AWS Secrets Manager
How to store secrets in AWS
The AWS secrets manager is a secrets manager flavor provided with the ZenML
awsintegration that uses AWS to store secrets.
We are deprecating secrets managers in favor of the centralized ZenML secrets store. Going forward, we recommend using the secrets store instead of secrets managers to configure and store secrets.
If you already use secrets managers to manage your secrets, please use the provided
zenml secrets-manager secrets migrateCLI command to migrate your secrets to the centralized secrets store.
To continue using AWS Secrets Manager as the service of choice for managing your secrets in the cloud, configure your ZenML server to connect to and use the AWS Secrets Manager service directly as a back-end for the centralized secrets store and then use
zenml secretCLI commands to manage your secrets instead of
zenml secrets-manager secretCLI commands. You no longer need to register the AWS secrets manager stack component or add it to your active stack.
Alternatively, you may use any of the other secrets store back-ends that the ZenML server supports, such as Google Secret Manager, Azure Key Vault, HashiCorp Vault, or even the ZenML SQL database.
You should use the AWS secrets manager if:
- a component of your stack requires a secret for authentication, or you want to use secrets inside your steps.
- you're already using AWS, especially if your orchestrator is running in AWS. If you're using a different cloud provider, take a look at the other secrets manager flavors.
The AWS secrets manager is automatically activated once you create an AWS account.
To use the AWS secrets manager, we need:
We can then register the secrets manager and use it in our active stack:
zenml secrets-manager register <NAME> \
# Add the secrets manager to the active stack
zenml stack update -x <NAME>
You can now register, update or delete secrets using the CLI or fetch secret values inside your steps.
You can use secret scoping with the AWS Secrets Manager to emulate multiple Secrets Manager namespaces on top of a single AWS region.
For more information and a full list of configurable attributes of the AWS secrets manager, check out the API Docs.