Keeping secrets can be tricky. Thankfully, Amazon Web Services has several tools in its toolbox to help. Let’s start by talking about AWS Secrets Manager and then go on to show how you can work easily with Amazon secrets in your Delphi cross-platform apps.
Table of Contents
What is The AWS Secrets Manager?
AWS Secrets Manager is exactly what it sounds like. Secrets Manager is the go-to place when you need to store something secret on Amazon Web Services, like a password for a database. You create a secret and retrieve it when needed in its most straightforward usage. Let’s look at how we can do that in Delphi.
[crayon-673f2a864eb5f880144190/]This program will store a password “MyVerySecretPassword” in AWS Secrets Manager in the current AWS region under the name “prod/MyApplication/MyDBPassword”.
NOTE: It is good practice to use a naming convention for your secrets, like in this case, “Deployment Stage/Application Name/Application Secret Name”.
So, now we have a secret stored, let’s look at how to get it back when we need it.
This is Secrets Manager working in its simplest form. Secrets Manager is a high-level service capable of organising secrets with meta-data, automatically rotating secrets on a specified schedule, all neatly taken care of.
So, cryptography is a complicated business; how does Secrets Manager handle encryption keeping all the necessary complexity hidden? The answer is AWS Key Management Service (AWS KMS), let’s talk about KMS…
What is AWS Key Management Service (AWS KMS)?
AWS Key Management Service is the service other AWS services use when they need cryptographic services. Amazon S3 uses it to enable encryption-at-rest for stored objects, and Amazon Simple Email Service uses KMS to store messages encrypted-at-rest, to name a couple of examples.
Each AWS service that uses KMS stores an encryption key generated for your account in each region under an alias; for example, Secrets Manager uses the alias aws/secretsmanager
. In addition to AWS services, you can generate and store your own encryption keys on KMS for your purposes. Let’s look at how you can create an encryption key, use it to encrypt some simple text data, and decrypt the encrypted data.
In the following example, we use the key’s alias alias/MyApp
to reference the encryption key when decrypting the value. Using an alias makes the key easy to locate in future operations.
You may wonder why you’d choose to use KMS over Secrets Manager; after all, these programs do basically the same thing. The answer is a combination of costs and features. Secrets Manager is easier to use, but there is a cost per secret stored, currently $0.40/secret/month, where KMS is charged per key, which could be used to encrypt/decrypt many secrets. If you’re looking for a simple, managed solution that handles secret rotation and has integrations with services like Amazon Relational Database Service (RDS), then Secrets Manager is worth the money. If you’re looking for general-purpose cryptography features like encryption, decryption, signing and verification, then KMS is what you need.
Where can I read more about connecting to AWS with Delphi?
A sample project, “Secrets Manager Console”, is available on GitHub in the AWS SDK for Delphi Samples repository, demonstrating some of the features of AWS Secrets Manager and AWS KMS.
To learn more about the features of AWS Secrets Manager, read the AWS Secrets Manager User Guide.
Read the AWS Key Management Service User Guide to learn what AWS Key Management Service (AWS KMS) offers.
About Appercept AWS SDK for Delphi
Appercept AWS SDK for Delphi is available exclusively on GetIt with active Enterprise or Architect subscriptions for Embarcadero Delphi or RAD Studio. You can install the SDK through the GetIt Package Manager within Delphi or RAD Studio if you have an active subscription.
You can read more on this site about the things you can do with the Appercept AWS SDK: