ADR-004 Use AWS Secrets Manager for Secrets

Status

✅ Accepted

Context

The Data Platform team will need a way to store secrets securely. There are several methods currently used across the MoJ, including Secrets Manager, Parameter Store, 1Password, Git-Crypt and GitHub Secrets.

We want to adhere to MoJ Security Guidance and align with other Hosting and Platform teams.

Decision

We are proposing to use Secrets Manager for secrets management.

AWS Systems Manager Parameter Store can be used to store non-secret information, e.g. environment parameters.

Consequences

General consequences

  • All secrets will be stored in Secrets Manager
  • Secret rotation via Secrets Manager should be used where possible
  • We will need to manage mechanisms to retrieve credentials from Secrets Manager e.g. for GitHub Actions
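As an added illustration of the retrieval mechanism mentioned above (not part of the original ADR), the workflow below obtains short-lived AWS credentials through GitHub's OIDC provider and reads a secret with the official AWS action, so no long-lived access keys are stored as GitHub Secrets. The account id, role name, region, secret name and script path are placeholders.

```yaml
# Added example, not the Analytical Platform's own workflow.
# Placeholders: account id 111122223333, role name, region, secret name, script.
name: deploy
on:
  push:
    branches: [main]

permissions:
  id-token: write   # required to request the GitHub OIDC token
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Assume an IAM role via OIDC. The role's trust policy should restrict
      # the allowed repository/branch, and its permissions policy should grant
      # secretsmanager:GetSecretValue only on the specific secret ARNs needed.
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::111122223333:role/github-actions-deploy   # placeholder
          aws-region: eu-west-2   # placeholder

      # Fetch the secret and inject it as masked environment variables.
      # "DB" is an alias for the placeholder secret name; with parse-json-secrets
      # a JSON secret {"username": ..., "password": ...} becomes
      # DB_USERNAME and DB_PASSWORD in the job environment.
      - name: Fetch secrets from Secrets Manager
        uses: aws-actions/aws-secretsmanager-get-secrets@v2
        with:
          secret-ids: |
            DB,analytical-platform/dev/database
          parse-json-secrets: true

      # The placeholder script reads $DB_USERNAME and $DB_PASSWORD from the
      # environment; the values are masked in the job log by the action.
      - name: Run deployment
        run: ./scripts/deploy.sh
```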

Advantages

  • Cross-account access
  • Has an official AWS GitHub Action
  • Compatible with AWS services
  • Automated secret rotation possible
  • Users manage their own secrets

Disadvantages

  • Secrets Manager is more expensive than Parameter Store

Last reviewed: 19 December 2024
Review status: ✗ Review overdue
Owner: #analytical-platform-notifications
