Integrating AWS Secrets Manager with Viper in Golang

Learn to integrate Viper & AWS Secrets Manager in Gin Golang projects for secure app configuration, improved error handling & production readiness.

Apr 18, 2023

Introduction:

Managing and securing application configurations, such as database credentials, API keys, and other sensitive data, is a critical aspect of software development. AWS Secrets Manager is a robust service that enables you to store, retrieve, and manage secrets securely. Viper is a popular Go library for managing configuration with ease. In this article, we will discuss how to integrate Viper in a Gin Golang project with AWS Secrets Manager to retrieve and manage configurations securely in a production environment.

Prerequisites:

Go installed (version 1.13 or higher).
AWS CLI installed and configured with the necessary permissions.
Familiarity with Golang, Gin framework, and AWS Secrets Manager.

Step 1: Install Required Packages

We need to install the AWS SDK for Go, Gin, and Viper packages. You can do this using the go get command:

go get github.com/aws/aws-sdk-go
go get github.com/gin-gonic/gin
go get github.com/spf13/viper

Step 2: Create a Secret in AWS Secrets Manager

Create a new secret in AWS Secrets Manager to store your application’s configuration. You can use the AWS Management Console or the AWS CLI to create the secret.

For this example, we will create a JSON secret with the following format:

{
  "database_url": "your_database_url",
  "api_key": "your_api_key"
}

Replace your_database_url and your_api_key with the actual values.

Step 3: Retrieve the Secret Using AWS SDK for Go

First, import the necessary packages in your Go code:

import (
    "github.com/aws/aws-sdk-go/aws"
    "github.com/aws/aws-sdk-go/aws/session"
    "github.com/aws/aws-sdk-go/service/secretsmanager"
    "github.com/gin-gonic/gin"
    "github.com/spf13/viper"
)

Next, create a function that retrieves the secret from AWS Secrets Manager:

func getSecretFromAWSSecretManager(secretName string, region string) (string, error) {
    sess, err := session.NewSession(&aws.Config{
        Region: aws.String(region)},
    )
if err != nil {
        return "", err
    }
    svc := secretsmanager.New(sess)
    input := &secretsmanager.GetSecretValueInput{
        SecretId: aws.String(secretName),
    }
    result, err := svc.GetSecretValue(input)
    if err != nil {
        return "", err
    }
    return *result.SecretString, nil
}

Step 4: Configure Viper to Use AWS Secrets Manager

Now, create a function that initializes Viper with the configuration retrieved from AWS Secrets Manager:

func initConfig(secretName, region string) error {
    secret, err := getSecretFromAWSSecretManager(secretName, region)
    if err != nil {
        return err
    }

    viper.SetConfigType("json")
    err = viper.ReadConfig(strings.NewReader(secret))
    if err != nil {
        return err
    }
    return nil
}

Step 5: Create a Gin Middleware for Configuration

Create a Gin middleware to make the configuration available to handlers via Gin’s context:

func configMiddleware() gin.HandlerFunc {
    return func(c *gin.Context) {
        c.Set("config", viper.AllSettings())
        c.Next()
    }
}

Step 6: Setup Gin and Middleware

In the main function, set up Gin and use the middleware:

func main() {
      err := initConfig
      err := initConfig("your_secret_name", "your_aws_region")
          if err != nil {
              log.Fatalf("Error initializing config: %v", err)
          }
      
          r := gin.Default()
          r.Use(configMiddleware())
      
          r.GET("/ping", func(c *gin.Context) {
              config := c.MustGet("config").(map[string]interface{})
              c.JSON(200, gin.H{
                  "message": "pong",
                  "config":  config,
              })
          })
      
          r.Run() // listen and serve on 0.0.0.0:8080
}

Replace your_secret_name and your_aws_region with the actual values.

Step 7: Accessing the Configuration Values

You can now access the configuration values in your Gin handlers using the context:

func someHandler(c *gin.Context) {
    config := c.MustGet("config").(map[string]interface{})
    databaseURL := config["database_url"].(string)
    apiKey := config["api_key"].(string)

    // Your handler logic
}

Conclusion:

In this article, we have demonstrated how to integrate Viper in a Gin Golang project with AWS Secrets Manager to securely manage application configurations in a production environment. By following these steps, you can easily set up your Gin projects to retrieve sensitive data from AWS Secrets Manager and use it with Viper for seamless configuration management.

Additional Considerations:

Error Handling and Logging: In a production environment, it's crucial to implement proper error handling and logging. Make sure you handle any errors that may occur while retrieving secrets or initializing Viper, and log them accordingly for better traceability.
Caching Secrets: In production scenarios, it is essential to cache secrets locally to minimize the number of requests to AWS Secrets Manager, reducing latency and costs. You can implement a caching mechanism to store secrets and periodically refresh them.
Secure Communication: When working with sensitive data, ensure that your application uses HTTPS to encrypt communications between the client and the server. Using HTTPS will help protect your application from potential eavesdropping and man-in-the-middle attacks.

Hacktivate

Discussion about this post