How to hide your RDS info in WordPress config with AWS Secrets Manager


Hello, I recently tried using AWS Secrets Manager because of a need at work, and I have to say “Wow”: it’s very convenient, super powerful and super easy to deploy. So the first question is: what is AWS Secrets Manager?

In short, AWS Secrets Manager is the service that stores and retrieves your secrets, such as database credentials, passwords and API keys, and rotates those credentials with a built-in or custom AWS Lambda function. The service has benefits like:

  • Rotate secrets safely
  • Manage access with fine-grained policies
  • Secure and audit secrets centrally using KMS
  • Pay as you go – a very nice price, only $0.40/secret/month and $0.05 per 10,000 API calls

If you want more detail, you can go here.

Concept

You have an RDS database and you want your WordPress website, hosted on an EC2 instance, to connect to it. To establish the connection you have to put the DB info (DB name, DB username, DB password and host) into the wp-config.php file, and for security reasons you don’t want that information shown in wp-config.php.

Solution Overview

In this solution, you create an RDS database and then enter its connection info into AWS Secrets Manager. When your application wants to connect to the DB, it goes to AWS Secrets Manager, retrieves that info and uses it to connect.

AWS Secrets Manager

Setup

Follow the steps below to set it up:

  1. Create the RDS database: I don’t show how here because it’s very basic and you can follow the AWS documentation without difficulty.
  2. Enter your RDS info into AWS Secrets Manager.
  3. Set up the role that lets your EC2 instance retrieve the secret.
  4. Use one of two methods to retrieve the secret and configure your wp-config.php.


Step 1: Create the RDS database

If you already have an RDS database, you can skip this step. If you don’t, you can follow the AWS documentation here.

Step 2: Enter your RDS info into AWS Secrets Manager

  1. Sign in to the AWS Secrets Manager console here.
  2. On either the service introduction page or the secrets list page, choose Store a new secret.
  3. On the Store a new secret page, choose Credentials for RDS database. Specify the user name and password of your RDS DB, then select the RDS DB at the bottom of the page. When done, click Next.
Credentials for RDS Database
  4. On the next page, specify your Secret name, which is used later to retrieve the secret.
  5. In step 3, Configure rotation, you can select Enable automatic rotation, which rotates your secret at the interval you specify. But in this tutorial, I think you should select Disable automatic rotation. Then click Next to review and Store.
Configure Rotation

Note: the rotation configuration is a little complicated. When you choose Enable automatic rotation, AWS automatically creates a Lambda function to handle it. You have to add some policies to the Lambda’s role to make it work with the Public access option of the RDS database. If your RDS DB is private (only accessible within the VPC), you have to set up a VPC endpoint. Don’t worry if your rotation fails; you still reach the goal of this post, hiding DB info in wp-config.php. I will write a specific post about AWS Secrets Manager rotation.

Step 3: Set up the role that lets your EC2 instance retrieve the secret

To retrieve the secret, your WordPress server needs credentials to access AWS Secrets Manager. If you use an EC2 instance for your WordPress server, you can attach a role to it: IAM dynamically provides temporary credentials to the EC2 instance, and those credentials are rotated automatically for you.

I don’t show how to create a role because it’s so basic. You just need to create the role and attach the AWS-managed policies SecretsManagerReadWrite and IAMFullAccess.
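The role above uses two broad AWS-managed policies. As an added example (not from the original post), here is a customer-managed policy that grants only what wp-config.php actually needs: reading the one secret. The account id and the secret’s random suffix are placeholders; the secret name rdsmysql2 is the one used in this post.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadWordPressDbSecret",
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:us-east-1:<account_id>:secret:rdsmysql2-<suffix>"
    }
  ]
}
```

If the secret is encrypted with a customer-managed KMS key instead of the default aws/secretsmanager key, the role also needs kms:Decrypt on that key.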

Step 4: Use one of two methods to retrieve the secret and configure your wp-config.php

At this point the setup is done. All you need now is to retrieve the secret on your WordPress server, which you can do by two methods: the AWS CLI and the AWS SDK for PHP. I’ll use the second method to put the DB info into wp-config.php.

Method 1: AWS CLI

You can use this method first to validate that the setup is working.

To see all of the details of your secret except the secret value itself:

$ aws secretsmanager describe-secret --secret-id <secret_name>
{
    "Name": "rdsmysql2",
    "VersionIdsToStages": {
        "XXXXXXXYYYYYYZZZZZZZZ": [
            "AWSCURRENT"
        ]
    },
    "RotationRules": {
        "AutomaticallyAfterDays": 1
    },
    "LastChangedDate": 1534396284.09,
    "RotationLambdaARN": "arn:aws:lambda:us-east-1:847539729282:function:SecretsManagerXXXXXXXXXXXXXXXXXXX",
    "RotationEnabled": true,
    "LastAccessedDate": 1534377600.0,
    "ARN": "arn:aws:secretsmanager:us-east-1:YYYYYYYYYY:secret:rdsmysql2-ABCDEF",
    "Description": "Access to rdsmysql2"
}

To see the (decrypted) secret value stored in your secret:

$ aws secretsmanager get-secret-value --secret-id rdsmysql2 --version-stage AWSCURRENT
{
    "Name": "rdsmysql2",
    "VersionId": "cec40505-f9d0-41c1-ac59-0cae143124fa",
    "SecretString": "{\"username\":\"admin\",\"password\":\"justexamplepass\",\"engine\":\"mysql\",\"host\":\"rdsmysql2.justexample.us-east-1.rds.amazonaws.com\",\"port\":3306,\"dbname\":\"rdsmysql2\",\"dbInstanceIdentifier\":\"rdsmysql2\"}",
    "VersionStages": [
        "AWSCURRENT"
    ],
    "CreatedDate": 1534321862.084,
    "ARN": "arn:aws:secretsmanager:us-east-1:847539729282:secret:rdsmysql2-MowqVc"
}

Or, if you only want the DB info so you can connect to the database, just create a bash script like this:

#!/bin/bash
set -euo pipefail

# Retrieve the secret and decode its JSON payload (needs the AWS CLI and jq)
secret=$(aws secretsmanager get-secret-value --secret-id rdsmysql2 | jq -r '.SecretString | fromjson')
user=$(jq -r .username <<<"$secret")
password=$(jq -r .password <<<"$secret")
endpoint=$(jq -r .host <<<"$secret")
port=$(jq -r .port <<<"$secret")

# Pass the password through MYSQL_PWD so it does not show up in the process list
MYSQL_PWD="$password" mysql -h "$endpoint" -P "$port" -u "$user"

If you can connect, you are on the right track.

Method 2: AWS SDK PHP

First you need to install the AWS SDK for PHP and know how to include it in your PHP code; you can find the documentation here.

Then edit wp-config.php like below:

<?php

require '/path/to/your/aws.phar';

use Aws\SecretsManager\SecretsManagerClient;

// Client for the region that holds your secret
$client = new SecretsManagerClient([
    'version' => 'latest',
    'region'  => '<region_aws_manager>'
]);

// Fetch the current version of the secret by name
$result = $client->getSecretValue([
    'SecretId'     => '<your_secret_name>',
    'VersionStage' => 'AWSCURRENT',
]);

// Get the string of DB values from the result. The string is JSON
$secretjson = $result['SecretString'];

// Decode the JSON into an associative array
$secrets = json_decode($secretjson, true);

$database = $secrets['dbname'];
$username = $secrets['username'];
$password = $secrets['password'];
$host     = $secrets['host'];

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', $database);

/** MySQL database username */
define('DB_USER', $username);

/** MySQL database password */
define('DB_PASSWORD', $password);

/** MySQL hostname */
define('DB_HOST', $host);

?>

Okay, it’s done; you can verify the connection by visiting your website address. As you can see, there is no DB info directly in your wp-config.php anymore.
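A hardened variant of the wp-config.php above, added here as an example rather than the post’s own code: it fails closed without echoing details to the visitor, checks that the secret really contains the fields WordPress needs, honours the port stored in the RDS-type secret, and caches the decoded secret in APCu for a few minutes so that not every page request costs one GetSecretValue call. The phar path, the secret name rdsmysql2, the region and the TTL are assumptions; the rest of wp-config.php (table prefix, salts, the wp-settings.php require) follows as usual.

```php
<?php
require '/path/to/your/aws.phar';            // assumption: phar install as in the post

use Aws\SecretsManager\SecretsManagerClient;
use Aws\Exception\AwsException;

const WP_SECRET_ID     = 'rdsmysql2';        // assumed secret name, as in the post
const WP_SECRET_REGION = 'us-east-1';        // assumed region
const WP_SECRET_TTL    = 300;                // seconds a fetched secret is reused

// Log the reason for the operator and stop; never echo details to the visitor.
function wp_db_config_fail(string $reason): void {
    error_log('wp-config: ' . $reason);
    http_response_code(500);
    exit('Database configuration unavailable.');
}

function wp_rds_secret(): array {
    $cacheKey = 'wp_rds_secret:' . WP_SECRET_ID;
    if (function_exists('apcu_fetch') && is_array($cached = apcu_fetch($cacheKey))) {
        return $cached;                      // no Secrets Manager call on this request
    }
    $client = new SecretsManagerClient(['version' => 'latest', 'region' => WP_SECRET_REGION]);
    try {
        $result = $client->getSecretValue(['SecretId' => WP_SECRET_ID, 'VersionStage' => 'AWSCURRENT']);
    } catch (AwsException $e) {
        wp_db_config_fail('Secrets Manager error ' . $e->getAwsErrorCode());
    }
    if (!isset($result['SecretString'])) {
        wp_db_config_fail('secret has no SecretString (binary secret?)');
    }
    $secret = json_decode($result['SecretString'], true);
    foreach (['username', 'password', 'host', 'dbname'] as $key) {
        if (!isset($secret[$key])) {
            wp_db_config_fail("secret is missing the '$key' field");
        }
    }
    if (function_exists('apcu_store')) {
        apcu_store($cacheKey, $secret, WP_SECRET_TTL);   // cached in-process, not on disk
    }
    return $secret;
}

$rds = wp_rds_secret();
define('DB_NAME', $rds['dbname']);
define('DB_USER', $rds['username']);
define('DB_PASSWORD', $rds['password']);
// WordPress accepts "host:port"; the RDS-type secret carries the port, so honour it.
define('DB_HOST', $rds['host'] . ':' . ($rds['port'] ?? 3306));
```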

Summary

That’s all for setting up AWS Secrets Manager; it’s easy, right? Actually, I only practised with and deployed this service yesterday, so I don’t have much experience.

Maybe there are some errors in this post; if you find something bad or not right, thanks so much for leaving a comment to help me recheck.

Thanks for reading and have a nice day.

References:
https://docs.aws.amazon.com/secretsmanager/latest/userguide/tutorials_basic.html
https://forums.aws.amazon.com/thread.jspa?threadID=280347&tstart=0
