ADR-004 Use AWS Secrets Manager for Secrets
Status
✅ Accepted
Context
The Data Platform team will need a way to store secrets securely. There are several methods currently used across the MoJ, including Secrets Manager, Parameter Store, 1Password, Git-Crypt and GitHub Secrets.
We want to adhere to MoJ Security Guidance and align with other Hosting and Platform teams.
Decision
We are proposing to use Secrets Manager for secrets management. We can also use it for our GitHub Actions, as seen here.
AWS Systems Manager Parameter Store can be used to store non-secret information, e.g. environment parameters.
Consequences
General consequences
- All secrets will be stored in Secrets Manager
- Secret rotation via Secrets Manager should be used where possible
- We will need to manage mechanisms to retrieve credentials from Secrets Manager e.g. for GitHub Actions
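As an added illustration of the retrieval mechanism mentioned above (this is example code, not the Data Platform team's own workflow), the following GitHub Actions job obtains short-lived AWS credentials through OIDC federation and then reads a secret with the official aws-actions/aws-secretsmanager-get-secrets action, so no long-lived AWS access keys need to be held in GitHub Secrets. The AWS account id, the IAM role name, the region and the secret name `data-platform/db` are placeholders.

```yaml
name: deploy
on:
  push:
    branches: [main]

# id-token: write is required for the OIDC token exchange with AWS;
# everything else stays read-only.
permissions:
  id-token: write
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Assume a role whose trust policy only allows this repository's OIDC subject.
      # Account id and role name below are placeholders.
      - name: Configure AWS credentials via OIDC
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::111122223333:role/github-actions-secrets-reader
          aws-region: eu-west-2

      # Fetch the secret. Format of each line is "ENV_NAME, secret-id";
      # with parse-json-secrets the JSON keys are exposed as ENV_NAME_KEY.
      # "data-platform/db" is a placeholder secret name.
      - name: Fetch secret from Secrets Manager
        uses: aws-actions/aws-secretsmanager-get-secrets@v2
        with:
          secret-ids: |
            DB_CREDS, data-platform/db
          parse-json-secrets: true

      # The action registers the values as masked, so they are redacted in job logs.
      - name: Use the secret
        run: |
          psql "host=$DB_CREDS_HOST user=$DB_CREDS_USERNAME password=$DB_CREDS_PASSWORD dbname=$DB_CREDS_DBNAME" -c 'select 1'
```

The role the workflow assumes should carry only `secretsmanager:GetSecretValue` (and `kms:Decrypt` for the secret's key) scoped to the specific secret ARNs, and its trust policy should restrict the `token.actions.githubusercontent.com:sub` claim to the intended repository and branch; that keeps retrieval, rather than a copied key, as the only path to the credential.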
Advantages
- Cross-account access
- Has an official AWS GitHub Action
- Compatible with AWS services
- Automated secret rotation possible
- Users manage their own secrets
Disadvantages
- Secrets Manager is more expensive than Parameter Store
This page was last reviewed on 19 December 2024.
It needs to be reviewed again on 19 June 2025 by the page owner #analytical-platform-notifications.