# AWS Secrets Manager Hush Provider


This package provides a Hush Provider to resolve Amazon Web Services' Secrets Manager secrets.

Documentation can be found at [](

## Installation

The package can be installed by adding `hush_aws_secrets_manager` to your list
of dependencies in `mix.exs`:

```elixir
def deps do
  [
    {:hush, "~> 1.0"},
    {:hush_aws_secrets_manager, "~> 1.0.0"}
  ]
end
```

This module relies on `ex_aws` to talk to the AWS API, so you need to configure it. An example is shown below; alternative ways of configuring it are described in the `ex_aws` documentation.

Because the provider needs to start the `ex_aws` application, it must be registered as a provider in `hush` so that it gets loaded during startup.

```elixir
# config/config.exs

alias Hush.Provider.AwsSecretsManager

config :ex_aws,
  access_key_id: [{:system, "AWS_ACCESS_KEY_ID"}],
  secret_access_key: [{:system, "AWS_SECRET_ACCESS_KEY"}]

# ensure hush loads AwsSecretsManager during startup
config :hush,
  providers: [AwsSecretsManager]
```

### AWS Authorization

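In order to retrieve secrets from AWS, ensure the service account you use has a policy similar to the following, with `Resource` listing the secrets the application reads:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": [
        "<ARN of each secret the application reads>"
      ]
    }
  ]
}
```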

## Usage

The following example reads the password and the pool size for CloudSQL from Secrets Manager into the Ecto repo configuration.

```elixir
# config/prod.exs

alias Hush.Provider.AwsSecretsManager

config :app, App.Repo,
  password: {:hush, AwsSecretsManager, "CLOUDSQL_PASSWORD"},
  pool_size: {:hush, AwsSecretsManager, "ECTO_POOL_SIZE", cast: :integer, default: 10}
```
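The policy from the AWS Authorization section can be checked against the secret names used above, so that it grants `secretsmanager:GetSecretValue` on exactly those secrets and nothing wider. The following Python script is an added example, not part of this project. It assumes the Hush key is the Secrets Manager secret name, uses a constructed account id, region and policy, and ignores `Deny`, `NotAction`, `NotResource` and `Condition`.

```python
import json
import re

# Constructed policy: account id, region and secret ARNs are made up for the example.
POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
   {"Effect": "Allow",
    "Action": "secretsmanager:GetSecretValue",
    "Resource": ["arn:aws:secretsmanager:eu-west-1:111122223333:secret:CLOUDSQL_PASSWORD-??????"]},
   {"Effect": "Allow",
    "Action": ["secretsmanager:Get*"],
    "Resource": "arn:aws:secretsmanager:eu-west-1:111122223333:secret:*"}
 ]}
""")

def as_list(value):
    return value if isinstance(value, list) else [value]

def iam_match(pattern, value):
    """IAM wildcard match: '*' is any run of characters, '?' is exactly one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value) is not None

def audit(policy, secret_names, region, account):
    """Return (findings, uncovered names) for statements allowing GetSecretValue."""
    def arn(name):  # Secrets Manager appends "-" plus six random characters to the name
        return f"arn:aws:secretsmanager:{region}:{account}:secret:{name}-AbCdEf"
    findings, covered = [], set()
    for i, stmt in enumerate(as_list(policy["Statement"])):
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        if stmt.get("Effect") != "Allow" or not any(
                iam_match(a, "secretsmanager:getsecretvalue") for a in actions):
            continue
        for action in actions:
            if action != "secretsmanager:getsecretvalue":
                findings.append(f"statement {i}: action {action} is broader than GetSecretValue")
        for res in as_list(stmt.get("Resource", [])):
            covered |= {n for n in secret_names if iam_match(res, arn(n))}
            # A resource that also matches a name the app never reads is over-broad.
            if iam_match(res, arn("hush-audit-canary")):
                findings.append(f"statement {i}: resource {res} matches secrets the app does not use")
    return findings, sorted(set(secret_names) - covered)

if __name__ == "__main__":
    # Secret names taken from the Usage section of this README.
    print(audit(POLICY, ["CLOUDSQL_PASSWORD", "ECTO_POOL_SIZE"], "eu-west-1", "111122223333"))
```

An empty findings list together with an empty uncovered list means the policy matches the configuration; an uncovered name means the application will not be able to resolve that secret.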

## License

Hush is released under the Apache License 2.0 - see the [LICENSE](LICENSE) file.