How to Manage Secrets Securely with AWS Secrets Manager and Lambda

Introduction

In modern cloud-native applications, managing sensitive information like API keys, database credentials, any third party service credentials and other secrets securely is a top priority. Hardcoding secrets into application code, environmental variables in lambda functions or configuration files can lead to serious security vulnerabilities and operational risks and this is where AWS Secrets Manager comes in—a fully managed service that enables you to store, retrieve, and rotate secrets securely.

When combined with AWS Lambda, Secrets Manager allows you to build powerful serverless applications that access secrets dynamically during the runtime, without ever exposing them in your codebase. In this blog, we'll explore how to integrate AWS Secrets Manager with Lambda functions, ensuring your application remains secure, scalable, and maintainable. Whether you're accessing a database, calling a third-party service, or simply avoiding secret sprawl, this guide will walk you through best practices and hands-on examples for secure secret management in AWS.


Creating a Secret in AWS Secrets Manager

The first step is to store your credentials in AWS Secrets Manager based on the type of secret you want to manage. When you open the service, you’ll start by choosing the secret type. For this tutorial, we’ll use “Other type of secret” and store an API key. 

You can store secrets in two ways: as key/value pairs or as plain text. Here, we’ll go with the key/value option, setting the key as api_key and assigning its value to the API key for your endpoint. 

Next, select the KMS encryption key to protect your secret. If you already have one, choose it; otherwise, create a new key. (I’ve already covered how to create and manage KMS keys in my earlier blog on KMS Server-Side Encryption.)

Finally, give your secret a meaningful name so it’s easy to find later. Continue to the next step where you’ll see the secret rotation option. For now, we’ll keep rotation disabled, but AWS Secrets Manager also allows you to configure automatic rotation by creating a custom Lambda function that securely updates your secrets on a schedule.


Attach IAM Policy to Your Lambda Role

Before your Lambda function can fetch secrets from AWS Secrets Manager, it needs the right permissions. This is where IAM roles come into play. 

So, don’t forget to attach the Secrets Manager policy to the Lambda execution role. At a minimum, you’ll need the following permission:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": "arn:aws:secretsmanager:REGION:ACCOUNT_ID:secret:YOUR_SECRET_NAME"
    }
  ]
}
Repalce with your REGION, ACCOUNT_ID and YOUR_SECRET_NAME in the resource field.

Accessing Secrets from Lambda

Now that we’ve stored the secrets and given Lambda the right permissions, it’s time to actually fetch the secret inside our function.
Here’s a simple example:
# Add this code snippet in lambda function to retrieve keys.
# You need to change the secret_name and region name with yours secret and region name.

import boto3
from botocore.exceptions import ClientError


def get_secret():
    secret_name = "api_key" # Replace here with your secret name
    region_name = "us-east-1" # Replace here with your region name


    # Create a Secrets Manager client
    session = boto3.session.Session()
    client = session.client(
        service_name='secretsmanager',
        region_name=region_name)

    try:
        get_secret_value_response = client.get_secret_value(
            SecretId=secret_name)
        
    except ClientError as e:
        raise e

    secret = get_secret_value_response['SecretString']

    return secret


Conclusion

Managing secrets the right way is crucial for building secure applications in the cloud. By using AWS Secrets Manager with Lambda, you can keep sensitive information out of your code, control access with IAM, and even enable automatic rotation when needed. This approach not only improves security but also makes your applications easier to maintain. Start small by securing one secret, and gradually extend this practice across your entire serverless stack.

Comments

for ict 99 said…
Managing sensitive information such as API keys, database credentials, and tokens is critical for building secure applications in the cloud. Amazon Web Services provides AWS Secrets Manager to securely store, retrieve, and manage secrets, while AWS Lambda enables running code without managing servers. Together, they offer a secure and scalable way to handle secrets in serverless applications.

The typical approach involves storing secrets in AWS Secrets Manager instead of hardcoding them in application code or environment variables. Cloud Security Projects Each secret is encrypted using AWS Key Management Service (KMS), ensuring data protection at rest. A Lambda function is then configured with appropriate IAM permissions to access the required secret. During execution, the Lambda function retrieves the secret dynamically using the AWS SDK, ensuring that sensitive data is never exposed in the codebase. Additionally, Secrets Manager supports automatic rotation of credentials, which enhances security by periodically updating secrets without manual intervention.

