Integrating with AWS Secrets Manager
Because Airplane tasks are written in standard code, you can use the AWS SDKs to read secrets from
AWS Secrets Manager (and other AWS services such as AWS Parameter Store).
Authenticating with AWS
AWS SDKs support configuring credentials by setting the `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` environment variables. You can create Config variables
to store these credentials and attach them as environment variables to your task. (See examples
below.) While this does require you to store AWS API keys in Airplane, this allows you to keep the secrets
themselves within AWS.
If you're self-hosting on AWS, you can use IAM roles and avoid API keys entirely. See
Custom IAM roles for details.
Example code
For TypeScript tasks, we'll need `@aws-sdk/client-secrets-manager` to talk to the AWS API and fetch the secret:

```shell
npm install @aws-sdk/client-secrets-manager
```
We can define a `getSecret` function:

```typescript
// getSecret.ts
import { SecretsManagerClient, GetSecretValueCommand } from "@aws-sdk/client-secrets-manager";

// Credentials and region are read from the task's environment variables.
const client = new SecretsManagerClient({});

export const getSecret = async (secretName: string) => {
  const command = new GetSecretValueCommand({ SecretId: secretName });
  const results = await client.send(command);
  return results.SecretString;
};
```
And re-use it across tasks:
```typescript
// get_aws_secret.airplane.ts
import airplane from "airplane";
import { getSecret } from "./getSecret";

export default airplane.task(
  {
    slug: "get_aws_secret",
    name: "Get AWS secret",
    envVars: {
      // Change to your secret's region
      AWS_DEFAULT_REGION: "us-west-2",
      // If you're self-hosting on AWS, you can use IAM roles instead:
      // https://docs.airplane.dev/self-hosting/aws#custom-iam-roles
      AWS_ACCESS_KEY_ID: { config: "AWS_ACCESS_KEY_ID" },
      AWS_SECRET_ACCESS_KEY: { config: "AWS_SECRET_ACCESS_KEY" },
    },
  },
  async (params) => {
    const secret = await getSecret("test/apiKey");
    // Do something with secret!
    // Log only a mask of the same length, never the value itself.
    console.log(`Secret: ${"*".repeat(secret?.length ?? 0)}`);
  },
);
```
For Python tasks, we'll need `boto3` to talk to the AWS API and fetch the secret:

```shell
pip install boto3
```
We can define a `get_secret` function:

```python
# get_secret.py
import boto3

# Credentials and region are read from the task's environment variables.
client = boto3.client("secretsmanager")

def get_secret(secret_name):
    response = client.get_secret_value(SecretId=secret_name)
    return response["SecretString"]
```
And re-use it across tasks:
```python
# get_aws_secret_airplane.py
import airplane
from get_secret import get_secret

@airplane.task(
    env_vars=[
        airplane.EnvVar(
            name="AWS_DEFAULT_REGION",
            value="us-west-2",
        ),
        airplane.EnvVar(
            name="AWS_ACCESS_KEY_ID",
            config_var_name="AWS_ACCESS_KEY_ID",
        ),
        airplane.EnvVar(
            name="AWS_SECRET_ACCESS_KEY",
            config_var_name="AWS_SECRET_ACCESS_KEY",
        ),
    ],
)
def get_aws_secret():
    secret = get_secret("test/apiKey")
    # Do something with secret!
    s = "*" * len(secret)
    print(f"Secret: {s}")
```
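The following is an added example, not Airplane's own code, that goes beyond `get_secret` above: it also handles secrets stored as `SecretBinary` (where `response["SecretString"]` raises `KeyError`) and caches values for a TTL so a rotated secret is picked up on the next refresh. `SecretCache`, `StubClient`, `demo` and the sample values are hypothetical names and constructed data; the stub stands in for the boto3 client so the block runs offline.

```python
import time

class SecretCache:
    """Fetch secrets through any client exposing get_secret_value (e.g. boto3's)."""
    def __init__(self, client=None, ttl_seconds=300, clock=time.monotonic):
        if client is None:
            import boto3  # imported lazily so the offline demo needs no AWS setup
            client = boto3.client("secretsmanager")
        self._client = client
        self._ttl = ttl_seconds
        self._clock = clock
        self._cache = {}  # secret name -> (expiry time, value)

    def get(self, secret_name):
        now = self._clock()
        hit = self._cache.get(secret_name)
        if hit and hit[0] > now:
            return hit[1]  # still fresh: no API call
        response = self._client.get_secret_value(SecretId=secret_name)
        # A secret carries either SecretString (str) or SecretBinary (bytes).
        value = response.get("SecretString")
        if value is None:
            value = response["SecretBinary"]
        self._cache[secret_name] = (now + self._ttl, value)
        return value

class StubClient:
    """Constructed stand-in for the Secrets Manager client (assumption)."""
    def __init__(self, secrets):
        self.secrets, self.calls = secrets, 0

    def get_secret_value(self, SecretId):
        self.calls += 1
        value = self.secrets[SecretId]
        key = "SecretBinary" if isinstance(value, bytes) else "SecretString"
        return {"Name": SecretId, key: value}

def demo():
    # Constructed sample secrets; not real credentials.
    stub = StubClient({"test/apiKey": "constructed-value", "test/blob": b"\x00\x01"})
    fake_now = [0.0]
    cache = SecretCache(stub, ttl_seconds=60, clock=lambda: fake_now[0])
    first = cache.get("test/apiKey")   # API call 1
    cache.get("test/apiKey")           # served from cache
    fake_now[0] = 61.0                 # TTL elapsed
    stub.secrets["test/apiKey"] = "rotated-value"
    return first, cache.get("test/apiKey"), cache.get("test/blob"), stub.calls
```

In a task, `SecretCache()` with no arguments builds the real boto3 client from the same environment variables as above.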