Secrets Storage

Overview

This page outlines recommended practices for securely storing Auth0 client IDs and client secrets using AWS Secrets Manager or AWS Systems Manager Parameter Store. Proper secret management enhances security, enables automated rotation, and centralizes access control.

Goals

  • Securely store Auth0 credentials (clientId and clientSecret)
  • Centralize secret management in AWS
  • Enable fine-grained access control via IAM
  • Support automatic secret rotation
  • Integrate seamlessly with application code and CI/CD pipelines

Options

  • AWS Secrets Manager - Designed for secret storage with built-in rotation and audit
  • AWS Systems Manager Parameter Store - Lightweight storage; supports encryption via KMS

AWS Secrets Manager

Benefits

  • Managed secret lifecycle with customizable rotation using AWS Lambda
  • Versioning and staging labels for safe rollover
  • Integrated audit logging via AWS CloudTrail
  • Fine-grained resource policies

Implementation Steps

Create a new secret in AWS Secrets Manager

Create a secret in AWS Secrets Manager and store the clientId and clientSecret in it as a single JSON object:

{"clientId": "YOUR_AUTH0_CLIENT_ID", "clientSecret": "YOUR_AUTH0_CLIENT_SECRET"}

Accessing the secret from code

  • Use the AWS SDK for your language (e.g., boto3, aws-sdk-go)
  • Fetch the secret and parse the JSON payload at application startup or on demand, keeping it in memory rather than writing it to disk or logs

IAM Policy Example

The trailing ?????? in the Resource ARN matches the six random characters Secrets Manager appends to every secret ARN, so the policy keeps working if the secret is deleted and recreated under the same name.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret"
      ],
      "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:auth0/credentials-??????"
    }
  ]
}

AWS Systems Manager Parameter Store

Benefits

  • Integrated with SSM for configuration management
  • Supports SecureString parameters encrypted with AWS KMS
  • Lower cost for basic encryption use cases

Implementation Steps

Create a SecureString parameter

aws ssm put-parameter \
  --name "/auth0/credentials" \
  --type "SecureString" \
  --value "{\"clientId\": \"YOUR_AUTH0_CLIENT_ID\", \"clientSecret\": \"YOUR_AUTH0_CLIENT_SECRET\"}" \
  --key-id champion/secret

Accessing the parameter

  • Use the AWS SDK GetParameter call with WithDecryption set to true; without it a SecureString parameter is returned still encrypted
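
The two access paths described on this page (reading the secret from Secrets Manager, and reading the SecureString parameter with decryption) as one added example in Python written against boto3-style clients. This is not code from the page or from AWS or Auth0. The Secrets Manager name auth0/credentials, the loader function names and the stub clients are assumptions; the parameter name and the JSON payload shape are the ones the page uses. Against real AWS the stubs are replaced by boto3.client("secretsmanager") and boto3.client("ssm"), whose get_secret_value and get_parameter methods take the same keyword arguments.

```python
import json

# Names assumed for this example; the Parameter Store name matches the page's
# put-parameter command, the Secrets Manager name is a placeholder.
SECRET_ID = "auth0/credentials"
PARAMETER_NAME = "/auth0/credentials"
REQUIRED_KEYS = ("clientId", "clientSecret")


def parse_credentials(raw: str) -> dict:
    """Parse the stored JSON object and require both Auth0 keys to be present and non-empty."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError("credentials payload is not valid JSON") from exc
    if not isinstance(data, dict):
        raise ValueError("credentials payload must be a JSON object")
    missing = [k for k in REQUIRED_KEYS if not data.get(k)]
    if missing:
        raise ValueError("credentials payload missing keys: " + ", ".join(missing))
    return {k: data[k] for k in REQUIRED_KEYS}


def load_from_secrets_manager(client, secret_id: str = SECRET_ID) -> dict:
    """client is a boto3 'secretsmanager' client (or any object with get_secret_value)."""
    resp = client.get_secret_value(SecretId=secret_id)
    # A secret entered as text is returned in SecretString; a binary secret
    # arrives in SecretBinary (bytes) instead.
    raw = resp.get("SecretString")
    if raw is None:
        raw = resp["SecretBinary"].decode("utf-8")
    return parse_credentials(raw)


def load_from_parameter_store(client, name: str = PARAMETER_NAME) -> dict:
    """client is a boto3 'ssm' client. WithDecryption=True is what makes SSM hand
    back the plaintext of a SecureString; without it the ciphertext is returned."""
    resp = client.get_parameter(Name=name, WithDecryption=True)
    param = resp["Parameter"]
    if param.get("Type") != "SecureString":
        raise ValueError(name + " is not a SecureString parameter")
    return parse_credentials(param["Value"])


# Constructed stand-ins for the boto3 clients so the example runs offline.
class StubSecretsManagerClient:
    def __init__(self, payload: str):
        self._payload = payload

    def get_secret_value(self, SecretId):
        return {"Name": SecretId, "SecretString": self._payload}


class StubSSMClient:
    def __init__(self, payload: str, param_type: str = "SecureString"):
        self._payload, self._type = payload, param_type

    def get_parameter(self, Name, WithDecryption):
        value = self._payload if WithDecryption else "<ciphertext>"
        return {"Parameter": {"Name": Name, "Type": self._type, "Value": value}}


# Constructed payload in the shape the page stores (placeholder values, not real credentials).
SAMPLE_PAYLOAD = json.dumps(
    {"clientId": "YOUR_AUTH0_CLIENT_ID", "clientSecret": "YOUR_AUTH0_CLIENT_SECRET"}
)

if __name__ == "__main__":
    # Against real AWS, replace the stubs with boto3.client("secretsmanager") / boto3.client("ssm").
    creds = load_from_secrets_manager(StubSecretsManagerClient(SAMPLE_PAYLOAD))
    print("clientId:", creds["clientId"])  # never log clientSecret
```

The loaders validate the payload before returning it so a half-written or malformed secret fails loudly at startup instead of producing an Auth0 authentication error later, and the Parameter Store loader refuses a parameter that is not a SecureString, which catches a credential accidentally created as a plain String.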

IAM Policy Example

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameter",
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:ssm:us-east-1:123456789012:parameter/auth0/credentials",
        "arn:aws:kms:us-east-1:123456789012:key/your-kms-key-id"
      ]
    }
  ]
}

Audit & Monitoring

  • Enable CloudTrail logging for Secrets Manager and Parameter Store events
  • Monitor access patterns and alert on unexpected GetSecretValue or GetParameter calls
  • Tag secrets and parameters for cost allocation and compliance
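
The second bullet above, alerting on unexpected GetSecretValue or GetParameter calls, as an added example in Python that is not part of the original page. It runs over CloudTrail-shaped records and flags any read of the Auth0 secret or parameter by a principal outside an allow-list, plus any denied read. The allow-listed role names, the event records and the IP addresses are constructed for the example; the secret and parameter names and the account ID are the ones used elsewhere on this page. It also covers the batch and by-path read calls, which return parameter values just as GetParameter does.

```python
import json

# Principals expected to read the Auth0 credentials (role ARNs; assumed names).
ALLOWED_PRINCIPALS = {
    "arn:aws:iam::123456789012:role/auth0-app-role",
    "arn:aws:iam::123456789012:role/auth0-rotation-lambda",
}
# Secret name and parameter name from the page.
WATCHED_RESOURCES = {"auth0/credentials", "/auth0/credentials"}
# Calls that return secret material; the batch/path variants also return values.
SENSITIVE_CALLS = {
    "secretsmanager.amazonaws.com": {"GetSecretValue", "BatchGetSecretValue"},
    "ssm.amazonaws.com": {"GetParameter", "GetParameters", "GetParametersByPath"},
}


def _names_match(name: str) -> bool:
    """secretId may be the plain name or a full ARN ending in :secret:<name>-XXXXXX."""
    for r in WATCHED_RESOURCES:
        if name == r or name.endswith(":secret:" + r) or (":secret:" + r + "-") in name:
            return True
    return False


def touches_watched_resource(event: dict) -> bool:
    params = event.get("requestParameters") or {}
    names = [params[k] for k in ("secretId", "name") if params.get(k)]
    names += params.get("names") or []
    if params.get("path"):
        return any(r.startswith(params["path"]) for r in WATCHED_RESOURCES)
    return any(_names_match(n) for n in names)


def principal_of(event: dict) -> str:
    """For assumed roles use the issuing role ARN so session names don't defeat the allow-list."""
    ident = event.get("userIdentity") or {}
    issuer = (ident.get("sessionContext") or {}).get("sessionIssuer") or {}
    return issuer.get("arn") or ident.get("arn") or "unknown"


def find_unexpected_reads(log_lines):
    """Return a finding for every read of a watched resource by a principal outside
    the allow-list, and for every denied read (errorCode set) regardless of principal."""
    findings = []
    for line in log_lines:
        ev = json.loads(line)
        if ev.get("eventName") not in SENSITIVE_CALLS.get(ev.get("eventSource"), set()):
            continue
        if not touches_watched_resource(ev):
            continue
        who = principal_of(ev)
        if who not in ALLOWED_PRINCIPALS or ev.get("errorCode"):
            findings.append({"time": ev.get("eventTime"), "principal": who,
                             "call": ev["eventName"], "sourceIP": ev.get("sourceIPAddress"),
                             "error": ev.get("errorCode")})
    return findings


# Constructed records in the shape of CloudTrail events (not real log data).
SAMPLE_LOG_LINES = [
    json.dumps({"eventTime": "2024-05-01T10:00:00Z", "eventSource": "secretsmanager.amazonaws.com",
                "eventName": "GetSecretValue", "sourceIPAddress": "10.0.1.15",
                "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/auth0-app-role/i-0abc",
                                 "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/auth0-app-role"}}},
                "requestParameters": {"secretId": "auth0/credentials"}}),
    json.dumps({"eventTime": "2024-05-01T10:05:00Z", "eventSource": "secretsmanager.amazonaws.com",
                "eventName": "GetSecretValue", "sourceIPAddress": "203.0.113.7",
                "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/contractor"},
                "requestParameters": {"secretId": "arn:aws:secretsmanager:us-east-1:123456789012:secret:auth0/credentials-AbCdEf"}}),
    json.dumps({"eventTime": "2024-05-01T10:06:00Z", "eventSource": "ssm.amazonaws.com",
                "eventName": "GetParameter", "sourceIPAddress": "10.0.2.9",
                "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/auth0-rotation-lambda/rotate",
                                 "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/auth0-rotation-lambda"}}},
                "requestParameters": {"name": "/auth0/credentials", "withDecryption": True}}),
    json.dumps({"eventTime": "2024-05-01T10:07:00Z", "eventSource": "ssm.amazonaws.com",
                "eventName": "GetParameter", "sourceIPAddress": "198.51.100.4", "errorCode": "AccessDenied",
                "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/ci-runner/build-42",
                                 "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/ci-runner"}}},
                "requestParameters": {"name": "/auth0/credentials", "withDecryption": True}}),
    json.dumps({"eventTime": "2024-05-01T10:08:00Z", "eventSource": "ssm.amazonaws.com",
                "eventName": "GetParameter", "sourceIPAddress": "198.51.100.4",
                "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/contractor"},
                "requestParameters": {"name": "/other/app/config", "withDecryption": True}}),
]

if __name__ == "__main__":
    for f in find_unexpected_reads(SAMPLE_LOG_LINES):
        print(f)
```

On the constructed records this yields two findings: the IAM user reading the secret by its full ARN, and the ci-runner role whose GetParameter was denied. Denied reads are kept as findings deliberately, since an AccessDenied against the credentials is exactly the probe a resource policy or IAM tightening is meant to surface. The allow-list compares the issuing role ARN rather than the assumed-role session ARN, because the session name is chosen by the caller.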

Summary

Centralizing Auth0 credentials in AWS-managed secret stores increases security, simplifies rotation, and provides a single source of truth. Choose Secrets Manager for full-featured secret lifecycle management or Parameter Store for lightweight, encrypted configuration storage. Implement strict IAM policies, automate rotation, and monitor access for compliance and operational visibility.