To further strengthen security, best practices include using least privilege access policies, enabling logging and monitoring with services like CloudWatch, and avoiding unnecessary exposure of secrets in logs or error messages. Integrating Secrets Manager with Lambda ensures that applications remain secure, maintainable, and compliant with modern security standards while simplifying secret management in cloud environments. Cloud Computing Projects
April 20, 2026 at 1:59 AM

Post a Comment

Popular posts from this blog

LSTM and BiLSTM Explained: Advanced Deep Learning Techiniques for Time Series Prediction

Image
While RNNs are great at handling sequences, they sometimes struggle with long-term dependencies . Imagine trying to remember a detail from 20 steps ago—RNNs often “forget” that information. That’s where  LSTM (Long Short-Term Memory) and later BiLSTM (Bidirectional LSTM) models are being used. These models are game-changers for solar power forecasting. Long Short-Term Memory LSTM is an advanced type of RNN designed to remember information for longer periods. It has special structures called gates: Forget Gate: Decides what information to throw away. Input Gate: Decides what new information to store. Output Gate: Decides what the model should output at each step. LSTMs handle long-term dependencies much better than regular RNNs. Since the same dataset was used here as well, you can read more about it in my earlier RNN blog . Model Results for LSTM The training graph shows that the loss decreases steadily as the number of epochs increases. This means the model learns patterns in th...
Read more

Step-by-Step Guide to Setting Up AWS SES with Configuration Sets

Image
  If you're seeking a reliable and cost-effective solution for email communication then AWS Simple Email Service (SES) is an excellent choice. This cloud-based service enables you to efficiently send and receive emails with ease. Prerequisites This tutorial offers a hands-on demonstration. Ensure you have an active AWS account to follow along AWS Login . 1.  What is AWS SES AWS Simple Email Service is a cloud-based service provided by AWS that enables the business and developers to send, receive, and manage email campaigns securely and cost-efficiently. Use Cases: Transactional email notifications for applications. Marketing Campaigns Newsletters System alerts Automated Reports 2.  Why Use AWS SES? Reliable and scalable infrastructure Cost-effective compared to third-party email services Integration with other AWS services like Lambda, CloudWatch, SNS, EventBridge and Pinpoint. Built-in tools to track email events (sent, deliveries, open, click, bounces, complaints) Secur...
Read more

Using ConnectorX and DuckDB in Python: Step by Step Guide

Image
Introduction When working with large datasets, execution time and efficiency comes into play. Traditional methods of extracting data from the relational databases into Python often involve loading everything into memory, which can be painful and very slow. That’s where connectorX and DuckDB come in handy. Together, they make data extraction and analytics in python very  fast and memory-efficient . What is ConnectorX? ConnectorX is an open-source library built to load data from databases directly into pandas, Polars, or NumPy efficiently. Instead of fetching row by row via  psycopg2  or  sqlalchemy ConnectorX p arallely fetch chunks of data and stream them directly into Python. Supports many databases: MySQL, SQLite, PostgreSQL, SQL Server, BigQuery, Snowflake, and many more. What is DuckDB? DuckDB is an in-process SQL OLAP database. Can query CSV, Parquet, JSON, Arrow datasets, and even pandas/Polars DataFrames. Works directly inside Python and R. Data pro...
Read more

AWS Lambda: When to Use and When to Avoid Serverless Computing

Image
AWS Lambda is one of the most widely adopted serverless computing services on Amazon Web Services. It allows developers to run code without provisioning or managing servers, revolutionizing how modern applications are built and deployed. While AWS Lambda is powerful and cost-effective for many use cases, it's not suitable for every workload. This comprehensive guide will help you understand when to use AWS Lambda and when to choose alternative AWS compute services. What Is AWS Lambda? AWS Lambda is a serverless, event-driven compute service that automatically runs your code in response to events and scales instantly based on demand. What You Don't Manage Servers – No infrastructure to provision or maintain Operating systems – Automatic patching and updates Capacity planning – Automatic scaling from zero to thousands of concurrent executions Lambda Pricing Model: Pay Only for What You Use Number of invocations – First 1 million requests per month are free Execution dur...
Read more

