, allowing you to monitor who accessed the secrets and when. This can be crucial for compliance and security auditing purposes.
  6. Versioning: Secrets Manager supports versioning of secrets, enabling you to keep track of changes over time. This feature is beneficial for troubleshooting and rollback scenarios.
  7. Ease of Use: Integrating with Secrets Manager in your applications is straightforward. AWS SDKs and APIs make it easy to retrieve and use secrets securely in your code.

Let’s break down the process of creating a PostgreSQL database using Terraform, with AWS Secrets Manager securing your database credentials.

Scenario:

You have a super important application that stores valuable information in a PostgreSQL database. But, uh-oh, your database password is currently just sitting there, exposed in your application code. If someone gets hold of it, they could potentially mess with your precious data.



Install Terraform:

Make sure you have Terraform installed on your machine. You can download it from and follow the installation instructions.

Configure AWS Credentials:

Ensure you have your AWS credentials configured on your machine. You can set them up by either setting environment variables or configuring the ~/.aws/credentials file.

aws_access_key_id = YOUR_ACCESS_KEY
aws_secret_access_key = YOUR_SECRET_KEY
region = YOUR_REGION

Create a folder named terraform-demo-secrets and open it in Visual Studio Code.

Create Secret Manager in AWS using Terraform

Create a new Terraform configuration file, for example,

Here’s a simplified Terraform script:

provider "aws" {
  region = "ap-south-1"  # Replace with your preferred region
}

# Customer-managed KMS key used to encrypt the secret; AWS rotates the key material automatically
resource "aws_kms_key" "demo_kms_key" {
  description             = "KMS key for demo credentials rotation"
  enable_key_rotation     = true
  deletion_window_in_days = 7
}

# The secret container; its value lives in a separate version resource below
resource "aws_secretsmanager_secret" "demo_credentials" {
  name       = "demo-credentials"
  kms_key_id = aws_kms_key.demo_kms_key.key_id
}

# The secret value, stored as a JSON document
resource "aws_secretsmanager_secret_version" "demo_credentials_version" {
  secret_id     = aws_secretsmanager_secret.demo_credentials.id
  secret_string = jsonencode({
    username = "db_admin"
    password = "P@ssw0rd"  # demo value only; a literal here also ends up in Terraform state
  })
}

Create a Secure Vault (Secrets Manager):

Imagine you have a super-secret vault called AWS Secrets Manager. You put your database username and password in this vault, and it’s like Fort Knox for your sensitive information.

In the code above, we create a secret in AWS Secrets Manager (aws_secretsmanager_secret.demo_credentials) and associate it with the KMS key for encryption.

Lock It with a Special Key (KMS Key):

To add an extra layer of protection, you use a special key called AWS Key Management Service (KMS) to lock your vault. Only with this key can someone open the vault and get the secrets.

In the code above, we create a KMS key (aws_kms_key.demo_kms_key) that will be used for encrypting the secrets stored in Secrets Manager. This key is configured for automatic rotation (enable_key_rotation = true).

Teach Your Vault to Change Locks (Automatic Rotation):

Now, the cool part – you teach your vault to change locks automatically. This means that even if someone somehow gets hold of the key, it won’t work forever. The lock changes regularly, like having a new password for your vault that rotates on its own. Note that the script above enables rotation of the KMS key material; rotating the database password itself additionally requires an aws_secretsmanager_secret_rotation configuration backed by a rotation function, which the simplified script does not include.

Finally, we create a PostgreSQL database instance (aws_db_instance.postgres_instance) using the credentials from the secret; that resource is not shown in the simplified script above.
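Here is an added example (not part of the original article) that extends the script above: the password is generated by Terraform instead of being typed into the file, the RDS instance reads its credentials from the secret, and an IAM policy document grants an application role only what it needs. The resource names random_password.db, aws_db_instance.postgres_instance and the policy document are assumed for this example, and it needs the hashicorp/random provider alongside hashicorp/aws.

```hcl
# Added example, not the article's own code. Replaces the hard-coded
# secret_string of the article's version resource and adds the database.
resource "random_password" "db" {
  length           = 24
  special          = true
  override_special = "!#$%&*()-_=+[]{}<>:?" # RDS rejects '/', '@', '"' and spaces
}

# Secret value now comes from random_password, never from a literal in the file
resource "aws_secretsmanager_secret_version" "demo_credentials_version" {
  secret_id = aws_secretsmanager_secret.demo_credentials.id
  secret_string = jsonencode({
    username = "db_admin"
    password = random_password.db.result
  })
}

locals {
  # Read the credentials back from the secret so the database uses the same values
  db_creds = jsondecode(aws_secretsmanager_secret_version.demo_credentials_version.secret_string)
}

resource "aws_db_instance" "postgres_instance" {
  identifier          = "demo-postgres"
  engine              = "postgres"
  instance_class      = "db.t3.micro"
  allocated_storage   = 20
  username            = local.db_creds["username"]
  password            = local.db_creds["password"]
  storage_encrypted   = true
  kms_key_id          = aws_kms_key.demo_kms_key.arn # reuse the key for storage encryption
  publicly_accessible = false
  skip_final_snapshot = true # demo only; keep a final snapshot in production
}

# Least privilege: the application role may read this one secret and decrypt with this one key
data "aws_iam_policy_document" "read_demo_credentials" {
  statement {
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [aws_secretsmanager_secret.demo_credentials.arn]
  }
  statement {
    actions   = ["kms:Decrypt"]
    resources = [aws_kms_key.demo_kms_key.arn]
  }
}
```

The generated password is still written to Terraform state, so protect the state backend (encryption and restricted access) as carefully as the secret itself.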

Let Terraform Do the Magic:

Initialize and Apply Terraform Configuration

Run the following commands in your terminal:

terraform init

terraform plan

terraform apply

Enter “yes” when prompted to apply the changes.

Verify Resources in AWS Console

Check the AWS Secrets Manager console to see the “demo-credentials” secret. Verify the KMS key (with key rotation enabled) in the AWS KMS console and, if you added the database resource, the RDS instance in the RDS console.


Clean Up (Optional)

To clean up the resources created by Terraform, run:

terraform destroy

Enter “yes” when prompted to destroy the resources.

You use Terraform, your magical assistant, to set up this entire process. Terraform creates your PostgreSQL database, sets up the vault (Secrets Manager), attaches the special key (KMS Key) for added security, and teaches the vault to change locks automatically (rotation).


In this article we have covered what Secrets Manager in AWS is and how to create a Secrets Manager secret in AWS using Terraform.


About Monica Mahire

Working as DevOps Intern, Likes to explore new tools and share knowledge.
