Secret Management
All secrets are stored in AWS Secrets Manager under the il-central-1 region.
⚠️ Important: All secrets are stored twice, and values may differ:

- Production secrets: under the `legionsecurity` AWS account
- Development secrets: under the `legionsecurity-dev` AWS account

Always make sure to update secrets in both accounts when making changes.
## Backend Secrets

- Secret manager instance: `backend_secrets`
- Location: AWS Console → Login to dev/prod account → Secrets Manager → Region: il-central-1 → Select `backend_secrets` → Click Retrieve/Edit
## Using secrets locally for testing
To run tests locally, all secrets must be copied into a .env file, as they are loaded from it during tests.
We provide a script to help with this:
- Ensure you're logged in via AWS SSO: `aws sso login --sso-session {sso-session-name}`
- In the backend repo, run: `py scripts/generate_env_secrets.py`
- After execution, the script will output all secrets. Copy and paste them into your .env file under the appropriate section.
## Infrastructure (Infra) Secrets

- Stored under: `infra_secrets`
- Location: AWS Console → Login to dev/prod account → Secrets Manager → Region: il-central-1 → Select `infra_secrets` → Click Retrieve/Edit
## Deployment behaviour

During infrastructure deployment, secrets are pulled from this central location in il-central-1 and propagated to all other deployed regions (only if they are configured and used in the Pulumi infra setup).
## How to add a new secret

- Determine the correct storage location:
  - `backend_secrets`: the secret is used at runtime by the backend service.
  - `infra_secrets`: the secret itself is required for the infra deployment (e.g. an API key for Cloudflare to configure DNS entries).
- Add the secret in the il-central-1 region in both the dev and prod Secrets Manager stores.
- Add the new secret to the Pulumi server infra configuration.
- Run the Pulumi infra deployment in all regions (this will add the new secret to the service runtime)
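The two procedures above, generating a local .env from a secret store and keeping the dev and prod stores in step when a secret is added, as an added Python example; this is not the repo's `scripts/generate_env_secrets.py`. It assumes the secret payload is a JSON object mapping variable names to values (the page does not state the format) and that boto3 can pick up the credentials from `aws sso login`; the sample payloads are constructed.

```python
"""Added example, not the repo's own script: render a Secrets Manager
payload as .env lines and report key drift between the dev and prod stores.
Assumptions: the secret is a JSON object of NAME -> value (the page does not
state the payload format) and boto3 picks up the SSO credentials."""
import json
import shlex


def fetch_secret_dict(secret_id, region="il-central-1", profile=None):
    """Read one secret (e.g. backend_secrets) from the given region.

    boto3 is imported lazily so the pure helpers below run without AWS
    access; a real call needs `aws sso login` to have been run first.
    """
    import boto3  # assumption: boto3 is installed
    session = boto3.session.Session(profile_name=profile, region_name=region)
    client = session.client("secretsmanager")
    return json.loads(client.get_secret_value(SecretId=secret_id)["SecretString"])


def to_env_lines(secrets):
    """Render a dict as sorted KEY=value lines for a .env file.

    Values are shell-quoted so spaces, '#' and quotes are not mis-read by
    the dotenv loader (an unquoted '#' would silently truncate the value)."""
    return [f"{key}={shlex.quote(str(val))}" for key, val in sorted(secrets.items())]


def key_drift(dev, prod):
    """Keys present in only one account. Values may legitimately differ
    between dev and prod, so only key names are compared; a non-empty
    result means a secret was added to one store and not the other."""
    return {
        "missing_in_prod": sorted(set(dev) - set(prod)),
        "missing_in_dev": sorted(set(prod) - set(dev)),
    }


# Constructed sample payloads standing in for the two accounts (not real secrets).
SAMPLE_DEV = {"DB_PASSWORD": "dev pass", "CLOUDFLARE_API_KEY": "cf-dev", "NEW_FLAG": "1"}
SAMPLE_PROD = {"DB_PASSWORD": "prod#pass", "CLOUDFLARE_API_KEY": "cf-prod"}

if __name__ == "__main__":
    # Live use: dev = fetch_secret_dict("backend_secrets", profile="<dev-profile>")
    print("\n".join(to_env_lines(SAMPLE_DEV)))
    print(key_drift(SAMPLE_DEV, SAMPLE_PROD))
```

Running `key_drift` over the real dev and prod `backend_secrets` payloads after the "add in both accounts" step is a quick way to confirm neither store was missed.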