Secret Management
All secrets are stored in AWS Secrets Manager in the il-central-1 region.
⚠️ Important: every secret exists twice, once per AWS account, and the values may differ between the two copies:
- Production secrets: in the legionsecurity AWS account
- Development secrets: in the legionsecurity-dev AWS account
👉 When you change a secret, update it in both accounts.
Backend Secrets
- Secrets Manager secret name: backend_secrets
- Location: AWS Console → log in to the dev or prod account → Secrets Manager → Region: il-central-1 → select backend_secrets → click Retrieve/Edit
Using secrets locally for testing
Tests load their secrets from a .env file, so to run them locally you must copy all secrets into that file.
We provide a script to help with this:
- Ensure you are logged in via AWS SSO:
  aws sso login --sso-session {sso-session-name}
- In the backend repo, run:
  py scripts/generate_env_secrets.py
- The script prints all secrets. Copy and paste them into your .env file under the appropriate section.
The .env file now holds live credentials: keep it out of version control and do not share it.
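As an added illustration of the two points above (rendering a Secrets Manager payload into .env lines, and the warning that the dev and prod copies can drift), here is a small Python helper. It is example code written for this page, not the project's scripts/generate_env_secrets.py, and it assumes the secret's SecretString is a flat JSON object of KEY → value and that the .env loader accepts shell-style quoting; both are assumptions, not facts the page states. The sample payloads are constructed for the example.

```python
"""Added example, not the project's own script: render a Secrets Manager
JSON payload as .env lines and compare the key sets of the dev and prod
copies of backend_secrets, since the page warns that the two stores can drift."""
import json
import shlex
from typing import Dict, List, Optional, Tuple

REGION = "il-central-1"          # region named on the page
SECRET_ID = "backend_secrets"    # secret name from the page


def fetch_secret_json(secret_id: str = SECRET_ID, region: str = REGION,
                      profile: Optional[str] = None) -> Dict[str, str]:
    """Fetch a secret through the active AWS SSO session; `profile` selects the
    dev or prod account. ASSUMPTION: SecretString is a flat JSON object of
    KEY -> value (the page does not describe the payload layout)."""
    import boto3  # imported lazily so the offline helpers below need no AWS deps
    session = boto3.session.Session(profile_name=profile, region_name=region)
    client = session.client("secretsmanager")
    resp = client.get_secret_value(SecretId=secret_id)
    return json.loads(resp["SecretString"])


def render_env(secrets: Dict[str, str]) -> List[str]:
    """Turn a KEY -> value mapping into sorted .env lines. Values are
    shell-quoted so spaces, '#' and quotes survive; keys must be valid
    environment variable names so a bad entry fails here, not at test time."""
    lines = []
    for key in sorted(secrets):
        if not key.isidentifier():
            raise ValueError(f"{key!r} is not a valid environment variable name")
        lines.append(f"{key}={shlex.quote(str(secrets[key]))}")
    return lines


def key_drift(dev: Dict[str, str], prod: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Keys present in only one account. Values are expected to differ between
    dev and prod, so only the key sets are compared; a non-empty result means a
    secret was added to one store and not the other."""
    only_dev = sorted(set(dev) - set(prod))
    only_prod = sorted(set(prod) - set(dev))
    return only_dev, only_prod


# Constructed sample payloads standing in for the two accounts' copies.
SAMPLE_DEV = {"DB_PASSWORD": "dev pa$$ #1", "API_TOKEN": "tok-dev", "NEW_FLAG": "1"}
SAMPLE_PROD = {"DB_PASSWORD": "prodsecret", "API_TOKEN": "tok-prod"}

if __name__ == "__main__":
    # With real credentials you would call fetch_secret_json(profile=...) twice,
    # once per account; the samples keep the run offline.
    print("\n".join(render_env(SAMPLE_DEV)))
    only_dev, only_prod = key_drift(SAMPLE_DEV, SAMPLE_PROD)
    if only_dev or only_prod:
        print(f"key drift: only in dev={only_dev}, only in prod={only_prod}")
```

Running the drift check after every change is a cheap way to enforce the "update both accounts" rule before a deployment discovers the missing key.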
Infrastructure (Infra) Secrets
- Secrets Manager secret name: infra_secrets
- Location: AWS Console → log in to the dev or prod account → Secrets Manager → Region: il-central-1 → select infra_secrets → click Retrieve/Edit
Deployment behaviour
During infrastructure deployment, secrets are pulled from this central location in il-central-1 and propagated to every other deployed region, but only the secrets that are configured and used in the Pulumi infra setup are propagated.
How to add a new secret
- Determine the correct store:
  - backend_secrets: the secret is used at runtime by the backend service.
  - infra_secrets: the secret is needed by the infra deployment itself (e.g. the Cloudflare API key used to configure DNS entries).
- Add the secret in the il-central-1 region in both the dev and prod Secrets Manager stores.
- Add the new secret to the Pulumi server infra configuration.
- Run the Pulumi infra deployment in all regions (this makes the new secret available to the service runtime).