Creating a Scalable Lambda Layer for PostgreSQL or MySQL Drivers in Python

Image
Introduction When working with AWS Lambda functions in Python, especially in database-heavy applications, you often run into deployment package size limits or performance issues due to repeated bundling of common libraries like psycopg2 for PostgreSQL, python-oracledb for Oracle or  mysql-connector-python for MySQL. These database drivers are essential, yet bulky—leading to bloated deployment packages, slower cold starts, and painful debugging across environments. To address this, Lambda Layers offer a powerful solution. Layers allow you to package shared dependencies—such as database drivers—separately and reuse them across multiple functions, simplifying deployment and improving scalability. In this blog, we’ll walk through creating a scalable and reusable Lambda Layer for PostgreSQL or MySQL drivers using Python. You’ll learn not only how to build and deploy these layers, but also best practices to make your architecture more maintainable and efficient in the long run. Whet...
Read more

Kiro by AWS: The Agentic IDE That's Changing How Developers Build Software

Kiro is AWS's agentic AI IDE that goes beyond code generation — it plans, designs, executes, and documents your features as a true development partner. Built on Code OSS (the open-source foundation of VS Code), Kiro introduces spec-driven development to transform how software gets built from idea to production. This guide breaks down what Kiro is, what makes it different, and when it delivers the most value for developers. What Is Kiro? Kiro is an agentic AI IDE from AWS that understands the intent behind your prompts and orchestrates entire development workflows — planning, designing, coding, and documenting — without you having to manage any of that manually. What Kiro Handles For You Requirements documentation – Auto-generated in EARS notation from your natural language prompt System design – Analyzes your codebase and proposes architecture that fits your existing stack Task sequencing – An ordered, dependency-aware implementation plan created before a single line...
Read more

How to Configure AWS SES Event Destinations: Step-by-Step Methods

Image
Setting Up Amazon SES destinations Amazon Simple Email Service (SES) allows users to send, receive, and monitor emails at scale. One powerful feature is its ability to send event data (e.g., bounces, complaints, and delivery notifications) to various destinations. In this tutorial, we'll guide you through setting up SES destinations with the following services: Amazon Notification Service SNS Kinesis Data Firehose Amazon Pinpoint SNS as Destination Create an SNS topic Log in to the AWS Console and search for Simple Notification Service (SNS). Select it from the results. Navigate to the Topics section and click Create Topic. Choose Standard as the topic type, optionally add tags, and then click Create Topic to complete the setup. Type of SNS topic Configure the destination in SES Navigate to Simple Email Service (SES) and choose the configuration set where you want to add a destination. Click Add Destination, select the desired event types, and proceed to the next step. Under Destin...
Read more

Pandas vs Polars: Which One to Choose for Data Processing?

Image
Introduction If you’ve done any data work in Python, chances are you’ve used Pandas —it’s been the go-to library for data analysis and data preparation for years. But as datasets keep getting bigger and performance demands rise, a new player has entered the scene: Polars . Think of it as Pandas’ faster, more modern library. Both are great at handling data, but they differ quite a bit when it comes to speed, scalability, and the way they’re designed In this blog, we’ll dive into the differences between Pandas and Polars, and help you decide which one fits your use case. Pandas vs Polars Both Pandas and Polars can play an important role in data preparation and data analysis. Pandas: Pandas can integrated easily with s cikit-learn , Matplotlib, TensorFlow, and PyTorch. Built on top of  NumPy and designed for in-memory datasets Pandas is ideal for small to medium dataset. Polars: Uses  Apache Arrow memory model for efficient storage Designed to be multi-threaded and more memory...
Read more

Solar Energy Prediction Using Recurrent Neural Networks (RNN)

Image
Introduction When we think about renewable energy, solar power often comes to mind first. But there’s one big challenge: solar energy is not constant . It changes with weather, seasons, and even time of the day. To make solar power more reliable, predicting its future output becomes very important. That’s where machine learning - especially Recurrent Neural Networks (RNNs)  comes in. What is RNN A Recurrent Neural Network (RNN) is a type of deep learning model that is great at handling sequential data —data that comes in order, like time-series or speech. Unlike regular neural networks, RNNs remember past information by looping their outputs back into the network. This makes them perfect for tasks like predicting solar power output, stock prices, or even natural language processing. How RNN Works RNNs take input data step by step.  They store the output of the previous step and use it along with the new input to make better predictions.  This memory-like ability helps th...
Read more