Using AWS Vault to manage credentials
Instead of using a jceks file to store credentials, or exposing your user name and password through some other means of credential management, you learn how to use AWS Secrets Service for storing credentials in the AWS Vault.
- Log into AWS.
- From the IAM console > Roles on AWS select your role.
- Click your IAM role to navigate to its summary, and copy the Role ARN.
- Create your AWS secret or look for it in your .aws/credentials directory.
-
In the AWS Secrets manager, modify secrets permissions, substituting your role
arn and secret resource arn for the variables:
{ "Version" : "2012-10-17", "Statement" : [ { "Effect" : "Allow", "Principal" : { "AWS" : "arn:aws:iam::NNNN:role/env-AAAAAA-dwx-stack-NodeInstanceRole-XXXXXX" }, "Action" : [ "secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret" ], "Resource" : "arn:aws:secretsmanager:us-west-2:NNNN:secret:<secret-name>-dsffd" } ] } -
Create a table that specifies the JDBC-URL, your role arn, and secrets arn in the table properties.
For example:
ceate external table customer_address ( column definitions ... ) STORED BY 'org.apache.hive.storage.jdbc.JdbcStorageHandler' TBLPROPERTIES ( "hive.sql.database.type" = 'POSTGRES', "hive.sql.jdbc.driver" = 'com.mysql.jdbc.Driver', "hive.sql.jdbc.url" = '<jdbc-url>', "hive.sql.dbcp.username" = '<role-name>', "hive.sql.dbcp.password.uri" = 'aws-sm:///<secret-arn>', "hive.sql.table" = "<table-name>" ); -
Create a Hive table that specifies the JDBC-URL, your database user name, and secrets arn in the table properties.
create external table customer_address ( column definitions ... ) STORED BY 'org.apache.hive.storage.jdbc.JdbcStorageHandler' TBLPROPERTIES ( "hive.sql.database.type" = 'POSTGRES', "hive.sql.jdbc.driver" = 'org.postgresql.Driver', "hive.sql.jdbc.url" = '<jdbc-url>', "hive.sql.dbcp.username" = '<database-user-name>', "hive.sql.dbcp.password.uri" = 'aws-sm:///<secret-arn>', "hive.sql.table" = "<table-name>" );Only the password field is extracted from the secret.
