
ADR-005 Use AWS Secrets Manager for Secrets

Status

✅ Accepted

Context

The Data Platform team will need a way to store secrets securely. There are several methods currently used across the MoJ, including Secrets Manager, Parameter Store, 1Password, Git-Crypt and GitHub Secrets.

We want to adhere to MoJ Security Guidance and align with other Hosting and Platform teams.

Decision

We are proposing to use Secrets Manager for secrets management. We can use it for our GitHub Actions workflows as seen here.

AWS Systems Manager Parameter Store can be used to store non-secret information, e.g. environment parameters.

Consequences

General consequences

  • All secrets will be stored in Secrets Manager
  • Secret rotation via Secrets Manager should be used where possible
  • We will need to manage mechanisms to retrieve credentials from Secrets Manager e.g. for GitHub Actions
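
One way to wire this up for GitHub Actions, added here as an illustration rather than the team's own workflow: the job authenticates to AWS with OIDC (so no long-lived AWS keys sit in GitHub Secrets) and pulls values with the official AWS action, which masks them in job logs. The role ARN, region, secret names and deploy script are placeholders.

```yaml
# Added example, not from the ADR: read secrets from AWS Secrets Manager in a
# GitHub Actions job. The role ARN, region, secret names and deploy script are
# placeholders; the two actions and their inputs are the real published ones.
name: deploy
on:
  push:
    branches: [main]

permissions:
  id-token: write   # needed to mint the OIDC token for AssumeRoleWithWebIdentity
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Exchange the workflow's OIDC token for short-lived AWS credentials.
      # Nothing static is stored in GitHub Secrets for this to work.
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/github-actions-data-platform  # placeholder
          aws-region: eu-west-2  # placeholder

      # Fetch secrets. Each line is "ENV_NAME, secret-id"; the action registers
      # every value as a masked environment variable for later steps.
      - uses: aws-actions/aws-secretsmanager-get-secrets@v2
        with:
          secret-ids: |
            DB_CREDS, data-platform/dev/db          # placeholder JSON secret
            API_TOKEN, data-platform/dev/api-token  # placeholder plain secret
          # A JSON secret {"username": ..., "password": ...} is expanded into
          # DB_CREDS_USERNAME and DB_CREDS_PASSWORD.
          parse-json-secrets: true

      - name: Deploy
        run: |
          # Values are masked in logs, but still avoid echoing them.
          ./deploy.sh --user "$DB_CREDS_USERNAME" --token "$API_TOKEN"  # placeholder script
```

The IAM role trusted by the OIDC provider should be scoped to this repository and branch and granted `secretsmanager:GetSecretValue` only on the named secrets, which is what gives the cross-account access listed under Advantages its least-privilege boundary.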

Advantages

  • Cross-account access
  • Has an official AWS GitHub Action
  • Compatible with AWS services
  • Automated secret rotation possible
  • Users manage their own secrets

Disadvantages

  • Secrets Manager is more expensive than Parameter Store

This page was last reviewed on 17 August 2023. It needs to be reviewed again on 17 February 2024 by the page owner #data-platform-notifications.