Use Amazon Secrets Manager to track database passwords or third-party API keys - Amazon CodePipeline

We recommend that you use Amazon Secrets Manager to rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. Secrets Manager enables you to replace hardcoded credentials in your code (including passwords) with an API call to Secrets Manager to retrieve the secret programmatically. For more information, see What Is Amazon Secrets Manager? in the Amazon Secrets Manager User Guide.

For pipelines where you pass parameters that are secrets (such as OAuth credentials) in an Amazon CloudFormation template, you should include dynamic references in your template that access the secrets you have stored in Secrets Manager. For the reference ID pattern and examples, see Secrets Manager Secrets in the Amazon CloudFormation User Guide. For an example that uses dynamic references in a template snippet for a GitHub webhook in a pipeline, see Webhook Resource Configuration.
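The following check is an added example, not code from the AWS documentation: it parses Secrets Manager dynamic references and flags secret-bearing template properties that still hold a literal value. The secret name `MyGitHubSecret`, the JSON key `token`, the set of property names checked, and the trimmed JSON template fragment are all assumptions constructed for illustration.

```python
import json
import re

# Documented form: {{resolve:secretsmanager:secret-id:secret-string:json-key:version-stage:version-id}}
DYNAMIC_REF = re.compile(r"^\{\{resolve:secretsmanager:(?P<rest>.+)\}\}$")
FIELDS = ("secret_id", "secret_string", "json_key", "version_stage", "version_id")
# Property names treated as secret-bearing: an assumption of this example, extend as needed.
SECRET_PROPS = {"SecretToken", "OAuthToken", "MasterUserPassword"}

# Constructed fragment (only the properties relevant here): weak form beside the corrected one.
TEMPLATE = json.loads("""
{"Resources": {
  "WeakWebhook": {"Type": "AWS::CodePipeline::Webhook", "Properties": {
    "Authentication": "GITHUB_HMAC",
    "AuthenticationConfiguration": {"SecretToken": "constructed-plaintext-token"}}},
  "FixedWebhook": {"Type": "AWS::CodePipeline::Webhook", "Properties": {
    "Authentication": "GITHUB_HMAC",
    "AuthenticationConfiguration": {
      "SecretToken": "{{resolve:secretsmanager:MyGitHubSecret:SecretString:token}}"}}}
}}
""")

def parse_ref(value):
    """Split a whole-value dynamic reference into its segments, or return None."""
    m = DYNAMIC_REF.match(value) if isinstance(value, str) else None
    if not m:
        return None
    parts = m.group("rest").split(":")
    n = 7 if parts[0] == "arn" else 1  # a secret ARN spans seven colon-separated fields
    if len(parts) < n or len(parts) > n + 4:
        return None
    values = [":".join(parts[:n])] + parts[n:] + [""] * (n + 4 - len(parts))
    return dict(zip(FIELDS, values))

def find_hardcoded(node, path=""):
    """Return paths of secret-bearing properties whose value is a literal string."""
    hits = []
    if isinstance(node, dict):
        for key, val in node.items():
            here = f"{path}/{key}"
            if key in SECRET_PROPS and isinstance(val, str) and parse_ref(val) is None:
                hits.append(here)
            hits += find_hardcoded(val, here)
    elif isinstance(node, list):
        for i, val in enumerate(node):
            hits += find_hardcoded(val, f"{path}/{i}")
    return hits

if __name__ == "__main__":
    for p in find_hardcoded(TEMPLATE):
        print("literal secret value at", p)
```

Values supplied through intrinsic functions such as `Ref` are not strings and are left unflagged; review those parameters separately.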

The following related resources can help you as you manage secrets.