AWS DynamoDB

Secrets are stored in an AWS DynamoDB table. To protect them, you can rely on encryption at rest or add an additional encrypter that encrypts and decrypts the secret before it is accessed.

Installation

npm install @farbor/secret-storage-aws-dynamo @aws-sdk/client-dynamodb luxon

Usage

import {SecretKeyStorageAwsDynamo} from "@farbor/secret-key-storage-aws-dynamo";
import {DynamoDBClient} from '@aws-sdk/client-dynamodb';
import {Duration} from 'luxon';

const storage = new SecretKeyStorageAwsDynamo(
    new DynamoDBClient({}),
    {
        tableName: 'your-table-name',
        // encrypter: yourEncrypter, // set it to use custom encryption
        // luxon builds a Duration from an object with Duration.fromObject()
        cacheTtl: Duration.fromObject({hours: 5}) // store secret for 5 hours once retrieved
    }
);

Table creation

Create a DynamoDB table with the following key schema:

  • keyId - string

On-demand capacity mode is the easiest to use, but feel free to change it to provisioned if you know your traffic.
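The table described above, as an added example that is not part of the library or its documentation: one function builds the input for `CreateTableCommand` from `@aws-sdk/client-dynamodb`, and another audits the `Table` object of a `DescribeTableCommand` response against the same schema. The function names, the optional `kmsKeyId` parameter and the sample table are hypothetical; the audit assumes the library addresses items by `keyId` alone, as the key schema implies.

```javascript
// Added example. Pass the result to `new CreateTableCommand(...)`.
// kmsKeyId is optional: without it DynamoDB keeps its default at-rest
// encryption (AWS owned key); with it the table uses the given KMS key.
function buildCreateTableInput(tableName, kmsKeyId) {
  const input = {
    TableName: tableName,
    AttributeDefinitions: [{ AttributeName: 'keyId', AttributeType: 'S' }],
    KeySchema: [{ AttributeName: 'keyId', KeyType: 'HASH' }], // sole key attribute
    BillingMode: 'PAY_PER_REQUEST', // on-demand capacity mode
  };
  if (kmsKeyId) {
    input.SSESpecification = { Enabled: true, SSEType: 'KMS', KMSMasterKeyId: kmsKeyId };
  }
  return input;
}

// Returns a list of problems found in the `Table` object of a DescribeTable response.
function auditSecretTable(table) {
  const problems = [];
  const keys = table.KeySchema || [];
  const hash = keys.find((k) => k.KeyType === 'HASH');
  if (keys.length !== 1 || !hash || hash.AttributeName !== 'keyId') {
    problems.push('key schema must be exactly: keyId (HASH)');
  }
  const attr = (table.AttributeDefinitions || []).find((a) => a.AttributeName === 'keyId');
  if (!attr || attr.AttributeType !== 'S') {
    problems.push('keyId must be defined as a string (S) attribute');
  }
  // SSEDescription is absent when the default AWS owned key is in use; when it
  // is present, any status other than ENABLED is flagged for review.
  const sse = table.SSEDescription;
  if (sse && sse.Status !== 'ENABLED') {
    problems.push(`KMS encryption status is ${sse.Status}`);
  }
  return problems;
}

// Constructed sample: a table created by mistake with a sort key, a numeric
// keyId and KMS encryption that is not enabled.
const badTable = {
  KeySchema: [
    { AttributeName: 'keyId', KeyType: 'HASH' },
    { AttributeName: 'version', KeyType: 'RANGE' },
  ],
  AttributeDefinitions: [{ AttributeName: 'keyId', AttributeType: 'N' }],
  SSEDescription: { Status: 'DISABLED', SSEType: 'KMS' },
};
console.log(auditSecretTable(badTable));
```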

Consistency

Secrets are retrieved using consistent reads to ensure that the most recent version of the secret is returned.

FAQ

Why AWS DynamoDB instead of AWS Secrets Manager?

AWS DynamoDB is simply more cost effective.

Estimation for 100 secrets (or in other words - 100 users) and roughly 1000 reads a day

The decision is up to you.