Skip to main content

Retrieving a Momento API Key from AWS Secrets Manager

It's best practice to securely store your Momento API Key. If you are using AWS, you can securely store the auth token in AWS Secrets Manager. With that, only code running with the correct IAM credentials will be able to fetch the API key and use it to access Momento Cache or Momento Topics.

info

Just as you should reuse your Momento CacheClient and TopicClient objects when possible, so should you with the Momento auth token from AWS Secrets Manager. Otherwise you risk adding cost, both in time and money, to each Momento API call for the round trip to AWS Secrets Manager. To keep cost low and avoid potential throttling by AWS Secrets Manager it's best to use client side caching of the credentials as detailed in this AWS blog.

Entry in AWS Secrets Manager

When inserting the Momento API key into AWS Secrets Manager, it should be as plaintext with no JSON as in this screenshot. (Token blurred for security.)

AWS Secrets Manager

Example Code for AWS Secrets Manager

final Region region = Region.of("us-east-1");

// Create a Secrets Manager client
final SecretsManagerClient client =
    SecretsManagerClient.builder()
        .region(region)
        // make sure to configure aws credentials in order to use the default provider
        // https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/auth/credentials/DefaultCredentialsProvider.html
        .credentialsProvider(DefaultCredentialsProvider.create())
        .build();

final GetSecretValueRequest getSecretValueRequest =
    GetSecretValueRequest.builder().secretId("AUTH_TOKEN_SECRET_NAME").build();

final GetSecretValueResponse getSecretValueResponse;

try {
  getSecretValueResponse = client.getSecretValue(getSecretValueRequest);
} catch (Exception e) {
  // For a list of exceptions thrown, see
  // https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
  throw e;
}

final String secret = getSecretValueResponse.secretString();
try {
  // store variable here
  CredentialProvider.fromString(secret);
} catch (SdkException e) {
  throw new RuntimeException(
      "An error occured while parsing the secrets manager vended" + " authentication token", e);
}

FAQ

Do I have to do this?
No. You can store your Momento auth token in an environment variable or a file, but that is not best practice as it is not as secure as storing it in something like AWS Secrets Manager.